
Fwd: Bug#237426: mutt: Mutt segfaults when trying to attach from an inaccessible directory



This was received at the Debian BTS. I couldn't find it reported in
mutt's BTS, so I forward it to you.

Thanks.

P.S.: Please keep 237426-forwarded@xxxxx CC'ed.

----- Forwarded message from Matthijs Kooijman <m.kooijman@xxxxxxxxxxxxxxxxxx> -----

From: Matthijs Kooijman <m.kooijman@xxxxxxxxxxxxxxxxxx>
Reply-To: Matthijs Kooijman <m.kooijman@xxxxxxxxxxxxxxxxxx>,
        237426@xxxxxxxxxxxxxxx
To: Marco d'Itri <md@xxxxxxxx>
Cc: 237426@xxxxxxxxxxxxxxx
Date: Thu, 11 Mar 2004 23:21:51 +0100
Subject: Bug#237426: mutt: Mutt segfaults when trying to attach from an
    inaccessible directory
User-Agent: Mutt/1.5.5.1+cvs20040105i

> I cannot reproduce this. Please compile mutt and get a stack trace from
> the binary with debug symbols.
*grin* Probably hexed because I said it was simple ;-)
I have been digging some, and I already found the error. For
completeness, here is a backtrace:

#0  safe_free (ptr=0x10) at lib.c:125
#1  0x080592e0 in destroy_state (state=0xbfffd520) at browser.c:63
#2  0x0805aa53 in _mutt_select_file (f=0xbfffdb20 "", flen=256, 
    flags=135160096, files=0xbfffd99c, numfiles=0xbfffd9a0) at browser.c:958
#3  0x0806886e in _mutt_enter_fname (prompt=0x80d28d4 "Attach file", 
    buf=0xbfffdb20 "", blen=256, redraw=0x8146c34, buffy=0, multiple=1, 
    files=0xbfffd99c, numfiles=0xbfffd9a0) at curs_lib.c:441
#4  0x08063be7 in mutt_compose_menu (msg=0x81445f0, fcc=0xbfffe190 "=Sent", 
    fcclen=256, cur=0x0) at compose.c:791
#5  0x080a5f45 in ci_send_message (flags=0, msg=0x81445f0, tempfile=0x0, 
    ctx=0x811df28, cur=0x0) at send.c:1399
#6  0x0806b3bf in mutt_index_menu () at curs_main.c:1964
#7  0x08082c80 in main (argc=1, argv=0xbffff504) at main.c:925

The error is caused at browser.c:958. When an unreadable directory is
found, an error is displayed, and the `state' is deleted. Only, ten
lines or what above that line 958 the state is already deleted (because
it is no longer necessary?). This obviously creates a problem. Simply
removing the `destroy_state' call at line 958 appears to fix the
problem, the segfault is gone. I have already checked the CVS
version, it still had both destroy_state calls (although I have not
compiled the latest CVS version).
You should be able to fix this now?

Which still leaves the matter of reproducibility, for you must agree
that the code as is, is wrong.
So, what I do to get the error:
Start mutt
Press 'm'
Fill in anything for recipient and subject
Fill in anything as message body to prevent mutt aborting the message
Press 'a'
Press '?'
Press 'c'
Enter `/var/spool/exim' as directory to chdir to
Press enter
Voila, segfault. At least with me. Instead of /var/spool/exim you could
take another directory without read access. (`mkdir /tmp/blaat && chmod
000 /tmp/blaat`, for example).

I'm curious whether you can reproduce it now, if not maybe your system
doesn't generate a segfault for deleting a pointer twice? What is your
OS? I have Debian/unstable, linux 2.4.22, no funky patches applied (or
maybe preemptive patch, not sure)

Btw, quick reply ;-) Quick replies are good...

Greetings, from a (seemingly) fixed mutt,

Matthijs

----- End forwarded message -----

-- 
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
Every program has at least one bug and can be shortened by at least one
instruction -- from which, by induction, one can deduce that every program can
be reduced to one instruction which doesn't work.
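An added illustration of the double-teardown pattern the forwarded report describes; this is not mutt's code and not from the report. It shows the two defender-side fixes side by side: drop the redundant second `destroy_state` call on the error path, and have the teardown leave NULL/0 behind so that a repeated call degrades to a no-op instead of a double free. `browser_state`, `select_file`, `examine_directory` and the `/unreadable` path are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for mutt's browser state (not mutt's real struct). */
struct browser_state {
    char **entry;
    int entrylen;
};
static int destroy_calls; /* instrumentation only: counts destroy_state runs */

/* Free the entries and reset the fields to NULL/0 so that a second call is
 * a harmless no-op rather than a double free (the defensive half). */
static void destroy_state(struct browser_state *state)
{
    destroy_calls++;
    for (int i = 0; i < state->entrylen; i++) {
        free(state->entry[i]);
        state->entry[i] = NULL;
    }
    free(state->entry);
    state->entry = NULL;
    state->entrylen = 0;
}

static void init_state(struct browser_state *state)
{
    state->entrylen = 2;
    state->entry = malloc(sizeof(char *) * state->entrylen);
    for (int i = 0; i < state->entrylen; i++)
        state->entry[i] = malloc(16); /* constructed placeholder entries */
}
/* Constructed stand-in for examining a directory: -1 means unreadable. */
static int examine_directory(const char *dir)
{
    return strcmp(dir, "/unreadable") == 0 ? -1 : 0;
}
/* Mirrors the reported control flow: the state is torn down before the
 * chdir attempt, and the buggy error path tore it down a second time.
 * Returns how many times destroy_state ran for this selection. */
static int select_file(const char *dir, int buggy)
{
    struct browser_state state;
    destroy_calls = 0;
    init_state(&state);
    destroy_state(&state);           /* first teardown, as in the original */
    if (examine_directory(dir) == -1 && buggy)
        destroy_state(&state);       /* redundant second call (the bug) */
    return destroy_calls;
}
```

With the NULL-resetting teardown the buggy path still runs `destroy_state` twice but no longer frees live memory twice; removing the second call is the proper fix, the reset is the safety net.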