
bug#1909: marked as done (mutt-1.5.6i: Mutt segfaults in mutt_check_traditional_pgp())



Your message dated Sat, 26 Jun 2004 10:48:35 +0200
with message-id <20040626084835.GA29363@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
and subject line bug#1909: mutt-1.5.6i: Mutt segfaults in 
mutt_check_traditional_pgp()
has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Herr der Kaefer
(administrator, GUUG bugs database)

--------------------------------------
Received: (at submit) by bugs.guug.de; 26 Jun 2004 08:10:16 +0000
>From ddm@xxxxxxxxxxxxxxxx Sat Jun 26 10:10:11 2004
Received: from thoth.sophic.org ([216.220.103.164])
        by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
        id 1Be8GI-0002CM-00
        for <submit@xxxxxxxxxxxx>; Sat, 26 Jun 2004 10:10:11 +0200
Received: from thoth.sophic.org (localhost [127.0.0.1])
        by thoth.sophic.org (8.12.8/8.12.8) with ESMTP id i5Q8Cl0F012434
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
        Sat, 26 Jun 2004 04:12:47 -0400
Received: (from ddm@localhost)
        by thoth.sophic.org (8.12.8/8.12.8/Submit) id i5Q8Ckkn012432;
        Sat, 26 Jun 2004 17:12:46 +0900
Date: Sat, 26 Jun 2004 17:12:46 +0900
Message-Id: <200406260812.i5Q8Ckkn012432@xxxxxxxxxxxxxxxx>
From: invalid@xxxxxxxxxxxxxx
Subject: mutt-1.5.6i: Mutt segfaults in mutt_check_traditional_pgp()
To: submit@xxxxxxxxxxxx
X-Spam-Status: No, hits=-4.1 required=4.0
        tests=AWL,BAYES_01,NO_REAL_NAME
        version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

Package: mutt
Version: 1.5.6i
Severity: important

-- Please type your report below this line

While I was researching why my pgp-auto-decode patch causes a segfault when
(for example) trying to reply to multiple tagged messages, I discovered the
problem actually lies in mutt_check_traditional_pgp().  I'm not familiar
enough with the data structures involved to suggest a proper fix, but I can at
least give you all the relevant details...

This bug occurs in the latest (or at least a fairly recent) CVS snapshot.
Mutt segfaults in mutt_check_traditional_pgp() when the user tags multiple
messages and does a tag-ESC-P in order to check multiple messages.  I was able
to reproduce this behavior every time with unpatched CVS mutt sources.

The problem is that the function can be passed a NULL, but it doesn't check to
see if the pointer is null before dereferencing it.  It happens here:

Program received signal SIGSEGV, Segmentation fault.
0x08056c6e in mutt_check_traditional_pgp (h=0x0, redraw=0x8142ae4)
    at commands.c:970
970           if (Context->hdrs[Context->v2r[i]]->tagged && !(h->security &
PGP_TRADITIONAL_CHECKED))
(gdb) bt
#0  0x08056c6e in mutt_check_traditional_pgp (h=0x0, redraw=0x8142ae4)
    at commands.c:970
#1  0x0805ff97 in mutt_index_menu () at curs_main.c:1890
#2  0x080709be in main (argc=256, argv=0xbffff0d4) at main.c:907
#3  0x401eb5cd in __libc_start_main () from /lib/libc.so.6

As you can see from the backtrace, the *h is NULL, but the conditional checks
the value of h->security without first checking to see if it is NULL.  My
guess is that the second half of this conditional should not be looking at
h->security at all, but instead some member of Context.  But I'm just
guessing...

Note that this was tested with unpatched mutt, but the information below
reflects a version of mutt which is installed elsewhere.

-- System Information
System Version: Linux thoth 2.4.20-18.9 #1 Thu May 29 08:37:23 EDT 2003 i686 
i686 i386 GNU/Linux
RedHat Release: Red Hat Linux release 9 (Shrike)

-- Build environment information

(Note: This is the build environment installed on the system
muttbug is run on.  Information may or may not match the environment
used to build mutt.)

- gcc version information
gcc
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man 
--infodir=/usr/share/info --enable-shared --enable-threads=posix 
--disable-checking --with-system-zlib --enable-__cxa_atexit 
--host=i386-redhat-linux
Thread model: posix
gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)

- CFLAGS
-Wall -pedantic -g -O2



Mutt 1.5.6i (2004-02-01)
Copyright (C) 1996-2002 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 2.4.20-18.9 (i686) [using slang 10405]
Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  
+USE_FCNTL  -USE_FLOCK
+USE_POP  +USE_IMAP  -USE_GSS  +USE_SSL  -USE_SASL  -USE_SASL2  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  -HAVE_START_COLOR  -HAVE_TYPEAHEAD  -HAVE_BKGDSET  
-HAVE_CURS_SET  -HAVE_META  -HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  -CRYPT_BACKEND_GPGME  
+BUFFY_SIZE -EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  +LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  -HAVE_LIBIDN  +HAVE_GETSID  +HAVE_GETADDRINFO  
ISPELL="/usr/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/local/share/mutt"
SYSCONFDIR="/usr/local/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please use the flea(1) utility.


--- Begin /usr/local/etc/Muttrc
ignore "from " received content- mime-version status x-status message-id
ignore sender references return-path lines
macro index \eb '/~b ' 'search in message bodies'
macro index \cb |urlview\n 'call urlview to extract URLs out of a message'
macro pager \cb |urlview\n 'call urlview to extract URLs out of a message'
macro generic <f1> "!less /usr/local/doc/mutt/manual.txt\n" "Show Mutt documentation"
macro index   <f1> "!less /usr/local/doc/mutt/manual.txt\n" "Show Mutt documentation"
macro pager   <f1> "!less /usr/local/doc/mutt/manual.txt\n" "Show Mutt documentation"
--- End /usr/local/etc/Muttrc
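Added example, not code from the bug report or from mutt itself: a small C model of the tagged-message walk in mutt_check_traditional_pgp(), with the contract the backtrace reveals (h == NULL means "walk the tagged messages") made explicit so that path never touches h. HEADER, CONTEXT, check_one() and the flag bit values are assumed stand-ins for the real mutt definitions, which are not on this page.

```c
#include <stddef.h>

/* Placeholder flag values: mutt's real PGP_TRADITIONAL* bit values are not on the page. */
#define PGP_TRADITIONAL_CHECKED 0x01
#define PGP_TRADITIONAL         0x02

/* Minimal stand-ins for mutt's HEADER and CONTEXT (assumed names; only the fields the loop touches). */
typedef struct { int tagged; int security; int body_has_pgp; } HEADER;  /* body_has_pgp: constructed stand-in for scanning the body */
typedef struct { HEADER **hdrs; int *v2r; int vcount; } CONTEXT;        /* v2r: visible-index -> real-index map */

/* Stand-in for _mutt_check_traditional_pgp(): marks the header checked, reports a hit. */
static int check_one(HEADER *h)
{
    h->security |= PGP_TRADITIONAL_CHECKED;
    if (h->body_has_pgp) h->security |= PGP_TRADITIONAL;
    return h->body_has_pgp;
}

/* Contract visible in the backtrace: h == NULL means "operate on every tagged
 * message in ctx", so h must never be dereferenced on that path. */
int check_traditional_pgp(CONTEXT *ctx, HEADER *h)
{
    int rv = 0, i;
    if (h)
        return (h->security & PGP_TRADITIONAL_CHECKED) ? 0 : check_one(h);
    for (i = 0; i < ctx->vcount; i++) {
        HEADER *cur = ctx->hdrs[ctx->v2r[i]];   /* the header actually under test */
        /* Original bug: ... && !(h->security & PGP_TRADITIONAL_CHECKED) with h == NULL here */
        if (cur->tagged && !(cur->security & PGP_TRADITIONAL_CHECKED))
            rv = check_one(cur) || rv;
    }
    return rv;
}

/* Constructed scenario: three visible messages, a and b tagged, b already checked.
 * Returns 1 when the tagged walk behaves as intended (a checked, b skipped, c untouched). */
int demo_tagged_check(void)
{
    HEADER a = {1, 0, 1}, b = {1, PGP_TRADITIONAL_CHECKED, 1}, c = {0, 0, 1};
    HEADER *hdrs[3] = {&a, &b, &c};
    int v2r[3] = {0, 1, 2};
    CONTEXT ctx = {hdrs, v2r, 3};
    int rv = check_traditional_pgp(&ctx, NULL);  /* the path that crashed in the report */
    return rv == 1 && (a.security & PGP_TRADITIONAL) != 0
        && !(b.security & PGP_TRADITIONAL) && c.security == 0;
}
```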


---------------------------------------
Received: (at 1909-done) by bugs.guug.de; 26 Jun 2004 08:46:01 +0000
>From roessler+bounce@xxxxxxxxxxxxxxxxxx Sat Jun 26 10:45:25 2004
Received: from kamino.does-not-exist.org ([217.160.221.198])
        by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
        id 1Be8oO-0003C5-00
        for <1909-done@xxxxxxxxxxxx>; Sat, 26 Jun 2004 10:45:24 +0200
Received: from raktajino.does-not-exist.org (vb1-2.wlan.uni-bonn.de 
[131.220.201.2])
        (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
        (No client certificate requested)
        by kamino.does-not-exist.org (Postfix) with ESMTP
        id 76DA519336A; Sat, 26 Jun 2004 10:48:30 +0200 (CEST)
Received: by raktajino.does-not-exist.org (Postfix, from userid 500)
        id C15F38500A; Sat, 26 Jun 2004 10:48:36 +0200 (CEST)
Date: Sat, 26 Jun 2004 10:48:35 +0200
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: invalid@xxxxxxxxxxxxxx, 1909-done@xxxxxxxxxxxx
Subject: Re: bug#1909: mutt-1.5.6i: Mutt segfaults in 
mutt_check_traditional_pgp()
Message-ID: <20040626084835.GA29363@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <200406260812.i5Q8Ckkn012432@xxxxxxxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200406260812.i5Q8Ckkn012432@xxxxxxxxxxxxxxxx>
User-Agent: Mutt/1.5.6i
X-Spam-Status: No, hits=-108.4 required=4.0
        tests=AWL,BAYES_01,EMAIL_ATTRIBUTION,IN_REP_TO,
              PATCH_UNIFIED_DIFF,QUOTED_EMAIL_TEXT,REFERENCES,
              REPLY_WITH_QUOTES,USER_AGENT_MUTT,USER_IN_WHITELIST
        autolearn=ham version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

On 2004-06-26 17:12:46 +0900, invalid@xxxxxxxxxxxxxx wrote:

> As you can see from the backtrace, the *h is NULL, but the
> conditional checks the value of h->security without first
> checking to see if it is NULL.  My guess is that the second half
> of this conditional should not be looking at h->security at all,
> but instead some member of Context.  But I'm just guessing...

This patch should fix the problem:

--- commands.c  12 Apr 2004 20:33:33 -0000      3.23
+++ commands.c  26 Jun 2004 08:44:54 -0000
@@ -966,7 +966,8 @@
   else
   {
     for (i = 0; i < Context->vcount; i++)
-      if (Context->hdrs[Context->v2r[i]]->tagged && !(h->security & 
PGP_TRADITIONAL_CHECKED))
+      if (Context->hdrs[Context->v2r[i]]->tagged && 
+         !(Context->hdrs[Context->v2r[i]]->security & PGP_TRADITIONAL_CHECKED))
        rv = _mutt_check_traditional_pgp (Context->hdrs[Context->v2r[i]], 
redraw)
          || rv;
   }
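Review bot: the expression `Context->hdrs[Context->v2r[i]]` now appears three times in the loop body (the tagged test, the new security test and the `_mutt_check_traditional_pgp` call); hoisting it into a local pointer at the top of the loop would make the body easier to read and make it obvious that `h` is no longer referenced on this branch. The substance of the fix is right: the old condition read `h->security` while `h` is NULL in this `else` branch, so the PGP_TRADITIONAL_CHECKED bit has to come from the header actually being iterated. Worth re-running the report's reproduction (tag several messages, then the tag-prefixed ESC-P) on this branch before closing, and confirming the preceding `if` branch still covers the single-message case where `h` is non-NULL.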


-- 
Thomas Roessler                       <roessler@xxxxxxxxxxxxxxxxxx>