<<< Date Index >>>     <<< Thread Index >>>

Re: Fwd: Re: Segmentation fault



Mhhh... This patch looks like it gets a couple of things right,
hence I'm committing it.  If it breaks things, we can still back out.
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.





On 2005-05-25 18:39:05 +0200, Thomas Glanzmann wrote:
> From: Thomas Glanzmann <sithglan@xxxxxxxxxxxxxxxxxxxx>
> To: Alex Muntada <alexm@xxxxxxxxx>, Mutt Developers <mutt-dev@xxxxxxxx>,
>       Brendan Cully <brendan@xxxxxxxxxx>,
>       Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
> Date: Wed, 25 May 2005 18:39:05 +0200
> Subject: Re: Fwd: Re: Segmentation fault
> Mail-Followup-To: Alex Muntada <alexm@xxxxxxxxx>,
>       Mutt Developers <mutt-dev@xxxxxxxx>,
>       Brendan Cully <brendan@xxxxxxxxxx>,
>       Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
> X-Spam-Level: 
> 
> Hello Alex,
> 
> ==23030== Invalid write of size 4
> ==23030==    at 0x808EA84: mx_update_context (mx.c:1581)
> ==23030==    by 0x80D677C: imap_read_headers (message.c:317)
> ==23030==    by 0x80D27F0: imap_cmd_finish (command.c:266)
> ==23030==    by 0x80D53D7: imap_check_mailbox (imap.c:1181)
> ==23030==    by 0x808E53F: mx_check_mailbox (mx.c:1365)
> ==23030==    by 0x806467E: mutt_index_menu (curs_main.c:479)
> ==23030==    by 0x8082154: main (main.c:934)
> ==23030==  Address 0x1BE58E40 is 0 bytes after a block of size 1480 alloc'd
> ==23030==    at 0x1B902A2F: realloc (vg_replace_malloc.c:197)
> ==23030==    by 0x80B9467: safe_realloc (lib.c:109)
> ==23030==    by 0x808E95A: mx_alloc_memory (mx.c:1547)
> ==23030==    by 0x80D61D3: imap_read_headers (message.c:118)
> ==23030==    by 0x80D27F0: imap_cmd_finish (command.c:266)
> ==23030==    by 0x80D53D7: imap_check_mailbox (imap.c:1181)
> ==23030==    by 0x808E53F: mx_check_mailbox (mx.c:1365)
> ==23030==    by 0x806467E: mutt_index_menu (curs_main.c:479)
> ==23030==    by 0x8082154: main (main.c:934)
> ==23030== Warning: invalid file descriptor -1 in syscall close()
> ==3476== 
> 
> Brendan, can you say something to this one? It seems that there isn't enough
> space allocated to handle all the headers. I included a maybe work
> around in my patch.
> 
> ==4365== Invalid read of size 1
> ==4365==    at 0x1B901A60: strcmp (mac_replace_strmem.c:249)
> ==4365==    by 0x80BA2AC: mutt_strcmp (lib.c:637)
> ==4365==    by 0x807A4F2: hash_delete_hash (hash.c:127)
> 
> ==4365== Invalid read of size 1
> ==4365==    at 0x1B901A63: strcmp (mac_replace_strmem.c:250)
> ==4365==    by 0x80BA2AC: mutt_strcmp (lib.c:637)
> ==4365==    by 0x807A474: hash_find_hash (hash.c:108)
> 
> these two come from my faulty patch, I guess. So here is another patch which
> hopefully doesn't break anything. I tried a much simpler approch. However I
> still don't see how the old one was broke. Apply diff against CVS HEAD;
> or delta against your current tree.
> 
> Sorting mailbox...
> Program received signal SIGSEGV, Segmentation fault.
> 0x080b738f in mutt_sort_threads (ctx=0x8103d90, init=0) at thread.c:859
> 859             tmp = new->next;
> (gdb) p new
> $1 = (THREAD *) 0x162
> (gdb) i s
> #0  0x080b738f in mutt_sort_threads (ctx=0x8103d90, init=0) at thread.c:859
> #1  0x080b4561 in mutt_sort_headers (ctx=0x8103d90, init=0) at sort.c:291
> #2  0x080640b7 in update_index (menu=0x8172740, ctx=0x8103d90, check=1, 
>     oldcount=343, index_hint=330) at curs_main.c:317
> #3  0x08064712 in mutt_index_menu () at curs_main.c:492
> #4  0x08082155 in main (argc=1, argv=0xbfffe404) at main.c:934
> #5  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
> (gdb) p thread
> $2 = (THREAD *) 0x8126e70
> (gdb) p *thread
> $3 = {fake_thread = 0, duplicate_thread = 0, sort_children = 0, 
>   check_subject = 0, visible = 0, deep = 1, subtree_visible = 1, 
>   next_subtree_visible = 1, parent = 0xbfffd420, child = 0x162, 
>   next = 0x8126e90, prev = 0x8129b50, message = 0x81688a0, 
>   sort_key = 0x81688a0}
> (gdb) p tmp
> $4 = (THREAD *) 0x0
> 
> no idea where this comes from.
> 
>       Thomas

> diff --git a/hash.c b/hash.c
> --- a/hash.c
> +++ b/hash.c
> @@ -114,8 +114,12 @@ void *hash_find_hash (const HASH * table
>  void hash_delete_hash (HASH * table, int hash, const char *key, const void 
> *data,
>                      void (*destroy) (void *))
>  {
> -  struct hash_elem *ptr = table->table[hash];
> -  struct hash_elem **last = &table->table[hash];
> +  struct hash_elem *ptr;
> +  struct hash_elem **last;
> +
> +again:
> +  ptr  = table->table[hash];
> +  last = &table->table[hash];
>  
>    for (; ptr; last = &ptr->next, ptr = ptr->next)
>    {
> @@ -128,7 +132,7 @@ void hash_delete_hash (HASH * table, int
>        *last = ptr->next;
>        if (destroy) destroy (ptr->data);
>        FREE (&ptr);
> -      return;
> +      goto again;
>      }
>    }
>  }
> diff --git a/imap/message.c b/imap/message.c
> --- a/imap/message.c
> +++ b/imap/message.c
> @@ -314,7 +314,10 @@ int imap_read_headers (IMAP_DATA* idata,
>    fclose(fp);
>  
>    if (ctx->msgcount > oldmsgcount)
> +  {
> +    mx_alloc_memory(ctx);
>      mx_update_context (ctx, ctx->msgcount - oldmsgcount);
> +  }
>  
>    return msgend;
>  }
> @@ -469,6 +472,8 @@ int imap_fetch_message (MESSAGE *msg, CO
>      hash_delete (ctx->id_hash, h->env->message_id, h, NULL);
>    if (ctx->subj_hash && h->env->real_subj)
>      hash_delete (ctx->subj_hash, h->env->real_subj, h, NULL);
> +  if (ctx->thread_hash && h->env->message_id)
> +    hash_delete (ctx->thread_hash, h->env->message_id, NULL, NULL);
>    mutt_free_envelope (&h->env);
>    h->env = mutt_read_rfc822_header (msg->fp, h, 0, 0);
>    if (ctx->id_hash && h->env->message_id)
> diff --git a/imap/util.c b/imap/util.c
> --- a/imap/util.c
> +++ b/imap/util.c
> @@ -138,11 +138,11 @@ int imap_parse_path (const char* path, I
>      {
>        *c = '\0';
>        strfcpy (mx->account.user, tmp, sizeof (mx->account.user));
> -      strfcpy (tmp, c+1, sizeof (tmp));
> +      c++;
>        mx->account.flags |= M_ACCT_USER;
>      }
>    
> -    if ((n = sscanf (tmp, "%127[^:/]%127s", mx->account.host, tmp)) < 1)
> +    if ((n = sscanf (c, "%127[^:/]%127s", mx->account.host, c)) < 1)
>      {
>        dprint (1, (debugfile, "imap_parse_path: NULL host in %s\n", path));
>        FREE (&mx->mbox);
> @@ -150,11 +150,11 @@ int imap_parse_path (const char* path, I
>      }
>    
>      if (n > 1) {
> -      if (sscanf (tmp, ":%hu%127s", &(mx->account.port), tmp) >= 1)
> +      if (sscanf (c, ":%hu%127s", &(mx->account.port), c) >= 1)
>       mx->account.flags |= M_ACCT_PORT;
> -      if (sscanf (tmp, "/%s", tmp) == 1)
> +      if (sscanf (c, "/%s", c) == 1)
>        {
> -     if (!ascii_strncmp (tmp, "ssl", 3))
> +     if (!ascii_strncmp (c, "ssl", 3))
>         mx->account.flags |= M_ACCT_SSL;
>       else
>       {

> diff --git a/hash.c b/hash.c
> --- a/hash.c
> +++ b/hash.c
> @@ -114,8 +114,12 @@ void *hash_find_hash (const HASH * table
>  void hash_delete_hash (HASH * table, int hash, const char *key, const void 
> *data,
>                      void (*destroy) (void *))
>  {
> -  struct hash_elem *ptr = table->table[hash];
> -  struct hash_elem **last = &table->table[hash];
> +  struct hash_elem *ptr;
> +  struct hash_elem **last;
> +
> +again:
> +  ptr  = table->table[hash];
> +  last = &table->table[hash];
>  
>    for (; ptr; last = &ptr->next, ptr = ptr->next)
>    {
> @@ -123,15 +127,11 @@ void hash_delete_hash (HASH * table, int
>       * required for the case where we have multiple entries with the same
>       * key
>       */
> -again:
>      if ((data == ptr->data) || (!data && mutt_strcmp (ptr->key, key) == 0))
>      {
>        *last = ptr->next;
>        if (destroy) destroy (ptr->data);
>        FREE (&ptr);
> -      ptr = *last;
> -      if (! ptr)
> -        return;
>        goto again;
>      }
>    }
> diff --git a/imap/message.c b/imap/message.c
> --- a/imap/message.c
> +++ b/imap/message.c
> @@ -314,7 +314,10 @@ int imap_read_headers (IMAP_DATA* idata,
>    fclose(fp);
>  
>    if (ctx->msgcount > oldmsgcount)
> +  {
> +    mx_alloc_memory(ctx);
>      mx_update_context (ctx, ctx->msgcount - oldmsgcount);
> +  }
>  
>    return msgend;
>  }


Attachment: pgpcnsZcy0mrb.pgp
Description: PGP signature