Re: mutt/2195: double free in rfc822_free_address() when using S/MIME encryption
The following reply was made to PR mutt/2195; it has been noted by GNATS.
From: Christoph Ludwig <ludwig@xxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx
Cc:
Subject: Re: mutt/2195: double free in rfc822_free_address() when using S/MIME encryption
Date: Wed, 31 May 2006 13:47:48 +0200
On Thu, Mar 09, 2006 at 10:08:07AM +0100, ludwig@xxxxxxxxxxx wrote:
> >Number: 2195
> >Notify-List:
> >Category: mutt
> >Synopsis: double free in rfc822_free_address() when using S/MIME
> >encryption
[...]
>
> This particular crash happens only when I send S/MIME encrypted mails. (I
> use the gpgme backend.) I already checked that
> patch-1.5.6-ow.smime-encrypt-self.2 does not free any address, so it seems
> an unlikely culprit.
> >How-To-Repeat:
> Send S/MIME encrypted mails. Unfortunately, mutt does not always crash, so
> it is hard to repeat.
I ran mutt (built from current CVS) in valgrind. The problem seems to be
described in the following snippet from valgrind's log:
==21214== Invalid free() / delete / delete[]
==21214== at 0x1B9003C3: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==21214== by 0x80A6866: safe_free (lib.c:193)
==21214== by 0x809D2F0: ci_send_message (send.c:1745)
==21214== by 0x8061856: mutt_index_menu (curs_main.c:1943)
==21214== by 0x80799E2: main (main.c:960)
==21214== Address 0x1BFB3430 is 0 bytes inside a block of size 45 free'd
==21214== at 0x1B9003C3: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==21214== by 0x80A6866: safe_free (lib.c:193)
==21214== by 0x8053E8D: mutt_protect (crypt.c:227)
==21214== by 0x809C3C2: ci_send_message (send.c:1566)
==21214== by 0x8061856: mutt_index_menu (curs_main.c:1943)
==21214== by 0x80799E2: main (main.c:960)
==21214==
This double free is only reported if I both sign and encrypt outgoing
messages.
Regards
Christoph
--
FH Worms - University of Applied Sciences
Fachbereich Informatik / Telekommunikation
Erenburgerstr. 19, 67549 Worms, Germany
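As an added illustration, not code from the mutt tree or from this report, the following shows the ownership pattern that typically yields a callee/caller double free of the kind the valgrind trace above records (one free inside the callee, a second in the caller). It assumes a safe_free() that takes a pointer-to-pointer and nulls it, as mutt's lib.c does; the functions protect_by_value() and protect_by_ref() are hypothetical stand-ins for a callee that receives a buffer by value versus one that takes ownership explicitly.

```c
#include <stdlib.h>
#include <string.h>

/* safe_free in the style of mutt's lib.c: takes the ADDRESS of the
 * pointer so the variable it was called with is reset to NULL. */
static void safe_free(void *p)
{
    void **pp = (void **)p;
    free(*pp);
    *pp = NULL;
}
#define FREE(x) safe_free(x)

/* Hypothetical callee that receives the buffer BY VALUE and frees it.
 * FREE() nulls only the local copy; the caller's variable keeps the
 * dangling address, so a later FREE() in the caller frees it twice. */
static void protect_by_value(char *keylist)
{
    FREE(&keylist);
}

/* Hypothetical callee that takes ownership through a pointer-to-pointer,
 * so the caller's own variable is nulled as well. */
static void protect_by_ref(char **keylist)
{
    FREE(keylist);
}

/* Simulates the caller. Returns 1 if, after the callee ran, the caller's
 * pointer is still non-NULL (a second FREE() would be a double free),
 * 0 if the callee left it NULL and the caller's FREE() is a harmless no-op.
 * The by-value case deliberately does NOT free again, to avoid the crash. */
int caller_would_double_free(int by_value)
{
    char *keylist = malloc(32);            /* constructed sample buffer */
    if (!keylist)
        return -1;
    memcpy(keylist, "constructed-key-list", 21);
    if (by_value)
        protect_by_value(keylist);
    else
        protect_by_ref(&keylist);
    int dangling = (keylist != NULL);
    if (dangling)
        keylist = NULL;                    /* drop it; do not free twice */
    else
        FREE(&keylist);                    /* free(NULL): no-op, safe */
    return dangling;
}
```

Running the by-value variant under valgrind (with the second FREE() left in) produces exactly an "Invalid free()" report with the callee's frame in the "free'd" stack, which is why passing the pointer's address, or documenting which side owns the buffer, is the usual fix.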