mutt/2272: NUll pointer references

To: Mutt Developers <mutt-dev@xxxxxxxx>
Subject: mutt/2272: NUll pointer references
From: fabrice.desclaux@xxxxxxxx
Date: Thu, 08 Jun 2006 13:29:51 +0200
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?Subject="Unsubscribe Mutt Dev"?body=unsubscribe>
Mail-followup-to: bug-any@xxxxxxxxxxxxx
References: <mutt-pr-2272@xxxxxxxxxxxxx>
Reply-to: bug-any@xxxxxxxxxxxxx
Sender: owner-mutt-dev@xxxxxxxx

>Number:         2272
>Notify-List:    
>Category:       mutt
>Synopsis:       NUll pointer references
>Confidential:   no
>Severity:       normal
>Priority:       medium
>Responsible:    mutt-dev
>State:          open
>Keywords:       
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 08 13:29:50 +0200 2006
>Originator:     desclaux fabrice
>Release:        mutt-1.5.11
>Organization:
EADS
>Environment:
linux 2.6
>Description:
In crypt.c: line 595:
  if (!h)
  {
    for (i = 0; i < Context->vcount; i++)
    {
      .....
          if (Context->hdrs[Context->v2r[i]]->env->from)
            tmp = mutt_expand_aliases (h->env->from);
      .....

In this test, h is a null pointer, so mutt_expand_aliases (h->env->from); will 
seg fault in reading at adress 0x52


in assembly, the compilator see the null value and generate memory access 
without base:(intel style)
        mov     %eax, DWORD PTR %ds:52
        mov     %eax, DWORD PTR [%eax+4]

>How-To-Repeat:
If the function void crypt_extract_keys_from_messages (HEADER * h) is called 
with a null pointer, the code test this null pointer and READ at this pointer, 
maybe there is no ! in the test code.

>Fix:
maybe you wanted to do if (h) ....
>Add-To-Audit-Trail:

>Unformatted:

Prev by Date: mutt/2270: docs show - instead of _ in same cases
Next by Date: Re: mutt/2272: NUll pointer references
Previous by thread: Re: mutt/2270: docs show - instead of _ in same cases
Next by thread: Re: mutt/2272: NUll pointer references
Index(es):
- Date
- Thread