
Crash in menu.c
Hi,

lately I get the following crashes when trying to send a message:

  #0  0x0807b3f1 in menu_pad_string (s=0x100 <Address 0x100 out of bounds>, 
n=0) at menu.c:163
  163       mutt_format_string (s, n, cols, cols, 0, ' ', scratch, mutt_strlen 
(scratch), 1);
  (gdb) bt
  #0  0x0807b3f1 in menu_pad_string (s=0x100 <Address 0x100 out of bounds>, 
n=0) at menu.c:163
  #1  0x0807b5c0 in menu_redraw_index (menu=0x8a9aa80) at menu.c:219
  #2  0x0807c61d in menu_redraw (menu=0x8a9aa80) at menu.c:832
  #3  0x0807c69c in mutt_menuLoop (menu=0x8a9aa80) at menu.c:859
  #4  0x080bb278 in tls_negotiate (conn=0x8a93000) at mutt_ssl_gnutls.c:781
  #5  0x080bb85d in mutt_ssl_starttls (conn=0x8a93000) at mutt_ssl_gnutls.c:153
  #6  0x080b84b3 in mutt_smtp_send (from=0x0, to=0x91c7ca0, cc=0x0, bcc=0x0, 
msgfile=0xbfbfac80 "/home/pdmef/tmp/mutt/mutt-peter-1001-1588-37", eightbit=1) 
at smtp.c:384
  #7  0x0809a826 in ci_send_message (flags=5, msg=0x8a7fe80, tempfile=0x0, 
ctx=0x80f4800, cur=0x8a5f500) at send.c:1051
  #8  0x080875c7 in mutt_pager (banner=0x0, fname=0xbfbfce70 "", flags=66, 
extra=0xbfbfce70) at pager.c:2473
  #9  0x08057288 in mutt_display_message (cur=0x8a5f500) at commands.c:211
  #10 0x08060e8b in mutt_index_menu () at curs_main.c:1173
  #11 0x080787c2 in main (argc=1, argv=0xbfbfe6dc) at main.c:980
  (gdb) print s
  $1 = 0x100 <Address 0x100 out of bounds>
  (gdb) print scratch
  $2 = 0x0

I replaced the binary with a hotfix one so that the output isn't really as with the crashing binary. However, in both cases scratch is 0x0 which seems to make strlen() crash.

My hotfix for now to be able to send mail at all is to use mutt_strlen() instead since mutt_format_string() seems to accept 0x0 (and specifically 0 length input string) safely. Maybe we should also add strlen() to check_sec.sh?

I can reproduce it 100% with the SMTP patch trying to bring up the SSL key menu though I don't know yet why some input string is "".

Also, this only affects latest CVS with the multibyte fix that now uses a scratch buffer as input instead of the given input itself, i.e. safe_strdup("")==NULL.

Any thoughts?

  bye, Rocco
--
:wq!