imap/2676: mutt + imap header results in a NULL pointer dereference crash
>Number: 2676
>Notify-List: mail@xxxxxxx
>Category: imap
>Synopsis: mutt + imap header results in a NULL pointer dereference crash
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: mutt-dev
>State: open
>Keywords:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 10 06:47:49 +0100 2007
>Originator: Rink Springer
>Release: 1.5.13
>Organization:
>Environment:
FreeBSD thunderstone.rink.nu 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #1: Sat Dec 9 16:40:05 CET 2006 root@xxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/THUNDERSTONE i386
>Description:
Whenever I try to check my employer's mail (via IMAP+TLS),
I use IMAP header-caching. However, mutt crashes on this particular mailbox.
gdb(1) gives:
Fetching message headers... [402/402]
Program received signal SIGSEGV, Segmentation fault.
0x080927df in mx_update_context (ctx=0x8121900, new_messages=402) at mx.c:1618
1618 h->security = crypt_query (h->content);
(gdb) inspect h
$1 = (HEADER *) 0x0
(gdb) inspect ctx->hdrs[399]
$3 = (HEADER *) 0x81c4d80
(gdb) inspect ctx->hdrs[400]
$4 = (HEADER *) 0x0
(gdb) inspect ctx->hdrs[401]
$5 = (HEADER *) 0x8121980
(gdb) bt
#0 0x080927df in mx_update_context (ctx=0x8121900, new_messages=402) at mx.c:1618
#1 0x080e2069 in imap_read_headers (idata=0x8117a00, msgbegin=401, msgend=401) at message.c:344
#2 0x080de706 in imap_open_mailbox (ctx=0x8121900) at imap.c:737
#3 0x080908e2 in mx_open_mailbox (path=0xbfbfdc30 "imap://imap.qsp.nl/", flags=0, pctx=0x0) at mx.c:719
#4 0x08067827 in mutt_index_menu () at curs_main.c:1129
#5 0x08085b2a in main (argc=1, argv=0xbfbfe884) at main.c:969
For some reason, message 400's headers point to a NULL pointer. However,
I can read the message using mutt without headercache (which is enabled
using --with-hcache in configure) just fine.
I have left the gdb(1) running; let me know if anything else needs to be
inspected.
>How-To-Repeat:
Try to open my employer's IMAP mailbox, while IMAP header caching is enabled.
>Fix:
Disabling headercaching (configuring with --with-hcache will do) solves the
problem.
>Add-To-Audit-Trail:
>Unformatted:
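The backtrace above shows mx_update_context dereferencing a NULL entry in ctx->hdrs (slot 400 of 402) that the header-cache path left behind. The following is an added example, not mutt's code: it models a simplified HEADER/CONTEXT pair (the struct fields, the query_security stand-in for crypt_query, and the update_context_safe name are all assumptions) and shows the defensive shape such a loop can take, skipping and compacting NULL slots so a hole in the header array is logged rather than dereferenced. The context built by make_context is constructed test data with a deliberate hole.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for mutt's BODY, HEADER and CONTEXT (assumption: the real
 * structs carry many more fields; only what the example touches is modelled). */
typedef struct { int content_is_encrypted; } BODY;
typedef struct { BODY *content; int security; int index; } HEADER;
typedef struct { HEADER **hdrs; int msgcount; } CONTEXT;

/* Hypothetical stand-in for crypt_query(): reports whether the body is encrypted. */
static int query_security(const BODY *b)
{
    return (b != NULL && b->content_is_encrypted) ? 1 : 0;
}

/* Walk the last `new_messages` slots of ctx->hdrs, as mx_update_context does.
 * A NULL slot (hdrs[400] in the report) is logged and squeezed out by
 * compacting the array in place instead of being dereferenced. Returns the
 * number of valid headers processed; ctx->msgcount is reduced accordingly. */
int update_context_safe(CONTEXT *ctx, int new_messages)
{
    int first = ctx->msgcount - new_messages;
    if (first < 0)
        first = 0;                      /* clamp a bogus new_messages count */
    int write = first;
    int valid = 0;

    for (int read = first; read < ctx->msgcount; read++) {
        HEADER *h = ctx->hdrs[read];
        if (h == NULL) {
            fprintf(stderr, "update_context: hdrs[%d] is NULL, skipping\n", read);
            continue;                   /* the original code crashes here */
        }
        h->security = query_security(h->content);
        h->index = write;               /* renumber after compaction */
        ctx->hdrs[write++] = h;
        valid++;
    }
    /* Clear the tail so stale pointers are never revisited. */
    for (int i = write; i < ctx->msgcount; i++)
        ctx->hdrs[i] = NULL;
    ctx->msgcount = write;
    return valid;
}

/* Constructed test data: n headers with a NULL hole at index `hole`
 * (hole < 0 for no hole); the header at index 1 is marked encrypted. */
CONTEXT *make_context(int n, int hole)
{
    CONTEXT *ctx = calloc(1, sizeof *ctx);
    ctx->hdrs = calloc((size_t)n, sizeof *ctx->hdrs);
    ctx->msgcount = n;
    for (int i = 0; i < n; i++) {
        if (i == hole)
            continue;                   /* leave the slot NULL on purpose */
        HEADER *h = calloc(1, sizeof *h);
        h->content = calloc(1, sizeof *h->content);
        h->content->content_is_encrypted = (i == 1);
        h->index = i;
        ctx->hdrs[i] = h;
    }
    return ctx;
}

void free_context(CONTEXT *ctx)
{
    for (int i = 0; i < ctx->msgcount; i++) {
        if (ctx->hdrs[i] == NULL)
            continue;
        free(ctx->hdrs[i]->content);
        free(ctx->hdrs[i]);
    }
    free(ctx->hdrs);
    free(ctx);
}

int main(void)
{
    CONTEXT *ctx = make_context(5, 3);   /* hole at slot 3, like hdrs[400] */
    int valid = update_context_safe(ctx, 5);
    printf("processed %d valid headers, msgcount now %d\n", valid, ctx->msgcount);
    free_context(ctx);
    return 0;
}
```

The compaction matters as much as the NULL check: skipping the slot alone would leave later code (sorting, threading, the index display) to trip over the same hole, so the array is closed up and msgcount corrected before returning.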