Re: [Mutt] #2790: re-executing a "too long" 'color body ...' cmd
#2790: re-executing a "too long" 'color body ...' cmd causes segv crash after a while
Changes (by brendan):
* priority: critical => major
Old description:
> {{{
> When a "color body ..." cmd, which fails because it's too long
> (color.c:518), is executed several times, it eventually crashes mutt.
> Seems the bad/too long case is not caught/aborted properly
> but leaves bad pointers around.
>
> Here the backtrace:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xfeec251c in realfree () from /usr/lib/libc.so.1
> (gdb) backtrace
> #0 0xfeec251c in realfree () from /usr/lib/libc.so.1
> #1 0xfeec2e28 in cleanfree () from /usr/lib/libc.so.1
> #2 0xfeec1f5c in _malloc_unlocked () from /usr/lib/libc.so.1
> #3 0xfeec1e50 in malloc () from /usr/lib/libc.so.1
> #4 0xfeee8aec in __regexec_C () from /usr/lib/libc.so.1
> #5 0x5cefc in patmatch (pat=0x115cf0, buf=0x11ed18 "Content-Type:
> text/plain;\n") at pattern.c:720
> #6 0x5c0c4 in msg_search (ctx=0x101a68, pat=0x115cf0, msgno=1174808) at
> pattern.c:244
> #7 0x5de6c in mutt_pattern_exec (pat=0x115cf0,
> flags=M_MATCH_FULL_ADDRESS, ctx=0x101a68, h=0x11e7d0) at pattern.c:1140
> #8 0x345b0 in mutt_set_header_color (ctx=0x101a68, curhdr=0x11e7d0) at
> curs_main.c:2195
> #9 0x2fb54 in index_color (index_no=0) at curs_main.c:182
> #10 0x4b920 in menu_redraw_index (menu=0x1168a0) at menu.c:243
> #11 0x306f0 in mutt_index_menu () at curs_main.c:551
> #12 0x48a24 in main (argc=4, argv=0xffbef3c4) at main.c:963
> >How-To-Repeat:
> folder-hook . 'color body "STRING WHICH IS LONGER THAN buf SIZE AND HAS
> OPEN ( WITHIN buf SIZE BUT NOT CLOSED )"'
> # so that the color cmd fails -> beep on error beeps each time.
>
> String size depends on color.c:518; change
> char buf[LONG_STRING];
> to
> char buf[SHORT_STRING];
> to reach the limit more easily.
>
> Now change folders many times; it takes quite a few, but then it crashes. Here
> ~20-30 times.
> >Fix:
> }}}
New description:
When a "color body ..." cmd, which fails because it's too long
(color.c:518), is executed several times, it eventually crashes mutt.
Seems the bad/too long case is not caught/aborted properly
but leaves bad pointers around.
Here the backtrace:
{{{
Program received signal SIGSEGV, Segmentation fault.
0xfeec251c in realfree () from /usr/lib/libc.so.1
(gdb) backtrace
#0 0xfeec251c in realfree () from /usr/lib/libc.so.1
#1 0xfeec2e28 in cleanfree () from /usr/lib/libc.so.1
#2 0xfeec1f5c in _malloc_unlocked () from /usr/lib/libc.so.1
#3 0xfeec1e50 in malloc () from /usr/lib/libc.so.1
#4 0xfeee8aec in __regexec_C () from /usr/lib/libc.so.1
#5 0x5cefc in patmatch (pat=0x115cf0, buf=0x11ed18 "Content-Type:
text/plain;\n") at pattern.c:720
#6 0x5c0c4 in msg_search (ctx=0x101a68, pat=0x115cf0, msgno=1174808) at
pattern.c:244
#7 0x5de6c in mutt_pattern_exec (pat=0x115cf0,
flags=M_MATCH_FULL_ADDRESS, ctx=0x101a68, h=0x11e7d0) at pattern.c:1140
#8 0x345b0 in mutt_set_header_color (ctx=0x101a68, curhdr=0x11e7d0) at
curs_main.c:2195
#9 0x2fb54 in index_color (index_no=0) at curs_main.c:182
#10 0x4b920 in menu_redraw_index (menu=0x1168a0) at menu.c:243
#11 0x306f0 in mutt_index_menu () at curs_main.c:551
#12 0x48a24 in main (argc=4, argv=0xffbef3c4) at main.c:963
}}}
>How-To-Repeat:
folder-hook . 'color body "STRING WHICH IS LONGER THAN buf SIZE AND HAS
OPEN ( WITHIN buf SIZE BUT NOT CLOSED )"'
# so that the color cmd fails -> beep on error beeps each time.
String size depends on color.c:518; change
char buf[LONG_STRING];
to
char buf[SHORT_STRING];
to reach the limit more easily.
Now change folders many times; it takes quite a few, but then it crashes. Here
~20-30 times.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2790#comment:3>
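The failure mode the report describes, a rejected 'color body' line that leaves bad state behind for a later match pass, as an added C example that is not mutt's code: a hypothetical rule list where the buggy add routine links the node before validating the pattern, so a too-long or unbalanced regex returns an error but leaves an uncompiled node on the list for the next redraw to hand to regexec(), next to the hardened version that validates first, links only on success and frees everything on any failure. The struct and function names, the 16-byte pattern buffer (playing the role of the SHORT_STRING trick in the ticket) and the constructed inputs are all assumptions.

```c
/* Added example, not mutt code: error-path hygiene for a parsed "color body <regex>"
 * rule. All names, the buffer size and the inputs are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>

#define PATTERN_BUF 16   /* deliberately small so a long pattern trips the limit */

struct color_rule {
    char pattern[PATTERN_BUF];
    regex_t rx;
    int compiled;              /* 1 only after regcomp() succeeded */
    struct color_rule *next;
};

struct rule_list { struct color_rule *head; };

static int rule_count(const struct rule_list *l)
{
    int n = 0;
    for (const struct color_rule *r = l->head; r; r = r->next) n++;
    return n;
}

/* Nodes left on the list whose regex never compiled: > 0 means a bad error path. */
static int stale_rules(const struct rule_list *l)
{
    int n = 0;
    for (const struct color_rule *r = l->head; r; r = r->next) if (!r->compiled) n++;
    return n;
}

/* Buggy shape: link first, validate second. Both failure returns report an error
 * to the caller but leave the half-initialised node reachable from the list. */
static int add_rule_buggy(struct rule_list *l, const char *s)
{
    struct color_rule *node = calloc(1, sizeof *node);
    if (!node) return -1;
    node->next = l->head;
    l->head = node;                                        /* too early */
    if (strlen(s) >= sizeof node->pattern) return -1;      /* node left behind */
    strcpy(node->pattern, s);
    if (regcomp(&node->rx, node->pattern, REG_EXTENDED) != 0) return -1;
    node->compiled = 1;
    return 0;
}

/* Hardened shape: reject (never truncate) an over-long pattern, compile into a node
 * nothing else can see yet, link only on success, free on any failure. */
static int add_rule_safe(struct rule_list *l, const char *s)
{
    if (strlen(s) >= PATTERN_BUF) return -1;
    struct color_rule *node = calloc(1, sizeof *node);
    if (!node) return -1;
    memcpy(node->pattern, s, strlen(s) + 1);
    if (regcomp(&node->rx, node->pattern, REG_EXTENDED) != 0) {
        free(node);                                        /* nothing points at it */
        return -1;
    }
    node->compiled = 1;
    node->next = l->head;
    l->head = node;
    return 0;
}

/* Match loop that refuses to touch an uncompiled node; without the check the buggy
 * list would hand an uninitialised regex_t to regexec(), as in the backtrace. */
static int rules_match(const struct rule_list *l, const char *line)
{
    for (const struct color_rule *r = l->head; r; r = r->next)
        if (r->compiled && regexec(&r->rx, line, 0, NULL, 0) == 0) return 1;
    return 0;
}

static void rules_free(struct rule_list *l)
{
    while (l->head) {
        struct color_rule *r = l->head;
        l->head = r->next;
        if (r->compiled) regfree(&r->rx);
        free(r);
    }
}

int main(void)
{
    /* constructed input: longer than PATTERN_BUF and with an unclosed "(" */
    const char *too_long = "STRING WHICH IS LONGER THAN buf ( not closed";
    struct rule_list buggy = { NULL }, safe = { NULL };

    for (int i = 0; i < 25; i++) {          /* "change folder many times" */
        add_rule_buggy(&buggy, too_long);
        add_rule_safe(&safe, too_long);
    }
    printf("buggy: %d nodes, %d stale\n", rule_count(&buggy), stale_rules(&buggy));
    printf("safe:  %d nodes, %d stale\n", rule_count(&safe), stale_rules(&safe));
    add_rule_safe(&safe, "Content-Type");
    printf("safe matches header: %d\n", rules_match(&safe, "Content-Type: text/plain;\n"));
    rules_free(&buggy);
    rules_free(&safe);
    return 0;
}
```

The difference to look for when reviewing a parser like this is the order of "link into shared structure" versus "validate": any failure return after the link must unlink and free, or the caller's next pass over the list inherits the garbage.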