Re: [Mutt] #2790: re-executing a "too long" 'color body ...' cmd

[Mutt <fleas@xxxxxxxxxxxx>]

#2790: re-executing a "too long" 'color body ...' cmd causes segv crash after a
while

Changes (by brendan):

  * priority:  critical => major

Old description:

> {{{
> When a "color body ..." cmd, which fails because it's too long
> (color.c:518),
> is executed several times, crashes mutt eventually.
> Seems the bad/ too long case is not caught/ aborted properly
> but leaves bad pointers around.
>
> Here the backtrace:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xfeec251c in realfree () from /usr/lib/libc.so.1
> (gdb) backtrace
> #0  0xfeec251c in realfree () from /usr/lib/libc.so.1
> #1  0xfeec2e28 in cleanfree () from /usr/lib/libc.so.1
> #2  0xfeec1f5c in _malloc_unlocked () from /usr/lib/libc.so.1
> #3  0xfeec1e50 in malloc () from /usr/lib/libc.so.1
> #4  0xfeee8aec in __regexec_C () from /usr/lib/libc.so.1
> #5  0x5cefc in patmatch (pat=0x115cf0, buf=0x11ed18 "Content-Type:
> text/plain;\n") at pattern.c:720
> #6  0x5c0c4 in msg_search (ctx=0x101a68, pat=0x115cf0, msgno=1174808) at
> pattern.c:244
> #7  0x5de6c in mutt_pattern_exec (pat=0x115cf0,
> flags=M_MATCH_FULL_ADDRESS, ctx=0x101a68, h=0x11e7d0) at pattern.c:1140
> #8  0x345b0 in mutt_set_header_color (ctx=0x101a68, curhdr=0x11e7d0) at
> curs_main.c:2195
> #9  0x2fb54 in index_color (index_no=0) at curs_main.c:182
> #10 0x4b920 in menu_redraw_index (menu=0x1168a0) at menu.c:243
> #11 0x306f0 in mutt_index_menu () at curs_main.c:551
> #12 0x48a24 in main (argc=4, argv=0xffbef3c4) at main.c:963
> >How-To-Repeat:
> folder-hook . 'color body "STRING WHICH IS LONGER THAN buf SIZE AND HAS
> OPEN ( WITHIN buf SIZE BUT NOT CLOSED )"'
> # so that the color cmd fails -> beep on error beeps each time.
>
> String size depends on color.c:518, change
>    char buf[LONG_STRING];
> to
>    char buf[SHORT_STRING];
> to reach the limit easier.
>
> Now change folder many times, takes quite a few, but then crash. Here
> ~20-30 times.
> >Fix:
> }}}

New description:

 When a "color body ..." cmd, which fails because it's too long
 (color.c:518),
 is executed several times, crashes mutt eventually.
 Seems the bad/ too long case is not caught/ aborted properly
 but leaves bad pointers around.

 Here the backtrace:
 {{{
 Program received signal SIGSEGV, Segmentation fault.
 0xfeec251c in realfree () from /usr/lib/libc.so.1
 (gdb) backtrace
 #0  0xfeec251c in realfree () from /usr/lib/libc.so.1
 #1  0xfeec2e28 in cleanfree () from /usr/lib/libc.so.1
 #2  0xfeec1f5c in _malloc_unlocked () from /usr/lib/libc.so.1
 #3  0xfeec1e50 in malloc () from /usr/lib/libc.so.1
 #4  0xfeee8aec in __regexec_C () from /usr/lib/libc.so.1
 #5  0x5cefc in patmatch (pat=0x115cf0, buf=0x11ed18 "Content-Type:
 text/plain;\n") at pattern.c:720
 #6  0x5c0c4 in msg_search (ctx=0x101a68, pat=0x115cf0, msgno=1174808) at
 pattern.c:244
 #7  0x5de6c in mutt_pattern_exec (pat=0x115cf0,
 flags=M_MATCH_FULL_ADDRESS, ctx=0x101a68, h=0x11e7d0) at pattern.c:1140
 #8  0x345b0 in mutt_set_header_color (ctx=0x101a68, curhdr=0x11e7d0) at
 curs_main.c:2195
 #9  0x2fb54 in index_color (index_no=0) at curs_main.c:182
 #10 0x4b920 in menu_redraw_index (menu=0x1168a0) at menu.c:243
 #11 0x306f0 in mutt_index_menu () at curs_main.c:551
 #12 0x48a24 in main (argc=4, argv=0xffbef3c4) at main.c:963
 }}}
 >How-To-Repeat:
 folder-hook . 'color body "STRING WHICH IS LONGER THAN buf SIZE AND HAS
 OPEN ( WITHIN buf SIZE BUT NOT CLOSED )"'
 # so that the color cmd fails -> beep on error beeps each time.
 String size depends on color.c:518, change
    char buf[LONG_STRING];
 to
    char buf[SHORT_STRING];
 to reach the limit easier.

 Now change folder many times, takes quite a few, but then crash. Here
 ~20-30 times.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2790#comment:3>