
Re: [Mutt] #2172: crashes (double free) when closing externally



#2172: crashes (double free) when closing externally modified mailbox

Changes (by brendan):

  * status:  new => closed
  * resolution:  => worksforme

Old description:

> {{{
> (This comes from Debian Bug#346073.)
>
> When quitting after a mailbox has been emptied by an external program,
> Mutt seems to issue a double free, and newer libc6 versions crash on
> this.
>
> The backtrace is:
>
> #0  0xffffe410 in __kernel_vsyscall ()
> #1  0xb7d63691 in raise () from /lib/tls/i686/cmov/libc.so.6
> #2  0xb7d64f5b in abort () from /lib/tls/i686/cmov/libc.so.6
> #3  0xb7d99ba7 in __libc_message () from /lib/tls/i686/cmov/libc.so.6
> #4  0xb7da0177 in _int_free () from /lib/tls/i686/cmov/libc.so.6
> #5  0xb7da0612 in free () from /lib/tls/i686/cmov/libc.so.6
> #6  0xb7d9099a in fclose@@GLIBC_2.1 () from /lib/tls/i686/cmov/libc.so.6
> #7  0x080afb9a in safe_fclose (f=0x8151e7c) at lib.c:203
> #8  0x080885cf in mx_fastclose_mailbox (ctx=0x8151e78) at mx.c:766
> #9  0x080819c8 in mbox_sync_mailbox (ctx=0x8151e78, index_hint=0x0) at
> mbox.c:934
> #10 0x080886c2 in sync_mailbox (ctx=0x8151e78, index_hint=0xbfd8bf00) at
> mx.c:785
> #11 0x0808a56c in mx_close_mailbox (ctx=0x8151e78, index_hint=0xbfd8bf00)
> at mx.c:1000
> #12 0x08067668 in mutt_index_menu () at curs_main.c:890
> #13 0x0807eede in main (argc=5, argv=0xbfd8c904) at main.c:960
>
> >How-To-Repeat:
> Open a mailbox with one unread message, e.g. [1], on terminal 1, like:
>
> t1% mutt -nF /dev/null -f sample-mailbox
>
> Press intro; the message gets displayed.
>
> On terminal 2, empty the mailbox with:
>
> t2% echo -n >sample-mailbox
>
> On terminal 1 again, press 'q'; Mutt says "Mailbox was externally
> modified.  Flags may be wrong." Now press 'q' again:
>
> Writing messages... 0 (0%)
> *** glibc detected *** double free or corruption (!prev): 0x08153140 ***
> zsh: abort (core dumped)
>
> [1] http://people.debian.org/~adeodato/tmp/2006-01-30/sample-mailbox
> >Fix:
> }}}

New description:

 {{{
 (This comes from Debian Bug#346073.)

 When quitting after a mailbox has been emptied by an external program,
 Mutt seems to issue a double free, and newer libc6 versions crash on this.

 The backtrace is:

 #0  0xffffe410 in __kernel_vsyscall ()
 #1  0xb7d63691 in raise () from /lib/tls/i686/cmov/libc.so.6
 #2  0xb7d64f5b in abort () from /lib/tls/i686/cmov/libc.so.6
 #3  0xb7d99ba7 in __libc_message () from /lib/tls/i686/cmov/libc.so.6
 #4  0xb7da0177 in _int_free () from /lib/tls/i686/cmov/libc.so.6
 #5  0xb7da0612 in free () from /lib/tls/i686/cmov/libc.so.6
 #6  0xb7d9099a in fclose@@GLIBC_2.1 () from /lib/tls/i686/cmov/libc.so.6
 #7  0x080afb9a in safe_fclose (f=0x8151e7c) at lib.c:203
 #8  0x080885cf in mx_fastclose_mailbox (ctx=0x8151e78) at mx.c:766
 #9  0x080819c8 in mbox_sync_mailbox (ctx=0x8151e78, index_hint=0x0) at
 mbox.c:934
 #10 0x080886c2 in sync_mailbox (ctx=0x8151e78, index_hint=0xbfd8bf00) at
 mx.c:785
 #11 0x0808a56c in mx_close_mailbox (ctx=0x8151e78, index_hint=0xbfd8bf00)
 at mx.c:1000
 #12 0x08067668 in mutt_index_menu () at curs_main.c:890
 #13 0x0807eede in main (argc=5, argv=0xbfd8c904) at main.c:960

 >How-To-Repeat:
 Open a mailbox with one unread message, e.g. [1], on terminal 1, like:

 t1% mutt -nF /dev/null -f sample-mailbox

 Press intro; the message gets displayed.

 On terminal 2, empty the mailbox with:

 t2% echo -n >sample-mailbox

 On terminal 1 again, press 'q'; Mutt says "Mailbox was externally
 modified.  Flags may be wrong." Now press 'q' again:

 Writing messages... 0 (0%)
 *** glibc detected *** double free or corruption (!prev): 0x08153140 ***
 zsh: abort (core dumped)

 [1] http://people.debian.org/~adeodato/tmp/2006-01-30/sample-mailbox
 >Fix:
 }}}

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2172#comment:2>