[Mutt] #2927: Segfault on startup when muttrc spam setting used %1 but the regex specifies no subexpressions
I made a mistake adding a spam setting in my muttrc which caused mutt to
segfault on start up. You should be able to see it with the following
lines in your muttrc:
{{{
spam "X-Spam-Score: [[:digit:].]" "%1"
set sort=threads
set sort_aux=spam
}}}
If I correct the first line as follows there's no problem....
{{{
spam "X-Spam-Score: ([[:digit:].]+)" "%1"
}}}
Here's a stack trace from gdb from just before the crash (it blows up my
stack so one when it faults isn't much good). This is using mutt 1.5.16.
{{{
#0 compare_spam (a=0x28e10e38, b=0x28e10e98) at sort.c:189
#1 0x01895bf4 in compare_threads (a=0x27778010, b=0x2777801c) at thread.c:576
#2 0x2943c200 in qsort (aa=0x28e10e38, n=8, es=4, cmp=0x1895b8c <compare_threads>) at /usr/src/lib/libc/stdlib/qsort.c:78
#3 0x01895e84 in mutt_sort_subthreads (thread=0x0, init=1) at thread.c:650
#4 0x01896c7c in mutt_sort_threads (ctx=0x279e8680, init=1) at thread.c:964
#5 0x01892b18 in mutt_sort_headers (ctx=0x279e8680, init=1) at sort.c:297
#6 0x0185bad0 in mx_open_mailbox (path=0xffff6268 "/var/mail/smallm", flags=0, pctx=0x0) at mx.c:720
#7 0x0184daa8 in main (argc=0, argv=0x0) at main.c:986
}}}
At the crash (strtod was passed NULL)...
{{{
#0 strtod (s00=0x0, se=0xfffc9b18) at ctype.h:139
139 {
(gdb) bt
#0 strtod (s00=0x0, se=0xfffc9b18) at ctype.h:139
#1 0x258f4ff8 in strtod (s00=0x0, se=0xfffc9b18)
... (a screwed up stack, all strtod) ...
#10 0x258f4ff8 in strtod (s00=0x0, se=0xfffc9b18) at /usr/src/lib/libc/stdlib/strtod.c:1209
Previous frame inner to this frame (corrupt stack?)
}}}
Looking at mutt_read_rfc822_header() in parse.c it appears
that the call to mutt_match_spam_list returns true, but
at the same time sets buf to "". This causes the spam member
of the envelope structure to be initialized like so...
e->spam = mutt_buffer_from(NULL, "");
mutt_buffer_from uses safe_strdup which sets the data member
of the buffer struct to NULL. Later on when the messages
are sorted it's that NULL data member that compare_spam()
passes to strtod causing the crash. The guard condition
at the top of compare_spam() does not look into the spam buffer
to see if it has actual data, it only checks that the spam
pointer itself is non-null. Here's a patch which
avoids the segfault by adding to that guard condition. It
avoids the crash for me.
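To make that failure path concrete, here is an added example (my code, not mutt's) that models the BUFFER struct, a safe_strdup that turns "" into a NULL data pointer, and the comparator guard extended to look at the buffer contents before anything reaches strtod. The `_model`/`_safe` names and the sort direction (a message with a score sorts first) are assumptions, not mutt's source.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for mutt's BUFFER and safe_strdup: assumptions that mirror the
 * behaviour the ticket describes, not mutt's own source. */
typedef struct {
  char  *data;   /* NULL when the seed string was empty */
  size_t dsize;  /* strlen(data), 0 for an empty seed */
} BUFFER;

/* Like safe_strdup as described above: "" yields NULL rather than a copy. */
static char *safe_strdup_model(const char *s) {
  size_t n;
  char *p;
  if (!s || !*s) return NULL;
  n = strlen(s) + 1;
  p = malloc(n);
  if (p) memcpy(p, s, n);
  return p;
}

/* Like mutt_buffer_from(NULL, seed): for "" this leaves data == NULL. */
BUFFER *buffer_from_model(const char *seed) {
  BUFFER *b = calloc(1, sizeof *b);
  if (!b) return NULL;
  b->data  = safe_strdup_model(seed);
  b->dsize = b->data ? strlen(b->data) : 0;
  return b;
}

/* The guard from the patch, one step stricter: an attribute counts only if
 * the buffer exists, has a size and has data, so strtod never sees NULL. */
int spam_has_value(const BUFFER *spam) {
  return spam != NULL && spam->dsize > 0 && spam->data != NULL;
}

/* Numeric comparison in the spirit of compare_spam (assumed ordering: a
 * message with a score sorts before one without). Returns <0, 0 or >0. */
int compare_spam_safe(const BUFFER *a, const BUFFER *b) {
  int ahas = spam_has_value(a), bhas = spam_has_value(b);
  if (ahas && !bhas) return -1;
  if (!ahas && bhas) return 1;
  if (!ahas && !bhas) return 0;
  double da = strtod(a->data, NULL), db = strtod(b->data, NULL);
  return (da > db) - (da < db);
}
```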
{{{
--- sort.c.orig Fri Jun 29 17:38:09 2007
+++ sort.c Fri Jun 29 17:42:23 2007
@@ -166,8 +166,8 @@ int compare_spam (const void *a, const v
/* Firstly, require spam attributes for both msgs */
/* to compare. Determine which msgs have one. */
- ahas = (*ppa)->env && (*ppa)->env->spam;
- bhas = (*ppb)->env && (*ppb)->env->spam;
+ ahas = (*ppa)->env && (*ppa)->env->spam && (*ppa)->env->spam->dsize >
0;
+ bhas = (*ppb)->env && (*ppb)->env->spam && (*ppb)->env->spam->dsize >
0;
/* If one msg has spam attr but other does not, sort the one with
first. */
if (ahas && !bhas)
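Review bot: the new `dsize > 0` test in the two `ahas`/`bhas` lines only prevents the crash because, as the report explains, `safe_strdup("")` leaves `data` NULL together with a zero `dsize`; since it is `data` that gets handed to `strtod`, stating that precondition directly (`&& (*ppa)->env->spam->data`) would make the guard hold even if the two members ever disagree. This also fixes only the consumer: `mutt_match_spam_list` still returns true while writing "" for a `%1` that has no matching subexpression, so every message ends up with an empty spam attribute and, under `sort_aux=spam`, sorts as if it had none; a note in the commit message (or a follow-up in parse.c) would make that limitation visible.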
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2927>