
[Mutt] #2927: Segfault on startup when muttrc spam setting used %1 but the regex specifies no subexpressions


 I made a mistake adding a spam setting in my muttrc which caused mutt to
 segfault on startup.  You should be able to see it with the following
 lines in your muttrc:

 {{{
 spam "X-Spam-Score: [[:digit:].]"       "%1"
 set sort=threads
 set sort_aux=spam
 }}}

 If I correct the first line as follows, there's no problem...

 {{{
 spam "X-Spam-Score: ([[:digit:].]+)"       "%1"
 }}}

 Here's a stack trace from gdb from just before the crash (it blows up my
 stack, so one taken when it faults isn't much good).  This is using mutt 1.5.16.

 {{{
 #0  compare_spam (a=0x28e10e38, b=0x28e10e98) at sort.c:189
 #1  0x01895bf4 in compare_threads (a=0x27778010, b=0x2777801c) at thread.c:576
 #2  0x2943c200 in qsort (aa=0x28e10e38, n=8, es=4, cmp=0x1895b8c <compare_threads>) at /usr/src/lib/libc/stdlib/qsort.c:78
 #3  0x01895e84 in mutt_sort_subthreads (thread=0x0, init=1) at thread.c:650
 #4  0x01896c7c in mutt_sort_threads (ctx=0x279e8680, init=1) at thread.c:964
 #5  0x01892b18 in mutt_sort_headers (ctx=0x279e8680, init=1) at sort.c:297
 #6  0x0185bad0 in mx_open_mailbox (path=0xffff6268 "/var/mail/smallm", flags=0, pctx=0x0) at mx.c:720
 #7  0x0184daa8 in main (argc=0, argv=0x0) at main.c:986
 }}}

 At the crash (strtod was passed NULL)...

 {{{
 #0  strtod (s00=0x0, se=0xfffc9b18) at ctype.h:139
 139     {
 (gdb) bt
 #0  strtod (s00=0x0, se=0xfffc9b18) at ctype.h:139
 #1  0x258f4ff8 in strtod (s00=0x0, se=0xfffc9b18)
 ... (a screwed up stack, all strtod) ...
 #10 0x258f4ff8 in strtod (s00=0x0, se=0xfffc9b18)
     at /usr/src/lib/libc/stdlib/strtod.c:1209
 Previous frame inner to this frame (corrupt stack?)
 }}}

 Looking at mutt_read_rfc822_header() in parse.c, it appears
 that the call to mutt_match_spam_list returns true, but
 at the same time sets buf to "". This causes the spam member
 of the envelope structure to be initialized like so...

  e->spam = mutt_buffer_from(NULL, "");

 mutt_buffer_from uses safe_strdup, which sets the data member
 of the buffer struct to NULL.  Later on, when the messages
 are sorted, it's that NULL data member that compare_spam()
 passes to strtod, causing the crash.  The guard condition
 at the top of compare_spam() does not look into the spam buffer
 to see if it has actual data; it only checks that the spam
 pointer itself is non-null.   Here's a patch which
 avoids the segfault by adding to that guard condition.  It
 avoids the crash for me.

 {{{
 --- sort.c.orig Fri Jun 29 17:38:09 2007
 +++ sort.c      Fri Jun 29 17:42:23 2007
 @@ -166,8 +166,8 @@ int compare_spam (const void *a, const v

    /* Firstly, require spam attributes for both msgs */
    /* to compare. Determine which msgs have one.     */
 -  ahas = (*ppa)->env && (*ppa)->env->spam;
 -  bhas = (*ppb)->env && (*ppb)->env->spam;
 +  ahas = (*ppa)->env && (*ppa)->env->spam && (*ppa)->env->spam->dsize >
 0;
 +  bhas = (*ppb)->env && (*ppb)->env->spam && (*ppb)->env->spam->dsize >
 0;

    /* If one msg has spam attr but other does not, sort the one with
 first. */
    if (ahas && !bhas)
 }}}
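Review bot: the new guard in the two `+` lines keys on `spam->dsize > 0`, while the crash described above comes from `spam->data` being NULL, so the fix only holds as long as dsize is guaranteed to be 0 whenever data is NULL; testing the pointer that strtod actually receives, e.g. `(*ppa)->env->spam && (*ppa)->env->spam->data`, guards the dereference directly, and the empty expansion could additionally be rejected in mutt_read_rfc822_header() so that no zero-length spam buffer is attached to the envelope in the first place. Also note that the `0;` fragments on their own lines are wrapped continuations of the two `+` lines; the hunk needs rejoining before it will apply.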

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2927>
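To make the failure mode concrete, here is an added example (not mutt's code, and not part of the ticket) that models just enough of mutt's BUFFER/ENVELOPE/HEADER layout to reproduce the situation: a `safe_strdup`-like helper that returns NULL for an empty string, a `mutt_buffer_from`-like constructor that still allocates the buffer, and the three guard variants side by side (the original, the ticket's `dsize > 0` patch, and a check on `data` itself). The struct names, the helper names ending in `_like`, the ordering rule in the comparator, and the sample scores are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for mutt's BUFFER, ENVELOPE and HEADER (simplified, not mutt's
 * own definitions): only the fields compare_spam() touches are modelled. */
typedef struct { char *data; size_t dsize; } BUFFER;   /* data may be NULL */
typedef struct { BUFFER *spam; } ENVELOPE;
typedef struct { ENVELOPE *env; } HEADER;

/* Mimics the property the ticket relies on: duplicating NULL or "" gives NULL. */
static char *safe_strdup_like(const char *s)
{
    if (s == NULL || *s == '\0')
        return NULL;
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Simplified mutt_buffer_from(NULL, s): the BUFFER exists even when s is "",
 * which is how an envelope ends up with spam != NULL but spam->data == NULL. */
static BUFFER *buffer_from_like(const char *s)
{
    BUFFER *b = calloc(1, sizeof *b);
    if (!b)
        return NULL;
    b->data  = safe_strdup_like(s);
    b->dsize = b->data ? strlen(b->data) : 0;
    return b;
}

/* spam == NULL: no spam rule matched. spam == "": matched, empty expansion. */
HEADER *make_header(const char *spam)
{
    HEADER *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->env = calloc(1, sizeof *h->env);
    if (!h->env) { free(h); return NULL; }
    if (spam)
        h->env->spam = buffer_from_like(spam);
    return h;
}

void free_header(HEADER *h)
{
    if (!h) return;
    if (h->env) {
        if (h->env->spam) { free(h->env->spam->data); free(h->env->spam); }
        free(h->env);
    }
    free(h);
}

/* Guard as it was before the patch: any non-NULL spam buffer counts. */
int has_spam_original(const HEADER *h) { return h->env && h->env->spam; }

/* Guard from the ticket's patch: the buffer must also report dsize > 0. */
int has_spam_patched(const HEADER *h)
{
    return h->env && h->env->spam && h->env->spam->dsize > 0;
}

/* Tighter alternative: test the very pointer strtod() will receive. */
int has_spam_data(const HEADER *h)
{
    return h->env && h->env->spam && h->env->spam->data != NULL;
}

/* What `guard` says about the ticket's problem case (matched rule, "" as the
 * expansion): 1 means the comparator would go on to call strtod(NULL). */
int guard_accepts_empty(int (*guard)(const HEADER *))
{
    HEADER *h = make_header("");
    int r = h ? guard(h) : -1;
    free_header(h);
    return r;
}

/* qsort comparator in the shape of compare_spam(), using the data guard.
 * Ordering assumed here (not mutt's SORTCODE logic): scored messages first,
 * ascending by score; unscored messages last. */
static int compare_spam_safe(const void *a, const void *b)
{
    const HEADER *ha = *(const HEADER *const *)a;
    const HEADER *hb = *(const HEADER *const *)b;
    int ahas = has_spam_data(ha), bhas = has_spam_data(hb);
    if (ahas && !bhas) return -1;
    if (!ahas && bhas) return 1;
    if (!ahas && !bhas) return 0;
    double da = strtod(ha->env->spam->data, NULL);
    double db = strtod(hb->env->spam->data, NULL);
    return (da > db) - (da < db);
}

/* Constructed scenario: scores "3.5" and "1.2" plus one message whose rule
 * matched with an empty expansion. Returns 1 if sorting yields 1.2, 3.5,
 * then the empty one, without ever passing NULL to strtod. */
int sort_demo_ok(void)
{
    HEADER *hs[3] = { make_header("3.5"), make_header(""), make_header("1.2") };
    qsort(hs, 3, sizeof hs[0], compare_spam_safe);
    int ok = hs[0]->env->spam->data && strcmp(hs[0]->env->spam->data, "1.2") == 0
          && hs[1]->env->spam->data && strcmp(hs[1]->env->spam->data, "3.5") == 0
          && hs[2]->env->spam->data == NULL;
    for (int i = 0; i < 3; i++) free_header(hs[i]);
    return ok;
}

int main(void)
{
    printf("original guard accepts empty buffer: %d\n", guard_accepts_empty(has_spam_original));
    printf("patched  guard accepts empty buffer: %d\n", guard_accepts_empty(has_spam_patched));
    printf("data     guard accepts empty buffer: %d\n", guard_accepts_empty(has_spam_data));
    printf("sort completes without NULL deref:   %d\n", sort_demo_ok());
    return 0;
}
```

The original guard is the only one that lets the empty-expansion message through to `strtod`, which is the crash path in the backtrace above; the `dsize` patch and the `data` check both stop it, but the `data` check does so without relying on `dsize` staying consistent with `data`.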