Re: [Mutt] #3041: imap fetch segfault
#3041: imap fetch segfault
Comment (by brendan):
558 if (h && h->active && h->index+1 == msgno)
Hmm, h must be neither NULL nor a valid header. That is certainly
troubling. Usually the header array is preallocated and zeroed before
headers are fetched into it, but there may be some lazy allocation in the
read_headers function when a mailbox is first opened that is getting
tripped up on this.
You are right that the code should be refactored and shared instead of
duplicated. The current situation is a result of the somewhat lazy way the
original author of the header cache added IMAP support (which is improving
over time, but slowly).
I think you may also be right that a malicious server could cause a buffer
overflow by using a too-large SID. This should be checked as soon as
possible!
But I don't think that temporary NULL pointers in ctx->hdrs should
generally be a problem. As you report, the arrival of flag updates BEFORE
any header information at all has been supplied is probably the culprit -
flag updates are handled in cmd outside of the header fetching code.
The proper, but somewhat large, fix would be to move header parsing into
cmd too. But I'm sure we can come up with a simpler, uglier band-aid :)
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3041#comment:2>
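Below is an added example of the two checks the comment calls for: rejecting a server-supplied sequence number that does not fit the header array before it is used as an index, and tolerating a still-NULL slot when a flag update arrives before the header has been fetched. It is not mutt's code; `header_t`, `context_t`, `lookup_header`, `apply_flag_update` and the other names are hypothetical stand-ins for mutt's HEADER and ctx->hdrs, and the event sequence in `scenario_rejected` is constructed.

```c
/* Added example, not mutt's code: bounds-checked header lookup for the
 * situation in ticket #3041. All types and names here are hypothetical. */
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    int active;          /* set once the header has been fetched and parsed */
    unsigned long index; /* 0-based slot; the IMAP sequence number is index+1 */
    unsigned flags;      /* flag bits updated by server flag responses */
} header_t;

typedef struct {
    header_t **hdrs;     /* preallocated and zeroed; slots are filled lazily */
    size_t msgcount;     /* number of slots in hdrs */
} context_t;

typedef enum {
    LOOKUP_OK = 0,
    LOOKUP_BAD_SEQNO,    /* msgno outside 1..msgcount: would index past hdrs */
    LOOKUP_NO_HEADER,    /* slot still NULL: flag update arrived before header */
    LOOKUP_INACTIVE      /* slot allocated but not an active, matching header */
} lookup_rc;

/* msgno is an untrusted 1-based sequence number taken from server output.
 * Every rejection path returns before hdrs[] is dereferenced. */
lookup_rc lookup_header(const context_t *ctx, unsigned long msgno, header_t **out)
{
    *out = NULL;
    if (msgno < 1 || msgno > ctx->msgcount)
        return LOOKUP_BAD_SEQNO;
    header_t *h = ctx->hdrs[msgno - 1];
    if (h == NULL)
        return LOOKUP_NO_HEADER;
    if (!h->active || h->index + 1 != msgno)
        return LOOKUP_INACTIVE;
    *out = h;
    return LOOKUP_OK;
}

/* A flag update is applied only when the lookup succeeds. */
lookup_rc apply_flag_update(context_t *ctx, unsigned long msgno, unsigned flags)
{
    header_t *h;
    lookup_rc rc = lookup_header(ctx, msgno, &h);
    if (rc == LOOKUP_OK)
        h->flags = flags;
    return rc;
}

context_t *context_new(size_t n)
{
    context_t *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->hdrs = calloc(n, sizeof *ctx->hdrs);   /* zeroed: every slot starts NULL */
    if (!ctx->hdrs) { free(ctx); return NULL; }
    ctx->msgcount = n;
    return ctx;
}

void context_free(context_t *ctx)
{
    if (!ctx) return;
    for (size_t i = 0; i < ctx->msgcount; i++)
        free(ctx->hdrs[i]);
    free(ctx->hdrs);
    free(ctx);
}

/* What header fetching does for one message: fill slot msgno-1, mark it active. */
int fetch_header(context_t *ctx, unsigned long msgno)
{
    if (msgno < 1 || msgno > ctx->msgcount) return -1;
    header_t *h = calloc(1, sizeof *h);
    if (!h) return -1;
    h->index = msgno - 1;
    h->active = 1;
    free(ctx->hdrs[msgno - 1]);   /* tolerate a refetch of the same message */
    ctx->hdrs[msgno - 1] = h;
    return 0;
}

/* One flag update against a fresh 3-slot mailbox; fetch the header first if asked. */
lookup_rc probe(unsigned long msgno, int fetch_first)
{
    context_t *ctx = context_new(3);
    if (fetch_first) fetch_header(ctx, msgno);
    lookup_rc rc = apply_flag_update(ctx, msgno, 1);
    context_free(ctx);
    return rc;
}

/* Constructed event sequence: flags for msg 2 before its header exists, a zero
 * and a far too large sequence number, then msg 2 again after its header is
 * fetched. Returns how many of the four updates were rejected. */
int scenario_rejected(void)
{
    context_t *ctx = context_new(3);
    int rejected = 0;
    rejected += apply_flag_update(ctx, 2, 1) != LOOKUP_OK;            /* no header yet */
    rejected += apply_flag_update(ctx, 0, 1) != LOOKUP_OK;            /* seqnos start at 1 */
    rejected += apply_flag_update(ctx, 4000000000UL, 1) != LOOKUP_OK; /* too-large SID */
    fetch_header(ctx, 2);
    rejected += apply_flag_update(ctx, 2, 1) != LOOKUP_OK;            /* applied now */
    context_free(ctx);
    return rejected;
}

int main(void)
{
    printf("rejected updates: %d (expected 3)\n", scenario_rejected());
    return 0;
}
```

The point of the design is that a flag update for a message whose slot is still NULL is simply dropped (or could be queued) rather than dereferenced, and that the range check on `msgno` happens before any indexing into `hdrs`, so a server sending an oversized sequence number gets a rejected update instead of an out-of-bounds read or write.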