Re: [Mutt] #3041: imap fetch segfault
#3041: imap fetch segfault

Comment (by brendan):

 558           if (h && h->active && h->index+1 == msgno)

 Hmm, h must be neither NULL nor a valid header. That is certainly
 troubling. Usually the header array is preallocated and zeroed before
 headers are fetched into it, but there may be some lazy allocation in the
 read_headers function when a mailbox is first opened that is getting
 tripped up on this.

 You are right that the code should be refactored and shared instead of
 duplicated. The current situation is a result of the somewhat lazy way the
 original author of the header cache added IMAP support (which is improving
 over time, but slowly).

 I think you may also be right that a malicious server could cause a buffer
 overflow by using a too-large SID. This should be checked as soon as
 possible!

 But I don't think that temporary NULL pointers in ctx->hdrs should
 generally be a problem. As you report, the arrival of flag updates BEFORE
 any header information at all has been supplied is probably the culprit -
 flag updates are handled in cmd outside of the header fetching code.

 The proper, but somewhat large, fix would be to move header parsing into
 cmd too. But I'm sure we can come up with a simpler, uglier band-aid :)

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3041#comment:2>
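As an added illustration of the two points raised in the comment above (this is a stand-alone model, not mutt's code and not part of the ticket), the following C program models a preallocated, zeroed header array, a flag update that arrives for a slot whose header has not been fetched yet, and a server-supplied message number that is range-checked before it is used as an index. The type names CONTEXT and HEADER, the functions apply_flag_update and parse_fetch_msgno, and the sample untagged FETCH response are hypothetical stand-ins; the real structures in mutt differ.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for mutt's HEADER and CONTEXT (not the project's code). */
typedef struct {
    int active;   /* set once the header has actually been fetched */
    int index;    /* 0-based slot; the server's 1-based msgno is index+1 */
    int flagged;
} HEADER;

typedef struct {
    HEADER **hdrs;  /* preallocated and zeroed: NULL until a header is fetched */
    int hdrmax;     /* number of slots allocated */
} CONTEXT;

enum { FLAG_OK = 0, FLAG_BAD_MSGNO = -1, FLAG_NO_HEADER = -2 };

CONTEXT *ctx_open(int hdrmax) {
    CONTEXT *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->hdrs = calloc((size_t)hdrmax, sizeof *ctx->hdrs);
    if (!ctx->hdrs) { free(ctx); return NULL; }
    ctx->hdrmax = hdrmax;
    return ctx;
}

void ctx_close(CONTEXT *ctx) {
    int i;
    for (i = 0; i < ctx->hdrmax; i++) free(ctx->hdrs[i]);
    free(ctx->hdrs);
    free(ctx);
}

/* Simulate fetching the header for a 1-based msgno into its slot. */
int ctx_fetch_header(CONTEXT *ctx, int msgno) {
    HEADER *h;
    if (msgno < 1 || msgno > ctx->hdrmax) return -1;
    if (ctx->hdrs[msgno - 1]) return 0;   /* already present */
    h = calloc(1, sizeof *h);
    if (!h) return -1;
    h->index = msgno - 1;
    h->active = 1;
    ctx->hdrs[msgno - 1] = h;
    return 0;
}

/* Apply a flag update for a server-supplied msgno. The number is validated
 * against the allocated array BEFORE indexing, and a slot that holds no
 * header yet (update arrived before the header) is skipped, not dereferenced. */
int apply_flag_update(CONTEXT *ctx, int msgno, int flagged) {
    HEADER *h;
    if (msgno < 1 || msgno > ctx->hdrmax) return FLAG_BAD_MSGNO;
    h = ctx->hdrs[msgno - 1];
    if (!h || !h->active) return FLAG_NO_HEADER;
    if (h->index + 1 != msgno) return FLAG_BAD_MSGNO; /* slot/msgno mismatch */
    h->flagged = flagged;
    return FLAG_OK;
}

/* Extract the msgno from an untagged "* <n> FETCH ..." line (constructed
 * input, simplified grammar). Returns -1 on any malformed or oversized number. */
int parse_fetch_msgno(const char *line) {
    const char *p = line;
    char *end;
    long v;
    if (strncmp(p, "* ", 2) != 0) return -1;
    p += 2;
    if (*p < '0' || *p > '9') return -1;
    errno = 0;
    v = strtol(p, &end, 10);
    if (errno == ERANGE || v < 1 || v > INT_MAX) return -1;
    if (strncmp(end, " FETCH", 6) != 0) return -1;
    return (int)v;
}

/* Runs the constructed scenario; returns 1 if every step behaves as intended. */
int scenario_ok(void) {
    CONTEXT *ctx = ctx_open(10);
    int ok = 1;
    if (!ctx) return 0;
    /* flag update before any header for msgno 3: slot is NULL, must be skipped */
    ok &= (apply_flag_update(ctx, 3, 1) == FLAG_NO_HEADER);
    /* header arrives, then the update applies normally */
    ok &= (ctx_fetch_header(ctx, 3) == 0);
    ok &= (apply_flag_update(ctx, 3, 1) == FLAG_OK);
    ok &= (ctx->hdrs[2] != NULL && ctx->hdrs[2]->flagged == 1);
    /* out-of-range numbers from the server are rejected before indexing */
    ok &= (apply_flag_update(ctx, 5000, 1) == FLAG_BAD_MSGNO);
    ok &= (apply_flag_update(ctx, 0, 1) == FLAG_BAD_MSGNO);
    ctx_close(ctx);
    return ok;
}

int main(void) {
    printf("scenario ok: %d\n", scenario_ok());
    printf("parsed msgno: %d\n", parse_fetch_msgno("* 3 FETCH (FLAGS (\\Flagged))"));
    printf("oversized msgno: %d\n", parse_fetch_msgno("* 99999999999999999999 FETCH (FLAGS ())"));
    return 0;
}
```

The two checks in apply_flag_update correspond to the two concerns in the comment: the range test stops an attacker-chosen number from indexing past the allocated array, and the NULL/active test turns an early flag update into a no-op instead of a crash. Whether skipping such an update is the right policy (as opposed to queueing it until the header arrives) is a separate design question.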