Re: [Mutt] #3041: imap fetch segfault

To: mutt@xxxxxxxxxxx, brendan@xxxxxxxxxx
Subject: Re: [Mutt] #3041: imap fetch segfault
From: Mutt <fleas@xxxxxxxx>
Date: Fri, 21 Mar 2008 02:18:53 -0000
Cc: mutt-dev@xxxxxxxx
In-reply-to: <038.a8e8cc207f795224b71fe34527a7388c@xxxxxxxx>
List-post: <mailto:mutt-dev@mutt.org>
List-unsubscribe: send mail to majordomo@mutt.org, body only "unsubscribe mutt-dev"
Mail-followup-to: fleas@xxxxxxxx
References: <038.a8e8cc207f795224b71fe34527a7388c@xxxxxxxx>
Reply-to: fleas@xxxxxxxx
Sender: owner-mutt-dev@xxxxxxxx

#3041: imap fetch segfault

Comment (by chrisl):

 OK, I have the full socket data logging so I can actually replay the imap
 traffic
 and generate the core dump reliably.

 I did more The bug is due to the fact that, in

 ctx->msgcount ++;

 It does not take into account that it can be bigger than ctx->hdrmax,
 due to the unexpected * 14124 fetch. So the msgcount go over hdrmax.
 Later in imap_cmd_step it blow up when it try to read beyond the
 allocated memory, thanks to the inflated msgcount.

 So there is two things need to fix. It need to make sure both idx and
 msgcount stay below hdrmax. Otherwise bad things happens.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3041#comment:3>

References:
- [Mutt] #3041: imap fetch segfault
  - From: Mutt

Prev by Date: [PATCH] Lacking strtok_r
Next by Date: Re: [Mutt] #3040: charset difference between index browser and
Previous by thread: Re: [Mutt] #3041: imap fetch segfault
Next by thread: Re: [Mutt] #3041: imap fetch segfault
Index(es):
- Date
- Thread