
[Mutt] #3226: segfault in imap_sync_mailbox

#3226: segfault in imap_sync_mailbox
------------------------------+---------------------------------------------
 Reporter:  antonio@xxxxxxxx  |       Owner:  brendan
     Type:  defect            |      Status:  new    
 Priority:  minor             |   Milestone:         
Component:  IMAP              |     Version:  1.5.18 
 Keywords:                    |  
------------------------------+---------------------------------------------
 Forwarding from http://bugs.debian.org/516364

 ---
 From what I've seen the bug should be reproducible on 1.5.19 as well but I
 don't have the related core.

 What we see is a segmentation fault and the core has the following
 backtrace:

 {{{
 #0  0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1,
 index_hint=0xbf9167a0) at ../../imap/imap.c:1124
 1124    ../../imap/imap.c: No such file or directory.
         in ../../imap/imap.c
 (gdb) bt
 #0  0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1,
 index_hint=0xbf9167a0) at ../../imap/imap.c:1124
 #1  0x0808e6c9 in mx_close_mailbox (ctx=0xa6ed1b8, index_hint=0xbf9167a0)
 at ../mx.c:1053
 #2  0x08065247 in mutt_index_menu () at ../curs_main.c:1143
 #3  0x08082118 in main (argc=1, argv=0xbf9171c4) at ../main.c:1005
 (gdb) print idata
 $1 = (IMAP_DATA *) 0x9f1f8a8
 (gdb) print expunge
 $2 = 1
 (gdb) print idata->ctx
 $3 = (CONTEXT *) 0x0
 (gdb)
 }}}

 see the code from imap.c:

 {{{
 1114   /* This function is only called when the calling code expects the context
 1115    * to be changed. */
 1116   imap_allow_reopen (ctx);
 1117
 1118   if ((rc = imap_check_mailbox (ctx, index_hint, 0)) != 0)
 1119     return rc;
 1120
 1121   memset (&cmd, 0, sizeof (cmd));
 1122
 1123   /* if we are expunging anyway, we can do deleted messages very quickly... */
 1124   if (expunge && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
 1125   {
 }}}

 Line 1124 causes the segfault because idata->ctx is null and cannot be
 dereferenced. The proposed patch will change that line to:

 {{{
 if (expunge && idata->ctx && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
 }}}

 I don't know why idata->ctx becomes null and it probably requires some
 more investigation; the corefile is available from the original Debian bug.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3226>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
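The guard from the proposed patch, worked through as an added C example that is not mutt's code: the CONTEXT/IMAP_DATA types, the mutt_bit_isset-style macros and the M_ACL_DELETE bit index are stand-ins, and the stderr line plus null_ctx_events counter are an addition so that a NULL idata->ctx stays visible while its root cause is still being investigated, rather than silently falling through to the slow path.

```c
/* Added example modelling the idata->ctx guard from ticket #3226.
 * Names mirror the report; all definitions below are stand-ins, not mutt's. */
#include <stdio.h>
#include <string.h>

/* Assumed: bit-vector helpers in the style of mutt's mutt_bit_isset macro. */
#define mutt_bit_isset(v, n) ((v)[(n) / 8] & (1 << ((n) % 8)))
#define mutt_bit_set(v, n)   ((v)[(n) / 8] |= (1 << ((n) % 8)))
#define M_ACL_DELETE 4          /* stand-in bit index, not mutt's real value */
#define RIGHTSMAX    16

typedef struct { unsigned char rights[(RIGHTSMAX + 7) / 8]; } CONTEXT;
typedef struct { CONTEXT *ctx; } IMAP_DATA;

enum { SLOW_PATH = 0, FAST_DELETE = 1 };

/* Counts how often the guard fired; lets a test or log review see the
 * broken invariant instead of only the symptom disappearing. */
int null_ctx_events = 0;

/* Unguarded form, as imap.c line 1124 before the patch: when expunge is set
 * it dereferences idata->ctx unconditionally, so a NULL ctx is a segfault.
 * (With expunge == 0 the && short-circuits and ctx is never touched.) */
int fast_delete_unguarded(IMAP_DATA *idata, int expunge)
{
  return (expunge && mutt_bit_isset(idata->ctx->rights, M_ACL_DELETE))
         ? FAST_DELETE : SLOW_PATH;
}

/* Guarded form matching the proposed patch: idata->ctx is tested before
 * ->rights is read. Returns SLOW_PATH for a NULL ctx, exactly as the patch
 * falls through, but records the event so it is not lost. */
int fast_delete_guarded(IMAP_DATA *idata, int expunge)
{
  if (expunge && !idata->ctx) {
    null_ctx_events++;
    fprintf(stderr, "imap_sync: idata->ctx is NULL during expunge\n");
  }
  return (expunge && idata->ctx &&
          mutt_bit_isset(idata->ctx->rights, M_ACL_DELETE))
         ? FAST_DELETE : SLOW_PATH;
}

/* Builds a constructed IMAP_DATA for one scenario and runs the guarded check. */
int run_scenario(int has_ctx, int grant_delete, int expunge)
{
  CONTEXT ctx;
  IMAP_DATA idata;
  memset(&ctx, 0, sizeof ctx);
  if (grant_delete)
    mutt_bit_set(ctx.rights, M_ACL_DELETE);
  idata.ctx = has_ctx ? &ctx : NULL;
  return fast_delete_guarded(&idata, expunge);
}
```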