Re: [Mutt] #3226: segfault in imap_sync_mailbox
#3226: segfault in imap_sync_mailbox
-------------------------------+--------------------------------------------
Reporter: antonio@xxxxxxxx | Owner: brendan
Type: defect | Status: accepted
Priority: minor | Milestone: 1.6
Component: IMAP | Version: 1.5.18
Resolution: | Keywords:
-------------------------------+--------------------------------------------
Old description:
> Forwarding from http://bugs.debian.org/516364
>
> ---
> From what I've seen the bug should be reproducible on 1.5.19 as well but
> I don't have the related core.
>
> What we see is a segmentation fault and the core has the following
> backtrace:
>
> {{{
> #0 0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1,
> index_hint=0xbf9167a0) at ../../imap/imap.c:1124
> 1124 ../../imap/imap.c: No such file or directory.
> in ../../imap/imap.c
> (gdb) bt
> #0 0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1,
> index_hint=0xbf9167a0) at ../../imap/imap.c:1124
> #1 0x0808e6c9 in mx_close_mailbox (ctx=0xa6ed1b8, index_hint=0xbf9167a0)
> at ../mx.c:1053
> #2 0x08065247 in mutt_index_menu () at ../curs_main.c:1143
> #3 0x08082118 in main (argc=1, argv=0xbf9171c4) at ../main.c:1005
> (gdb) print idata
> $1 = (IMAP_DATA *) 0x9f1f8a8
> (gdb) print expunge
> $2 = 1
> (gdb) print idata->ctx
> $3 = (CONTEXT *) 0x0
> (gdb)
>
> }}}
>
> See the code from imap.c:
>
> {{{
> 1114 /* This function is only called when the calling code expects the context
> 1115 * to be changed. */
> 1116 imap_allow_reopen (ctx);
> 1117
> 1118 if ((rc = imap_check_mailbox (ctx, index_hint, 0)) != 0)
> 1119 return rc;
> 1120
> 1121 memset (&cmd, 0, sizeof (cmd));
> 1122
> 1123 /* if we are expunging anyway, we can do deleted messages very quickly... */
> 1124 if (expunge && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
> 1125 {
> }}}
>
> Line 1124 causes the segfault because idata->ctx is null and cannot be
> dereferenced. The proposed patch will change that line to:
>
> {{{
> if (expunge && idata->ctx && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
> }}}
>
> I don't know why idata->ctx becomes null and it probably requires some
> more investigation; the corefile is available from the original Debian
> bug.
New description:
Forwarding from http://bugs.debian.org/516364
---
From what I've seen the bug should be reproducible on 1.5.19 as well but I
don't have the related core.
What we see is a segmentation fault and the core has the following
backtrace:
{{{
#0 0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1,
index_hint=0xbf9167a0) at ../../imap/imap.c:1124
1124 ../../imap/imap.c: No such file or directory.
in ../../imap/imap.c
(gdb) bt
#0 0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1,
index_hint=0xbf9167a0) at ../../imap/imap.c:1124
#1 0x0808e6c9 in mx_close_mailbox (ctx=0xa6ed1b8, index_hint=0xbf9167a0)
at ../mx.c:1053
#2 0x08065247 in mutt_index_menu () at ../curs_main.c:1143
#3 0x08082118 in main (argc=1, argv=0xbf9171c4) at ../main.c:1005
(gdb) print idata
$1 = (IMAP_DATA *) 0x9f1f8a8
(gdb) print expunge
$2 = 1
(gdb) print idata->ctx
$3 = (CONTEXT *) 0x0
(gdb)
}}}
See the code from imap.c:
{{{
1114 /* This function is only called when the calling code expects the context
1115 * to be changed. */
1116 imap_allow_reopen (ctx);
1117
1118 if ((rc = imap_check_mailbox (ctx, index_hint, 0)) != 0)
1119 return rc;
1120
1121 memset (&cmd, 0, sizeof (cmd));
1122
1123 /* if we are expunging anyway, we can do deleted messages very quickly... */
1124 if (expunge && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
1125 {
}}}
Line 1124 causes the segfault because idata->ctx is null and cannot be
dereferenced. The proposed patch will change that line to:
{{{
if (expunge && idata->ctx && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
}}}
I don't know why idata->ctx becomes null and it probably requires some
more investigation; the corefile is available from the original Debian bug.
--
Comment(by brendan):
Mysterious. The only thing that sets idata->ctx to NULL is
imap_close_mailbox, which is only called by mx_fastclose_mailbox, which
always nulls out context itself after it finishes. ctx->data only gets a
valid idata in imap_open_mailbox and imap_open_mailbox_append, and in
imap_open_mailbox idata->ctx is immediately set to point back to ctx.
Something must be happening with imap_open_mailbox_append, but I can't see
what. I'll push a voodoo patch (not this one) anyway.
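Added illustration, not mutt's code and not the patch brendan mentions: a reduced C model of the line-1124 fast path beside the guard the reporter proposed, with open/close wiring and clearing the idata->ctx back-pointer the way the comment above describes. The struct layouts, the M_ACL_DELETE bit index, the bit-array macros and the return codes are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed bit index and bit-array helpers in the style of mutt's macros. */
#define M_ACL_DELETE 3
#define mutt_bit_isset(v, n) ((v)[(n) / 8] & (1 << ((n) % 8)))
#define mutt_bit_set(v, n)   ((v)[(n) / 8] |= (1 << ((n) % 8)))

typedef struct context CONTEXT;
typedef struct { CONTEXT *ctx; } IMAP_DATA;      /* reduced IMAP_DATA */
struct context { unsigned char rights[2]; };     /* reduced CONTEXT   */

enum { SYNC_FAST_EXPUNGE = 1, SYNC_SLOW_PATH = 2 };

/* The lifecycle brendan describes: open wires the back-pointer, close nulls it. */
static void model_open(CONTEXT *ctx, IMAP_DATA *idata)
{
  memset(ctx->rights, 0, sizeof ctx->rights);
  idata->ctx = ctx;
}
static void model_close(IMAP_DATA *idata) { idata->ctx = NULL; }

/* Original line 1124: idata->ctx is followed unconditionally, so a NULL
 * back-pointer reads rights[] through address 0 and the process segfaults. */
static int sync_unguarded(IMAP_DATA *idata, int expunge)
{
  if (expunge && mutt_bit_isset(idata->ctx->rights, M_ACL_DELETE))
    return SYNC_FAST_EXPUNGE;
  return SYNC_SLOW_PATH;
}

/* The ticket's proposed guard: test the pointer before dereferencing it, so a
 * closed or half-initialised mailbox falls back to the slow path instead. */
static int sync_guarded(IMAP_DATA *idata, int expunge)
{
  if (expunge && idata->ctx && mutt_bit_isset(idata->ctx->rights, M_ACL_DELETE))
    return SYNC_FAST_EXPUNGE;
  return SYNC_SLOW_PATH;
}

/* Drive one lifecycle and return the sync result. guarded=0 together with
 * close_before_sync=1 is exactly the crash in the backtrace; do not run it. */
static int scenario(int close_before_sync, int grant_delete, int guarded)
{
  CONTEXT ctx; IMAP_DATA idata;
  model_open(&ctx, &idata);
  if (grant_delete) mutt_bit_set(ctx.rights, M_ACL_DELETE);
  if (close_before_sync) model_close(&idata);
  return guarded ? sync_guarded(&idata, 1) : sync_unguarded(&idata, 1);
}
```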
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3226#comment:>
Mutt <http://www.mutt.org/>
The Mutt mail user agent