
Re: [Mutt] #3226: segfault in imap_sync_mailbox



#3226: segfault in imap_sync_mailbox
-------------------------------+--------------------------------------------
  Reporter:  antonio@xxxxxxxx  |       Owner:  brendan 
      Type:  defect            |      Status:  accepted
  Priority:  minor             |   Milestone:  1.6     
 Component:  IMAP              |     Version:  1.5.18  
Resolution:                    |    Keywords:          
-------------------------------+--------------------------------------------

New description:

 Forwarding from http://bugs.debian.org/516364

 ---
 From what I've seen the bug should be reproducible on 1.5.19 as well but I
 don't have the related core.

 What we see is a segmentation fault and the core has the following
 backtrace:

 {{{
 #0  0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1, index_hint=0xbf9167a0) at ../../imap/imap.c:1124
 1124    ../../imap/imap.c: No such file or directory.
         in ../../imap/imap.c
 (gdb) bt
 #0  0x080dbb04 in imap_sync_mailbox (ctx=0xa6ed1b8, expunge=1, index_hint=0xbf9167a0) at ../../imap/imap.c:1124
 #1  0x0808e6c9 in mx_close_mailbox (ctx=0xa6ed1b8, index_hint=0xbf9167a0) at ../mx.c:1053
 #2  0x08065247 in mutt_index_menu () at ../curs_main.c:1143
 #3  0x08082118 in main (argc=1, argv=0xbf9171c4) at ../main.c:1005
 (gdb) print idata
 $1 = (IMAP_DATA *) 0x9f1f8a8
 (gdb) print expunge
 $2 = 1
 (gdb) print idata->ctx
 $3 = (CONTEXT *) 0x0
 (gdb)
 }}}

 see the code from imap.c:

 {{{
 1114   /* This function is only called when the calling code expects the context
 1115    * to be changed. */
 1116   imap_allow_reopen (ctx);
 1117
 1118   if ((rc = imap_check_mailbox (ctx, index_hint, 0)) != 0)
 1119     return rc;
 1120
 1121   memset (&cmd, 0, sizeof (cmd));
 1122
 1123   /* if we are expunging anyway, we can do deleted messages very quickly... */
 1124   if (expunge && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
 1125   {
 }}}

 Line 1124 causes the segfault because idata->ctx is null and cannot be
 dereferenced. The proposed patch will change that line to:

 {{{
 if (expunge && idata->ctx && mutt_bit_isset (idata->ctx->rights, M_ACL_DELETE))
 }}}

 I don't know why idata->ctx becomes null and it probably requires some
 more investigation; the corefile is available from the original Debian bug.

--
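Added example, not code from Mutt, the reporter or the ticket: a small C model of the CONTEXT / IMAP_DATA back-pointer pair that the description above is about. It reproduces the state the core shows (ctx->data still points at a valid IMAP_DATA while idata->ctx is NULL), shows why the unguarded line-1124 condition reads through a NULL pointer, and shows the reporter's proposed guard skipping the fast path instead of crashing. The model_* names, the bit helper macros, the M_ACL_DELETE bit index and the RIGHTSMAX width are assumptions made for this example and are not Mutt's definitions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit helpers in the style of mutt's mutt_bit_isset/mutt_bit_set.
 * Written for this example (assumption); mutt's real macros live in lib.h. */
#define bit_isset(v, n) ((((v)[(n) / 8]) & (1 << ((n) % 8))) != 0)
#define bit_set(v, n)   (((v)[(n) / 8]) |= (1 << ((n) % 8)))

#define M_ACL_DELETE 3      /* assumed bit index; mutt defines the real one itself */
#define RIGHTSMAX    16     /* assumed width of the rights bitmap */

typedef struct context CONTEXT;

/* Per-connection IMAP state. The only field that matters for the crash is the
 * back-pointer to the CONTEXT that owns it. */
typedef struct {
    CONTEXT *ctx;
} IMAP_DATA;

/* Mailbox context: ctx->data holds the IMAP_DATA, and rights is the ACL bitmap
 * that the real line 1124 reaches through idata->ctx->rights. */
struct context {
    void *data;
    unsigned char rights[(RIGHTSMAX + 7) / 8];
};

/* Hypothetical open: allocate idata and wire both directions, as the ticket
 * says imap_open_mailbox does. Returns 0 on success, -1 on allocation failure. */
int model_open_mailbox(CONTEXT *ctx)
{
    IMAP_DATA *idata = calloc(1, sizeof *idata);
    if (!idata)
        return -1;
    idata->ctx = ctx;
    ctx->data = idata;
    bit_set(ctx->rights, M_ACL_DELETE);   /* pretend the server granted DELETE */
    return 0;
}

/* Hypothetical close: clears the back-pointer but leaves ctx->data alive.
 * This is exactly the state in the reporter's core: idata is a valid pointer,
 * idata->ctx is NULL. */
void model_close_mailbox(CONTEXT *ctx)
{
    IMAP_DATA *idata = ctx->data;
    idata->ctx = NULL;
}

/* Unguarded sync, shaped like the original line-1124 test: when idata->ctx is
 * NULL the inner dereference is a NULL-pointer read and the process crashes.
 * Returns 1 when the fast expunge path would be taken, else 0. */
int model_sync_unguarded(CONTEXT *ctx, int expunge)
{
    IMAP_DATA *idata = ctx->data;
    if (expunge && bit_isset(idata->ctx->rights, M_ACL_DELETE))
        return 1;
    return 0;
}

/* Guarded sync using the reporter's proposed condition: the back-pointer is
 * tested before it is dereferenced, so the fast path is skipped instead of
 * crashing. Why idata->ctx is NULL in the first place is not addressed here. */
int model_sync_guarded(CONTEXT *ctx, int expunge)
{
    IMAP_DATA *idata = ctx->data;
    if (expunge && idata->ctx && bit_isset(idata->ctx->rights, M_ACL_DELETE))
        return 1;
    return 0;
}

/* Runs open -> sync -> close -> sync with the guarded variant and returns the
 * second sync's result (0: fast path skipped, no crash). Negative on setup error. */
int model_scenario(void)
{
    CONTEXT ctx;
    int rc;
    memset(&ctx, 0, sizeof ctx);
    if (model_open_mailbox(&ctx) != 0)
        return -1;
    if (model_sync_guarded(&ctx, 1) != 1)
        return -2;                       /* open mailbox with DELETE: fast path taken */
    model_close_mailbox(&ctx);
    rc = model_sync_guarded(&ctx, 1);    /* model_sync_unguarded would segfault here */
    free(ctx.data);
    return rc;
}

int main(void)
{
    printf("guarded sync after close returned %d\n", model_scenario());
    return 0;
}
```

The guard only changes which branch runs when the back-pointer is already gone; a sync that reaches this point with idata->ctx == NULL still means the open/close bookkeeping was violated somewhere earlier, which is the part the description leaves open.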

Comment(by brendan):

 Mysterious. The only thing that sets idata->ctx to NULL is
 imap_close_mailbox, which is only called by mx_fastclose_mailbox, which
 always nulls out context itself after it finishes. ctx->data only gets a
 valid idata in imap_open_mailbox and imap_open_mailbox_append, and in
 imap_open_mailbox idata->ctx is immediately set to point back to ctx.
 Something must be happening with imap_open_mailbox_append, but I can't see
 what. I'll push a voodoo patch (not this one) anyway.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3226#comment:>
Mutt <http://www.mutt.org/>
The Mutt mail user agent