[Mutt] #3371: Crashes viewing email with long lines of ANSI escape sequences



#3371: Crashes viewing email with long lines of ANSI escape sequences
------------------------------+---------------------------------------------
 Reporter:  antonio@…         |       Owner:  mutt-dev
     Type:  defect            |      Status:  new     
 Priority:  trivial           |   Milestone:          
Component:  mutt              |     Version:  1.5.20  
 Keywords:  patch             |  
------------------------------+---------------------------------------------
 Forwarding from http://bugs.debian.org/553321
 ----
 Viewing the attached crash.mbox causes mutt to segfault. The segfault is
 not reproducible everywhere; it depends on the size of the terminal.

 To reproduce:
 {{{
 xterm -geom 99x34
 mutt -F /dev/null -f crash.mbox
 }}}

 (view the message; it will cause the segfault)

 The crash itself is caused by free(), when glibc checks the consistency of
 prev_size in the heap. In this case the prev_size of a segment (*buf) was
 overwritten by a buffer overrun in *q. The buffer overrun is caused by
 fill_buffer(), because the function overwrites *(q-1) without checking
 whether that location is out of bounds.

 The attached patch fixes the problem.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3371>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
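
The unchecked *(q-1) write described in the ticket above, shown as an added example in C. It is a simplified model, not Mutt's fill_buffer() and not the attached patch. The function names, the overstrike and escape-skipping rules, the guard byte and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define GUARD 0x5A /* canary byte placed just before the output buffer */

/* Simplified model (assumption, not Mutt's code): copy src to dst, dropping
 * ANSI "ESC [ ... m" sequences and treating "\b c" as an overstrike that
 * replaces the previously emitted byte through *(q-1). dst needs
 * strlen(src)+1 bytes. checked == 0 omits the q > dst test. */
static void strip_controls(const char *src, char *dst, int checked)
{
    const char *p = src;
    char *q = dst;
    while (*p) {
        if (*p == '\b' && p > src && p[1]) {
            if (!checked || q > dst) /* checked: need a byte to overwrite */
                *(q - 1) = p[1];
            p += 2;
        } else if (p[0] == '\033' && p[1] == '[') {
            p += 2;
            while (*p && *p != 'm') /* skip the sequence, emit nothing */
                p++;
            if (*p)
                p++;
        } else {
            *q++ = *p++;
        }
    }
    *q = '\0';
}

/* Copy into a buffer preceded by one guard byte, so a write to *(q-1) at
 * q == dst stays inside our own storage. Returns 1 if the guard changed. */
static int guard_clobbered(const char *src, int checked)
{
    char storage[64];
    if (strlen(src) + 2 > sizeof storage)
        return -1; /* sample too long for this demo */
    storage[0] = GUARD;
    strip_controls(src, storage + 1, checked);
    return storage[0] != GUARD;
}

int main(void)
{
    const char *sample = "\033[1m\bX"; /* constructed input */
    printf("unchecked: %d, checked: %d\n",
           guard_clobbered(sample, 0), guard_clobbered(sample, 1));
}
```

In this model the escape sequence produces no output, so q is still at the start of the buffer when the overstrike is processed. That is why the byte in front of the buffer is the one that changes.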