[Mutt] #3371: Crashes viewing email with long lines of ANSI escape sequences
------------------------------+---------------------------------------------
 Reporter:  antonio@…         |       Owner:  mutt-dev
     Type:  defect            |      Status:  new
 Priority:  trivial           |   Milestone:
Component:  mutt              |     Version:  1.5.20
 Keywords:  patch             |
------------------------------+---------------------------------------------
Forwarding from http://bugs.debian.org/553321
----
Viewing the attached crash.mbox causes mutt to segfault. The segfault is
not reproducible everywhere; it depends on the size of the terminal.
To reproduce:
{{{
xterm -geom 99x34
mutt -F /dev/null -f crash.mbox
}}}
(View the message; it will cause the segfault.)
The crash itself is caused by free(), when glibc checks the consistency of
prev_size in the heap. In this case the prev_size of a segment (*buf) was
overwritten by a buffer overrun in *q; the buffer overrun is caused by
fill_buffer() because the function overwrites *(q-1) without checking
whether that location is out of bounds.
The attached patch fixes the problem.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3371>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
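
The unchecked `*(q-1)` write described in the ticket, as an added example that is not mutt's code or the attached patch: a simplified model of a copy loop whose write to the previous output byte is guarded only by the input position. The escape-skipping and overstrike handling, the names `copy_plain` and `guard_clobbered`, and the sample line are assumptions made for illustration.

```c
/* Added illustration: simplified model, not mutt's fill_buffer(). */
#include <stdio.h>
#include <string.h>

#define GUARD 0x5a

/* Copy src to out, dropping ESC[...m sequences and applying "X\bY"
 * overstrike (Y replaces X). With check_dst == 0 the only guard is
 * p > src, so a backspace that follows a skipped escape sequence
 * writes to out[-1]. With check_dst != 0 the write needs q > out. */
static void copy_plain(const char *src, char *out, int check_dst)
{
    const char *p = src;
    char *q = out;

    while (*p) {
        if (*p == '\b' && p > src && p[1] != '\0') {
            if (!check_dst || q > out)   /* hardened form: q > out */
                *(q - 1) = p[1];
            p += 2;
        } else if (p[0] == '\033' && p[1] == '[') {
            p += 2;
            while (*p && *p != 'm')      /* skip to the closing 'm' */
                p++;
            if (*p)
                p++;
        } else {
            *q++ = *p++;
        }
    }
    *q = '\0';
}

/* Place one guard byte directly before the output buffer (same array,
 * so the stray write is observable without undefined behaviour).
 * Returns 1 if the guard was overwritten, 0 if intact, -1 if too long. */
int guard_clobbered(const char *src, int check_dst)
{
    char arena[1 + 64];
    if (strlen(src) >= 64)
        return -1;
    memset(arena, 0, sizeof arena);
    arena[0] = GUARD;
    copy_plain(src, arena + 1, check_dst);
    return arena[0] != GUARD;
}

int main(void)
{
    const char *line = "\033[1m\bAtext";   /* constructed sample input */
    printf("unchecked: guard clobbered = %d\n", guard_clobbered(line, 0));
    printf("checked:   guard clobbered = %d\n", guard_clobbered(line, 1));
    return 0;
}
```

On the heap, the byte in front of the output buffer belongs to the allocator's chunk header, which is why the corruption surfaces later in free() rather than at the write itself.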