GNOME Bugzilla – Bug 348742
Crashed displaying attached email
Last modified: 2017-07-30 16:01:49 UTC
Steps to reproduce:
Note that image loading is inhibited.
1. Click on right side of header
2. Press page down repeatedly until message stays at bottom. (It jumps back to the top once.)
3. Press page up repeatedly until message hits top and stays. (It jumps back to the bottom once.) Crash.
Message moves in several steps to bottom, back to top in one step, down to bottom again in several steps. Then page up moves to top in several steps, back to bottom in one step, back up to top in several steps, crashing at top.
Stack trace: see attachment
Other information: see attachment
Created attachment 69640 [details]
annotated stack trace from gdb
This shows the proximate cause of the crash, offset < slave->posStart in htmltext.c html_text_get_cursor_base
Created attachment 69641 [details]
The additional comments box that was too long to submit with the bug.
Includes the email which demonstrates the problem.
what kind of email is that? HTML, plain text? does it include animated GIF images? can you remove any confidential data and attach it here? for future reference, please file mailer bugs under component mailer. thanks. :-)
Created attachment 69672 [details]
Another copy of the email that causes crash
This file contains nothing but the email. Importing it as an mbox into evolution recreates the problem on FC4 evolution-2.2.3-4.fc4.
Imported mail attached here into inbox in Evolution 2.6.2. Evolution did not crash. Archimedes: Could you verify in latest stable evolution release 2.6.3 ?
Archimedes: Still an issue with Evolution 2.8?
This is a bug in gtkhtml-3.6.2/src/htmltext.c and should be moved to that project. Sorry, I don't know how to do that. Sorry I missed the previous email -- I have too many mailing lists coming into inbox.
---------
The bottom line: unless changes have been made in the functions mentioned in the annotated stack trace at http://bugzilla.gnome.org/attachment.cgi?id=69640 , I really believe that this bug should stay open. The fix suggested in the second attachment http://bugzilla.gnome.org/attachment.cgi?id=69641 should be applied.
Hmm, I see the source file is /usr/src/debug/gtkhtml-3.6.2/src/htmltext.c so maybe this bug should be moved to gtkhtml.
The test case no longer works because of changes on the web, but I think there is enough information in the stack trace (which includes manually displayed memory areas as well) to find the bug. The problem was probably some coding error in the files read off the web, but evolution should be bullet-proof enough not to crash as a result.
-------------
Note that I tested the email in the attachment and it did crash even though I removed the identifying information to avoid blowing archimerged's cover.
Unfortunately, this email no longer causes FC4 evolution-2.2.3-4.fc4 to crash. Looking at the email source, I see that it calls in some images from the web. http://imglinks.industrybrains.com/imgct?sid=42&ct=ZIFF_DAVIS_HTML_NEWSLETTER_TECH_DM&layt=1 displays in the web browser but shows up as a red X in a box in evolution-2.2.3-4.fc4. I think in that case the failure is a bug in the email source -- the ampersands are coded as "&" inside the img src="".
More likely the problem might be the image with img src= this link, which also shows up as a red X: http://imageads.googleadservices.com/pagead/ads?output=png&format=400x420_abgnc_img&client=ca-ziffdavis_newsletters_400x420&channel=eweek-1&hl=en&backfill=1&cuid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx In this case, the img src="" is coded correctly with ampersands coded as "&".
This image also displays ok in Firefox 1.5.x. The failure to crash might also be caused by some other change in something loaded from the web. I should have saved copies of all such files, but I didn't realize the email wasn't self-contained.
Created attachment 88835 [details] [review]
Patch to avoid this crash
This is a denial of service attack. Send the victim this email, and if he opens it, evolution crashes forevermore until he deletes his inbox or edits it to remove the message. The patch is clearly harmless if html_text_get_cursor_base is called with valid arguments. (I think it did depend on some website as well which might not still be there, but it doesn't matter if you can't reproduce this: adding some bulletproofing doesn't hurt.)
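The proximate cause named in the stack-trace comment above (offset < slave->posStart in html_text_get_cursor_base) and the "bulletproofing" the patch comment argues for, shown as an added example. This is a constructed, simplified C model written for this page; it is not gtkhtml's htmltext.c and not the patch in attachment 88835, whose contents are not reproduced here. The TextSlave struct, the function names and the sample text are assumptions; only the field names offset and posStart come from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed, simplified model of a text "slave": a run of the parent text
 * buffer that starts at character index posStart and covers posLen characters.
 * Assumption for illustration only, not gtkhtml's real HTMLTextSlave. */
typedef struct {
    const char *text;      /* parent text buffer */
    size_t      text_len;  /* length of that buffer */
    size_t      posStart;  /* first character index covered by this slave */
    size_t      posLen;    /* number of characters covered */
} TextSlave;

/* Unchecked variant: trusts the caller to pass posStart <= offset < posStart + posLen.
 * When offset < posStart the unsigned subtraction wraps to a huge value, and any
 * later indexing with it reads far outside the buffer: the failure pattern the
 * annotated stack trace describes (offset < slave->posStart). */
size_t cursor_base_unchecked(const TextSlave *s, size_t offset)
{
    return offset - s->posStart;    /* wraps when offset < posStart */
}

/* Hardened variant: verify the invariant before relying on it and report failure
 * instead of producing an out-of-range index. Returns 1 and sets *base on
 * success, 0 when the offset lies outside the slave's run. */
int cursor_base_checked(const TextSlave *s, size_t offset, size_t *base)
{
    if (offset < s->posStart || offset - s->posStart >= s->posLen)
        return 0;
    *base = offset - s->posStart;
    return 1;
}

/* Character at `offset`, or -1 when the offset is outside the slave or when the
 * slave itself (posStart/posLen) runs past the buffer: a malformed slave built
 * from bad input must degrade gracefully rather than crash the viewer. */
int slave_char_at(const TextSlave *s, size_t offset)
{
    size_t base;
    if (!cursor_base_checked(s, offset, &base))
        return -1;
    /* Written to avoid overflow in posStart + base. */
    if (s->posStart >= s->text_len || base >= s->text_len - s->posStart)
        return -1;
    return (unsigned char)s->text[s->posStart + base];
}

/* Constructed sample: the slave covers "world" in "Hello, world". */
TextSlave make_sample_slave(void)
{
    static const char sample[] = "Hello, world";
    TextSlave s = { sample, sizeof sample - 1, 7, 5 };
    return s;
}

int main(void)
{
    TextSlave s = make_sample_slave();
    size_t base = 0;

    /* Offset 6 is one character before the slave: the unchecked version wraps. */
    printf("unchecked base for offset 6: %zu\n", cursor_base_unchecked(&s, 6));
    /* The checked version refuses the same input instead of indexing with it. */
    printf("checked accepts offset 6: %d\n", cursor_base_checked(&s, 6, &base));
    printf("char at offset 11: %c\n", slave_char_at(&s, 11));
    return 0;
}
```

The point of the checked variant is the one the patch comment makes: when the invariant holds, the hardened function returns exactly what the unchecked one does, so the extra test costs nothing for valid callers and only changes behaviour on the inputs that would otherwise crash.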
Archimerged, 3.6 version of gtkhtml is not supported any more and you may not get any release for that. If you are using fedora, you may ask fedora maintainers to make a package for 3.6 with the patch. The current supported stable version is 3.14 and the development series is 3.15.x. I'm not able to reproduce the crash in head version at all.
This ticket has not seen any updates or duplicates since 2010. Is this still a problem in a recently released version? If not, this ticket might get closed as obsolete. (Furthermore, GtkHtml is slowly getting superseded by WebKit in Evolution.)
GtkHtml is not under active development anymore. Evolution (its main consumer) switched to a WebKit backend a while ago. It is currently unlikely that there will be any further GtkHtml development. Closing this report as WONTFIX as part of Bugzilla Housekeeping (bug 778387) to reflect reality. Please feel free to reopen this bug report in the future if anyone takes the responsibility for active development again.