GNOME Bugzilla – Bug 125051
Pan segfaults when reading a certain message
Last modified: 2004-12-22 21:47:04 UTC
Hi, a Debian user reported the following to the Debian BTS: Pan segfaults when reading the message located here: http://article.gmane.org/gmane.linux.debian.devel.project/2317 The segfault also occurs when running pan from a newly created account. I'm attaching a bzipped archive with backtrace, strace and the output from pan --debug. Details are at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=216674
Confirmed. The full backtrace is:
+ Trace 41048
Created attachment 20828 [details] message causing the segfault
fejj: CC'ing you so you can glance over the message. Anything unusual about it? Anything that could mess up GMime's parser?
msg looks ok, or at least nothing obviously wrong with it is staring me in the face. might try syncing up with gmime's stream code from head tho, and maybe some other stuff?

2003-08-06  Jeffrey Stedfast  <fejj@ximian.com>

	* gmime/gmime-multipart.c (g_mime_multipart_foreach): Simplified.

	* gmime/gmime-stream-cat.c (stream_read): Same here.
	(stream_write): And finally here.

	* gmime/gmime-stream-file.c (stream_read): Same.
	(stream_write): And again...

	* gmime/gmime-stream-fs.c (stream_read): Here too.
	(stream_write): And here.

	* gmime/gmime-stream-mmap.c (stream_read): Same as the mem stream.
	(stream_write): Same.

	* gmime/gmime-stream-mem.c (stream_read): Need to fix the MIN
	expression so that both args are signed, otherwise 'len' will be
	the min if the 'bytes-left' calculation is negative.
	(stream_write): Same.

the above commit may have something to do with the crash, but I'm not sure. if you can get a bt with debugging symbols, perhaps that'll help. would be especially useful to know what args are being passed to memcpy - might be that the src or dest buffers are NULL? or out of bounds?
*** Bug 126613 has been marked as a duplicate of this bug. ***
*** Bug 128877 has been marked as a duplicate of this bug. ***
*** Bug 131587 has been marked as a duplicate of this bug. ***
This is a follow-on to bug 131587 that I reported and is a duplicate of this bug. Jeffrey's 2003-10-21 comment about syncing up with the latest gmime code provides a fix. The gmime fix WRT MIN is the problem (at least the problem with bug 131587). I had seen a negative number too in the bytes-left calculation, but didn't have time to fully debug it. But, grabbing the latest gmime/gmime-stream-mem.c (stream_read) function from the gmime project (included below) stops the crash. I had first looked at updating the whole gmime code, but it didn't link with pan (missing functions). BUT, for a fix for this problem, just replacing pan's current gmime stream_read function with the latest will compile, link, and run without the sigsegv. Recommend that if you cannot upgrade to latest gmime, that you at least update this function.

Randy

gmime/gmime-stream-mem.c:

    static ssize_t
    stream_read (GMimeStream *stream, char *buf, size_t len)
    {
        GMimeStreamMem *mem = (GMimeStreamMem *) stream;
        off_t bound_end;
        ssize_t n;

        g_return_val_if_fail (mem->buffer != NULL, -1);

        bound_end = stream->bound_end != -1 ? stream->bound_end : mem->buffer->len;

        /* cast len to off_t so both MIN arguments are signed */
        n = MIN (bound_end - stream->position, (off_t) len);

        if (n > 0) {
            memcpy (buf, mem->buffer->data + stream->position, n);
            stream->position += n;
        } else if (n < 0) {
            /* set errno?? */
            n = -1;
        }

        return n;
    }
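The signed/unsigned MIN problem that Jeffrey's ChangeLog entry describes and that Randy's stream_read fix addresses, shown side by side as an added example. This is not code from Pan or GMime: MemStream is a constructed stand-in for the GMimeStream / GMimeStreamMem fields that stream_read touches, ssize_t stands in for GMime's off_t (both signed), and the message bytes are a constructed sample, not the attached message. buggy_copy_len evaluates the pre-fix expression and returns the byte count it would hand to memcpy; fixed_stream_read is the post-fix logic on the same struct.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Same shape as glib's MIN: a plain ternary, so the comparison is done in
 * whatever type the usual arithmetic conversions pick for its operands. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Constructed stand-in for the GMimeStream / GMimeStreamMem fields that
 * stream_read touches (not the real GMime structs). ssize_t plays the role
 * of GMime's off_t: a signed type of the same width as size_t. */
typedef struct {
    const unsigned char *data;  /* backing buffer (mem->buffer->data) */
    size_t len;                 /* bytes in it (mem->buffer->len) */
    ssize_t position;           /* stream->position */
    ssize_t bound_end;          /* stream->bound_end, -1 = unbounded */
} MemStream;

/* The byte count the pre-fix expression MIN (bound_end - position, len)
 * hands to memcpy. One operand is signed, the other is size_t, so both are
 * converted to size_t before the '<': a negative bytes-left becomes a huge
 * unsigned value, the comparison goes the wrong way, and MIN yields 'len'.
 * Returned as size_t because that is the type MIN evaluates in. */
size_t buggy_copy_len(const MemStream *s, size_t len)
{
    ssize_t bound_end = s->bound_end != -1 ? s->bound_end : (ssize_t) s->len;
    return MIN(bound_end - s->position, len);
}

/* The post-fix stream_read from Randy's comment, on the stand-in struct.
 * Casting len to the signed type keeps the whole comparison signed, so a
 * negative bytes-left survives as n < 0 and turns into the -1 error
 * return instead of a memcpy length. */
ssize_t fixed_stream_read(MemStream *s, char *buf, size_t len)
{
    ssize_t bound_end = s->bound_end != -1 ? s->bound_end : (ssize_t) s->len;
    ssize_t n = MIN(bound_end - s->position, (ssize_t) len);

    if (n > 0) {
        memcpy(buf, s->data + s->position, (size_t) n);
        s->position += n;
    } else if (n < 0) {
        n = -1;
    }
    return n;
}

/* Shape of the crash: a stream whose position has ended up past its end
 * bound. Returns 1 when the pre-fix expression would request the caller's
 * full 'len' (more than the backing buffer holds) while the fixed version
 * reports an error instead. */
int demo_overread_request(void)
{
    /* constructed sample, not the attached message */
    static const unsigned char body[] = "Subject: constructed sample\r\n\r\nbody\r\n";
    MemStream s = { body, sizeof body - 1, 40, 20 };   /* position 40 > bound 20 */
    char out[64];
    size_t asked = buggy_copy_len(&s, sizeof out);        /* 64: the whole 'len' */
    ssize_t got = fixed_stream_read(&s, out, sizeof out); /* -1 */

    return asked > s.len && asked == sizeof out && got == -1;
}

int main(void)
{
    printf("pre-fix MIN asks memcpy for more than the buffer holds: %s\n",
           demo_overread_request() ? "yes" : "no");
    return 0;
}
```

The stand-in deliberately keeps off_t-sized signed fields and a size_t len so the conversion happens exactly as in the original expression; on a 32-bit build with a 64-bit off_t the comparison would be done in a signed 64-bit type and the bug would not show, which is one reason it was platform-dependent.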
Randy: many thanks for your investigation! Just in case we don't update GMime in 0.14.3, I've committed your fix to CVS:

http://cvs.gnome.org/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=pan/gmime&command=DIFF_FRAMESET&file=gmime-stream-mem.c&rev1=1.6&rev2=1.7&root=/cvs/gnome
http://cvs.gnome.org/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=pan&command=DIFF_FRAMESET&file=ChangeLog&rev1=1.2021&rev2=1.2022&root=/cvs/gnome
http://cvs.gnome.org/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=pan&command=DIFF_FRAMESET&file=ANNOUNCE.html&rev1=1.234&rev2=1.235&root=/cvs/gnome
*** Bug 131846 has been marked as a duplicate of this bug. ***
*** Bug 131878 has been marked as a duplicate of this bug. ***
*** Bug 131886 has been marked as a duplicate of this bug. ***
*** Bug 131195 has been marked as a duplicate of this bug. ***
*** Bug 132365 has been marked as a duplicate of this bug. ***
*** Bug 132919 has been marked as a duplicate of this bug. ***
*** Bug 132928 has been marked as a duplicate of this bug. ***
*** Bug 134693 has been marked as a duplicate of this bug. ***
*** Bug 135035 has been marked as a duplicate of this bug. ***
*** Bug 135210 has been marked as a duplicate of this bug. ***
*** Bug 143252 has been marked as a duplicate of this bug. ***