GNOME Bugzilla – Bug 695319
crash when parsing address line with embedded date
Last modified: 2013-03-15 19:20:28 UTC
A spam message I recently received has a date in the cc: line. Geary processes this header with Gmime. Gmime treats the cc: as a group mailbox, but when some object is destroyed (the Internet address object itself?) Gmime crashes.

Here's the cc: line from the header:

Cc: <stormeinternational@gmail.com>; Sat, 2 Mar 2013 10:45:25 +0800

Here's the stack trace inside Geary:
Trace 231602
I realize that's not terribly useful. One interesting thing is that Gmime parsed the date several times, apparently not advancing an internal counter appropriately:

2 Mar 2013 10: 45: 25, +0800;;
45: 25, +0800;
25 +0800

Each of these was on the list generated by internet_address_group_get_members.
Created attachment 238238: Spam email that caused the crash
A better stack trace (symbols installed):
Trace 231603
What's going on is that the parser parses the first email address, then, when it finds ';' (it expects a ','), it does the best it can do to recover by skipping tokens until it gets to a ',' (which is why it drops "Sat"). Then, it assumes that "2 Mar 2013 10" is the name of an rfc822 group address (because of the ':' after that). At this point it parses the child addresses of this "group" and assumes that "45" is the name of a child group (based on the next ':' char). It then parses "25" as an address and "+0800" as another (it knows they are invalid but there's nothing it can do about that). When you to_string() an address group, it includes the child addresses, so it's no surprise that each of those lines duplicates some of the string from the lines above :-)

Anyway... the stack trace suggests that the address parser isn't the problem, but rather something is (possibly?) double freeing one of the address group objects. What is geary_rf_c822_message_convert_gmime_address_list() and the code above it in the stack doing?
I just downloaded geary 0.2.2 source code from the website and took a look. I don't know much about Vala, so can't be certain, but I suspect that the Vala GMime binding is unreffing the InternetAddressList returned by group.get_members() when it shouldn't be (internet_address_group_get_members() does not ref the list that it returns).
The code was doing a recursive scan, although groups-within-groups aren't allowed according to RFC822. We coded around the problem by simply dropping the recursion: http://redmine.yorba.org/issues/6486

I checked out the Vala bindings for InternetAddressGroup.get_members() and sure enough, it's our fault:

public InternetAddressList get_members();

That should be an unowned return value. I'll make that change.

Incidentally ... would the GMime project be interested in taking over the VAPI files we've generated? Or, are there plans to offer GObject Introspection files for GMime? (Either would work for Vala.) We're maintaining these now for Geary but it makes more sense for them to be maintained by the library itself.
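The ownership mismatch the two comments above diagnose (a getter that hands back a borrowed list, and a Vala binding that declared the return value owned and therefore unreffed it) can be reproduced without GMime or Vala. The following is an added illustration, not code from GMime, Geary or this bug: a constructed, self-contained C model of GObject-style reference counting in which `address_group_get_members()` returns a borrowed pointer exactly as the comment describes `internet_address_group_get_members()` doing, and `convert_list()` walks the nested groups the way the thread describes the recursive scan. The parsed structure is built by hand from the thread's own description of the malformed Cc: line (with a placeholder mailbox); all type and function names are hypothetical. Instead of freeing memory and corrupting the heap on the second unref, the model only marks objects destroyed and counts the extra unrefs, so the bug is observable rather than undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model, not GMime/Geary code. Objects are pool-allocated and
 * never freed, only marked destroyed, so an unref of an already-destroyed
 * object is counted instead of being a real double free / use-after-free. */

typedef struct Address Address;
typedef struct AddressList AddressList;

struct AddressList {
    int refcount, destroyed, count;
    Address *items[4];          /* the list holds one strong ref per item */
};

struct Address {
    int refcount, destroyed;
    const char *text;           /* mailbox text, or the group name for a group */
    AddressList *members;       /* non-NULL for a group; the group owns one ref */
};

static int double_unref_count;  /* unrefs applied to an already-destroyed object */
static int last_leaf_count;     /* leaf (non-group) addresses seen by the last run */
static Address addr_pool[8];
static AddressList list_pool[4];
static int addr_used, list_used;

static AddressList *address_list_new(void)
{
    AddressList *l = &list_pool[list_used++];
    memset(l, 0, sizeof *l);
    l->refcount = 1;
    return l;
}

static Address *address_new(const char *text, AddressList *members)
{
    Address *a = &addr_pool[addr_used++];
    memset(a, 0, sizeof *a);
    a->refcount = 1;
    a->text = text;
    a->members = members;       /* the group takes over the caller's reference */
    return a;
}

static void address_unref(Address *a);

static void address_list_unref(AddressList *l)
{
    if (l->destroyed) { double_unref_count++; return; }  /* real code: heap corruption */
    if (--l->refcount > 0) return;
    l->destroyed = 1;
    for (int i = 0; i < l->count; i++) address_unref(l->items[i]);
}

static void address_unref(Address *a)
{
    if (a->destroyed) { double_unref_count++; return; }
    if (--a->refcount > 0) return;
    a->destroyed = 1;
    if (a->members) address_list_unref(a->members);   /* group drops its only ref */
}

static void address_list_add(AddressList *l, Address *a) { l->items[l->count++] = a; }

/* Like internet_address_group_get_members(): the list stays owned by the group;
 * the caller borrows it and must NOT unref it. */
static AddressList *address_group_get_members(Address *group) { return group->members; }

/* Recursive walk over a parsed list. owned_binding = 1 models code generated from
 * "public InternetAddressList get_members();" (Vala unrefs an owned return);
 * owned_binding = 0 models the corrected "unowned" declaration. */
static int convert_list(AddressList *list, int owned_binding)
{
    int leaves = 0;
    for (int i = 0; i < list->count; i++) {
        Address *a = list->items[i];
        if (!a->members) { leaves++; continue; }
        AddressList *inner = address_group_get_members(a);
        leaves += convert_list(inner, owned_binding);
        if (owned_binding)
            address_list_unref(inner);   /* the bug: releasing a ref we never owned */
    }
    return leaves;
}

/* Hand-built stand-in for the parser's output on the malformed Cc: line:
 * [ alice@example.com, "2 Mar 2013 10": [ "45": [ "25", "+0800" ] ] ] */
static AddressList *build_sample_cc(void)
{
    AddressList *inner = address_list_new();
    address_list_add(inner, address_new("25", NULL));
    address_list_add(inner, address_new("+0800", NULL));
    AddressList *middle = address_list_new();
    address_list_add(middle, address_new("45", inner));
    AddressList *top = address_list_new();
    address_list_add(top, address_new("alice@example.com", NULL));   /* placeholder */
    address_list_add(top, address_new("2 Mar 2013 10", middle));
    return top;
}

/* Returns how many times an already-destroyed object was unreffed; 0 means balanced. */
static int run_scenario(int owned_binding)
{
    addr_used = list_used = double_unref_count = 0;
    AddressList *top = build_sample_cc();            /* we own exactly one ref */
    last_leaf_count = convert_list(top, owned_binding);
    address_list_unref(top);                         /* release it exactly once */
    return double_unref_count;
}

int main(void)
{
    printf("unowned binding: %d extra unrefs (%d leaves)\n", run_scenario(0), last_leaf_count);
    printf("owned binding:   %d extra unrefs (%d leaves)\n", run_scenario(1), last_leaf_count);
    return 0;
}
```

With the unowned (correct) binding the single unref of the top-level list cascades cleanly and the count is 0; with the owned binding each nested group's member list is released once by the converter and again when its group is destroyed, so the model reports one extra unref per group, which is the double free the stack trace pointed at. Dropping the recursion, as the Geary workaround did, only hides the second of those; declaring the return `unowned` removes both.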
I'd accept a patch that added GObject Introspection and I'd be willing to try to maintain it after that point (although I don't know anything about GObject Introspection, so I'm not sure how effective I'd be), but I'm not really interested in maintaining any more language-specific bindings.
Ok, thanks for letting me know.