
Re: svn r486, crash while handling f=f mail: msg#00056

mail.mutt.mutt-ng.user

Subject: Re: svn r486, crash while handling f=f mail

* Rocco Rutte <pdmef@xxxxxxxxxxxxxxx> [05-09-09 01:42]:
> Hi,
> * Daniel Vrcic [05-09-08 19:14:22 +0200] wrote:
> > The problem is in rfc3676.c, on lines 202 and 203. The mentioned line causes
> > curline_len + buf_len - buf_off to be equal to 0, which causes the curline
> > pointer to point to NULL. In the next line (203) strcpy is trying to
> > copy to the NULL pointer, which leads to a SIGSEGV signal.
> Does a debugger tell you that?

Yes.

Breakpoint 1, rfc3676_handler (a=0x82c9558, s=0xbf84bad0) at rfc3676.c:203
203 strcpy (curline + curline_len - 1, buf + buf_off);
3: curline_len + buf_len - buf_off = 0
2: buf + buf_off = 0xbf84b3b2 ""
1: curline = 0x0

I don't know what all those f=f headers mean (really don't have time to
read and play with this :( ), but it seems that if a message has a header,
for example, like this:

|Content-Type: text/plain;
|charset=ISO-8859-2;
|DelSp=Yes;
|format=flowed

and if that message contains in its body the line

|> \n

then mutt-ng crashes. Probably "DelSp=Yes;" is the one that is
causing curline_len + buf_len - buf_off = 0 .

> curline_len is always set to 1 so even if buf_len == buf_off, the result
> will be 1. Maybe I'm blind but I don't see how buf_len and/or buf_off
> can turn negative... Can you please do two things:
> - forward such a mail to the devel list

Actually you can pick one f=f message in your mbox that doesn't contain
DelSp=Yes; . Edit that message and manually add "DelSp=Yes;" to the
Content-Type header. To its body add "> \n" (quote, hit space and then
enter :) ) and then try to open the new mail that appeared in your mbox.
Mutt-ng should crash. At least that's what I get.

If you still can't reproduce the bug I will bounce the original message that
causes the crash here.

> - and see if the attached patch helps (it solves the only problem I see
> so far) though I doubt it

Nope, it doesn't.

> IMHO it's better to take this to devel...

Sure.

Cheers,
--
Daniel Vrcic
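
Added example, not part of the original message and not mutt-ng's code: a sketch of how the size expression in the debugger output can reach 0 for the line "> \n" with DelSp=Yes, next to a checked append. It assumes the length is taken after the trailing space is trimmed while the quote offset is computed on the untrimmed line; flowed_len, quote_off, unchecked_size and append_checked are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not mutt-ng code; helper names and trim/offset order are assumptions. */
/* Line length after dropping "\n" and, with DelSp=yes, one trailing space. */
static size_t flowed_len(const char *buf, int delsp) {
    size_t n = strlen(buf);
    if (n && buf[n - 1] == '\n') n--;
    if (delsp && n && buf[n - 1] == ' ') n--;
    return n;
}

/* Offset past the '>' quote marks and one stuffed space (untrimmed line). */
static size_t quote_off(const char *buf) {
    size_t off = 0;
    while (buf[off] == '>') off++;
    if (buf[off] == ' ') off++;
    return off;
}

/* The size expression from the debugger output, with no bounds check. */
long unchecked_size(const char *buf, int delsp, size_t cur_len) {
    return (long)cur_len + (long)flowed_len(buf, delsp) - (long)quote_off(buf);
}

/* Hardened append; *cur_len counts the terminating NUL (1 for an empty line). */
int append_checked(char **cur, size_t *cur_len, const char *buf, int delsp) {
    size_t len = flowed_len(buf, delsp), off = quote_off(buf);
    if (off > len) off = len;             /* offset may overshoot the trimmed line */
    size_t need = *cur_len + (len - off); /* always >= 1 */
    char *p = realloc(*cur, need);
    if (p == NULL) return -1;             /* never write through a failed realloc */
    memcpy(p + *cur_len - 1, buf + off, len - off);
    p[need - 1] = '\0';
    *cur = p; *cur_len = need;
    return 0;
}

int main(void) {
    char *cur = NULL;
    size_t cur_len = 1;
    const char *line = "> \n";            /* constructed sample: the line from the report */
    printf("unchecked size: %ld\n", unchecked_size(line, 1, cur_len));
    int rc = append_checked(&cur, &cur_len, line, 1);
    printf("checked append: %d, len %zu\n", rc, cur_len);
    free(cur);
    return 0;
}
```

Under the stated assumption the same line without DelSp yields a size of 1, which matches the report that adding "DelSp=Yes;" is what triggers the crash.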



