#3644: segmentation fault when viewing an application/x-sh attachment
----------------------+----------------------
Reporter: vinc17 | Owner: mutt-dev
Type: defect | Status: new
Priority: critical | Milestone:
Component: mutt | Version:
Keywords: |
----------------------+----------------------
When I try to view an application/x-sh attachment that I added before
sending a message, Mutt crashes with a segmentation fault. Full backtrace:
{{{
Core was generated by `/home/vlefevre/x86_64/bin/mutt moi'.
Program terminated with signal 11, Segmentation fault.
#0 fseeko (fp=0x0, offset=0, whence=whence@entry=0) at fseeko.c:38
38 fseeko.c: No such file or directory.
(gdb) bt full
#0 fseeko (fp=0x0, offset=0, whence=whence@entry=0) at fseeko.c:38
_IO_acquire_lock_file = 0x0
result = <optimized out>
#1 0x0000000000432376 in mutt_decode_attachment (b=b@entry=0x1aaf4c0,
s=s@entry=0x7fff4fbc42b0) at handler.c:1543
istext = 0
cd = 0xffffffffffffffff
#2 0x000000000040bc15 in mutt_view_attachment (fp=fp@entry=0x0,
a=0x1aaf4c0,
flag=3, flag@entry=1, hdr=hdr@entry=0x0, idx=idx@entry=0x1a722e0,
idxlen=2)
at attach.c:525
decode_state = {fpin = 0x0, fpout = 0x1c83100, prefix = 0x0,
flags = 16}
tempfile = '\000' <repeats 255 times>
pagerfile = "/var/tmp/mutt-ypig-1000-7059-892142471611688908",
'\000' <repeats 208 times>
is_message = 0
use_mailcap = 0
use_pipe = 0
use_pager = 1
type =
"application/x-sh\000\000\000\000\000\000\000\000\200I\274O\377\177\000\000\060.2O\377\177\000\000M\205\257\061B\177",
'\000' <repeats 26 times>,
"\060\000\000\000.\000\000\000\062\000\000\000\377\177\000\000d\222\257\061B\177",
'\000' <repeats 89 times>, "\270\020", '\000' <repeats 39 times>...
command = "\000\000\000\000\000\000\000\000\000\061\310\001",
'\000' <repeats 12 times>,
"\020\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000
e:3B\177\000\000\310a:3B\177\000\000\273\310\030\063B\177\000\000\000\000\000\000\000\000\000\000`\222\067\063B\177\000\000\001",
'\000' <repeats 15 times>,
"\001\000\000\000\000\000\000\000\310a:3B\177\000\000\000\000\000\000\000\000\000\000\200I\274O\377\177\000\000\200I\274O\377\177\000\000pI\274O\377\177\000\000\000L\274O\377\177\000\000\215\fG\000\000\000\000\000\005\060\257\061B\177\000\000\254\035\257\061B\177\000\000`\r\335\023\000\000\000\062\260C\274O\377\177\000\000pD\274O\377\177\000\000"...
descrip =
"\000\000\000\000\000\000\000\000\002\000\000\000\060\000\000\000\000\000\000\000\000\300\312?\225{\257\061B\177\000\000\000\000\000\000\000\000\000\000\274\275\030\063B\177\000\000\030\000\000\000\000\000\000\000\t\000\000\000\000\000\000\000\220C\274O\377\177\000\000\r\000\000\000\000\000\000\000`\r\335\023\000\000\000\000\260\305\030\063B\177\000\000\000\000\000\000\000\000\000\000
\000\000\000\000\000\000\000\065tO\000\000\000\000\000\030\355\252\061B\177\000\000\364̪1B\177\000\000\003\000\000\000\000\000\000\000tO\000\000\000\000\000\000\030\355\252\061B\177\000\000\200I\274O\377\177\000\000\060\374\252\061B\177\000\000\000\000\000\000\000\000\000\000\261I\301\061B\177\000\000\000\000\000\000\000\000\000\000`"...
fname = <optimized out>
entry = 0x0
rc = -1
unlink_tempfile = 0
#3 0x0000000000455538 in mutt_attach_display_loop (menu=0x1c71800,
op=<optimized out>, fp=fp@entry=0x0, hdr=hdr@entry=0x0,
cur=cur@entry=0x0,
idxp=idxp@entry=0x7fff4fbc57a0, idxlen=idxlen@entry=0x7fff4fbc5790,
idxmax=idxmax@entry=0x0, recv=recv@entry=0) at recvattach.c:837
idx = 0x1a722e0
#4 0x000000000041836e in mutt_compose_menu (msg=0x1c71710,
fcc=fcc@entry=0x7fff4fbc6340 "=sent", fcclen=fcclen@entry=256,
cur=0x0)
at compose.c:1105
helpstr = "s:Send q:Abort T:To C:CC S:Subj a:Attach file
^D:Descrip ?:Help", '\000' <repeats 506 times>...
buf = "-- Mutt: Compose [Approx. msg size: 13K Atts: 2]", '-'
<repeats 29 times>, '\000' <repeats 504 times>...
fname = "fdbug49786.sh", '\000' <repeats 242 times>
menu = 0x1c71800
idx = 0x1a722e0
idxlen = 2
idxmax = 5
i = <optimized out>
close = <optimized out>
r = <optimized out>
op = <optimized out>
loop = <optimized out>
fccSet = <optimized out>
ctx = 0x0
this = <optimized out>
oldSort = <optimized out>
oldSortAux = <optimized out>
st = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid =
0,
st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize =
0,
st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {
tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 0},
__unused = {0, 0, 0}}
#5 0x000000000045ec5d in ci_send_message (flags=<optimized out>,
flags@entry=0, msg=msg@entry=0x1c71710, tempfile=<optimized out>,
ctx=ctx@entry=0x0, cur=cur@entry=0x0) at send.c:1551
buffer = "/var/tmp/mutt-
ypig-1000-7059-20037497591929872029\000\000\000\001\000\000\000\070e\274O\377\177\000\000\000\000\000\000\000\000\000\000z1\262\061B\177",
'\000' <repeats 18 times>, "@'\262\061B\177\000\000\300\364\252\001",
'\000' <repeats 20 times>,
"\260e\274O\377\177\000\000\000\000\000\000\000\000\000\000pe\274O\377\177\000\000\ra\261\061B\177\000\000\000\000\000\000\001\000\000\000\220e\274O\377\177\000\000\000\000\000\000\000\000\000\000\303\302F\000\000\000\000\000\300\r\251\001\000\000\000\000"...
fcc = "=sent\000vlefevre/Mail/sent", '\000' <repeats 231 times>
tempfp = 0x0
pbody = <optimized out>
i = <optimized out>
killfrom = 0
fcc_error = 0
free_clear_content = <optimized out>
save_content = 0x0
clear_content = 0x0
pgpkeylist = 0x0
signas = 0x0
tag = 0x0
err = 0x0
ctype = 0x0
rv = -1
#6 0x0000000000408440 in main (argc=2, argv=<optimized out>) at
main.c:989
fin = 0x0
buf =
"[\362\001\000\000\000\000\000\030\355\252\061B\177\000\000\000\000\000\000\000\000\000\000л\253\061B\177\000\000Xg:3B\177\000\000\273\310\030\063B\177\000\000\000\000\000\000\000\000\000\000؞73B\177\000\000\000\240\067\063B\177\000\000<7\030\063B\177\000\000\360\274\253\061B\177\000\000\020\064\030\063B\177\000\000\000\000\000\000\001\000\000\000\235\b\000\000\001\000\000\000\210\200l\000\000\000\000\000
\202\274O\377\177\000\000\200\201\274O\377\177\000\000؞73B\177\000\000\001\000\000\000\000\000\000\000
e:3B\177\000\000\330Y:3B\177\000\000\273\310\030\063B\177\000\000\000\000\000\000\000\000\000\000؞73B\177\000\000\001",
'\000' <repeats 15 times>...
tempfile = 0x0
rv = 0
infile = <optimized out>
bodytext = 0x0
folder = '\000' <repeats 255 times>
subject = 0x0
includeFile = 0x0
draftFile = 0x0
newMagic = 0x0
msg = 0x1c71710
attach = 0x0
commands = 0x0
queries = 0x0
alias_queries = 0x0
sendflags = 0
flags = <optimized out>
version = 0
i = <optimized out>
explicit_folder = 0
dump_variables = 0
double_dash = <optimized out>
nargc = <optimized out>
}}}
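I'll attach the file in question.
Possible security implications? Frame #0 shows fseeko() called with fp=0x0,
and the decode state in mutt_view_attachment() (frame #2) has fpin = 0x0, so
the crash appears to be a NULL pointer dereference, reached here from the
compose menu on an attachment that was added locally. The backtrace does not
show whether the same path can be reached when viewing an attachment of a
received message.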
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3644>
Mutt <http://www.mutt.org/>
The Mutt mail user agent