Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte

2007-10-19 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte

Changes (by pdmef):

  * status:  reopened => closed
  * resolution:  => fixed

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:7





Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte

2007-10-15 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte

Comment (by pdmef):

 mutt_FormatString() is now supposed to be mostly multibyte-safe, including
 padding with multibyte characters. Can you please report if you still have
 problems? Otherwise I'd like to close this ticket.

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:6





Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte

2007-09-07 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte

Comment (by Sertaç Ö. Yıldız):

 {{{
 That fixes the crash, thanks.

 Just as a side note: each '│' character (U+2502 BOX DRAWINGS LIGHT
 VERTICAL) in index_format still causes a two characters wide offset on
 right after padding.
 }}}

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:




Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte

2007-09-07 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte

Comment (by pdmef):

 Replying to [comment:4 Sertaç Ö. Yıldız]:

 > Just as a side note: each '│' character (U+2502 BOX DRAWINGS LIGHT
 > VERTICAL) in index_format still causes a two characters wide offset on
 > right after padding.

 Yeah. A fix is easy:

  * zero the destination when entering the function
  * re-compute col right after the {{{ch = *src++}}} line for right-padding

 But this would be a hot-fix only. mutt_FormatString() isn't obviously
 completely multibyte-safe:

  * it doesn't allow padding with multibyte chars
  * the default is to add each byte one by one from the input to the output
 and increment __both__, the current column counter and the number written
 so far (column is wrong for multibyte input)

 ...while the latter one now causes trouble.

 I'm in favor of fixing the latter issue, so I won't commit the above fix
 as it only fights the symptoms.

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:5




Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte

2007-09-07 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte

Changes (by pdmef):

  * status:  closed => reopened
  * resolution:  fixed =>
  * summary:  segfaults in uxterm with  254 columns if there are single
    byte 8-bit characters in index_format => segfaults in uxterm with  254
    columns if there are single byte

Comment:

 Replying to [comment:2 Sertaç Ö. Yıldız]:

 > After this changeset, mutt started to segfault with the attached mbox.
 ...
 > After this line,
 > | 1207  count -= wlen; /* how many byte left for this line's buffer */
 > count becomes negative. Just before the memset(): count=-9 col=179
 > wlen=189.

 I can confirm your analysis and your crash. I also saw segfaults on other
 messages and tried to fix padding logic in changeset [648ad3832e82]. With
 it, your message is fine here. Can you please retry?

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:3




Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

2007-09-06 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte
8-bit characters in index_format

Comment (by Sertaç Ö. Yıldız):

 {{{
 After this changeset, mutt started to segfault with the attached mbox.

 | $ echo $COLUMNS
 | 180
 | $ cat ~/mutt-if.rc
 | set index_format=%Z%?X?§ [EMAIL PROTECTED]║%4c║?%s%
 %?Y?%Y%?
 | $ LANG=en_US.UTF-8 gdb ~/RPMBUILD/BUILD/mutt-1.5.16/mutt
 | Using host libthread_db library /lib/libthread_db.so.1.
 | (gdb) run -R -F ~/mutt-if.rc -f =bug
 | Program received signal SIGSEGV, Segmentation fault.
 | 0x00b9d6f7 in memset () from /lib/libc.so.6
 | (gdb) bt
 | #0  0x00b9d6f7 in memset () from /lib/libc.so.6
 | #1  0x080b7f11 in mutt_FormatString (
 | dest=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler
 Ofi�\225\2210.1K�\225\221[students]  Davetlisiniz 11 Eylül Salı - Film
 Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season
 Begins with Music!, ' ' repeats 11 times..., destlen=value optimized
 out, col=0, src=value optimized out,
 | callback=0x8079d20 hdr_format_str, data=3219068092, flags=100) at
 /usr/include/bits/string3.h:96
 | #2  0x080798a0 in _mutt_make_string (
 | dest=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler
 Ofi�\225\2210.1K�\225\221[students]  Davetlisiniz 11 Eylül Salı - Film
 Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season
 Begins with Music!, ' ' repeats 11 times..., destlen=256,
 | s=0x82c27d0 %Z%?X?§
 [EMAIL PROTECTED]�\225\221%4c�\225\221?%s%
 %?Y?%Y%?, ctx=0x82c2748, hdr=0x82cb940, flags=100)
 | at hdrline.c:736
 | #3  0x0806a3ea in index_make_entry (
 | s=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler
 Ofi�\225\2210.1K�\225\221[students]  Davetlisiniz 11 Eylül Salı - Film
 Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season
 Begins with Music!, ' ' repeats 11 times..., l=256, menu=0x82cc128,
 num=0) at curs_main.c:174
 | #4  0x080842b2 in menu_make_entry (
 | s=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler
 Ofi�\225\2210.1K�\225\221[students]  Davetlisiniz 11 Eylül Salı - Film
 Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season
 Begins with Music!, ' ' repeats 11 times..., l=0, menu=0x82cc128,
 i=1073739135) at menu.c:154
 | #5  0x08085236 in menu_redraw_index (menu=0x82cc128) at menu.c:216
 | #6  0x20202020 in ?? ()
 | #7  0x20202020 in ?? ()
 | [snip]
 | #2669 0x20202020 in ?? ()
 | #2670 0x20202020 in ?? ()
 | Cannot access memory at address 0xbfdf4000

 After this line,
 | 1207  count -= wlen; /* how many byte left for this line's buffer */
 count becomes negative. Just before the memset(): count=-9 col=179
 wlen=189.
 }}}

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:




Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

2007-09-05 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte
8-bit characters in index_format

Changes (by pdmef):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 (In [bb4f47b4578d]) Fix buffer overflow in mutt_FormatString()

 The variable in question is supposed to track string sizes, not string
 widths (closes #2882 and #2900).

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:1
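
The size-versus-width distinction named in the commit message above, and the negative count reported in the 2007-09-06 comment, shown as an added C example (not code from mutt or from this ticket). The helpers `utf8_cols`, `unchecked_fill_len` and `pad_line` are hypothetical, the starting count of 180 is inferred from the reported count=-9 and wlen=189, and every character is assumed to be one column wide.

```c
#include <stdio.h>
#include <string.h>

/* Columns of a UTF-8 string, assuming one column per character (true for
 * U+00B7 and U+2502; real code would use wcwidth()). */
size_t utf8_cols(const char *s)
{
    size_t cols = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80) /* skip continuation bytes */
            cols++;
    return cols;
}

/* Length memset() would see if a negative "bytes left" were passed on
 * unchecked: the int converts to a huge size_t. */
size_t unchecked_fill_len(int count, int wlen)
{
    return (size_t)(count - wlen);
}

/* Hypothetical helper: write left + fill + right so the line is `cols` columns
 * wide. Columns set the padding wanted, bytes set what fits; -1 = no fit. */
int pad_line(char *dest, size_t destlen, size_t cols,
             const char *left, const char *right, char fill)
{
    size_t lb = strlen(left), rb = strlen(right);     /* sizes in bytes */
    size_t used = utf8_cols(left) + utf8_cols(right); /* widths in columns */
    if (used > cols)
        return -1;
    size_t pad = cols - used; /* cannot wrap: checked above */
    if (lb >= destlen || rb >= destlen - lb || pad >= destlen - lb - rb)
        return -1; /* also leaves room for the terminating NUL */
    memcpy(dest, left, lb);
    memset(dest + lb, fill, pad);
    memcpy(dest + lb + pad, right, rb);
    dest[lb + pad + rb] = '\0';
    return (int)(lb + pad + rb);
}

int main(void)
{
    char buf[256]; /* 256 bytes, like destlen in the backtraces */
    const char *date = "Wed\xC2\xB7" "28\xC2\xB7" "Feb"; /* constructed sample */
    printf("unchecked fill length: %zu\n", unchecked_fill_len(180, 189));
    printf("253 columns: %d\n", pad_line(buf, sizeof buf, 253, date, "12", ' '));
    printf("254 columns: %d\n", pad_line(buf, sizeof buf, 254, date, "12", ' '));
    return 0;
}
```

In this sample a 253-column line with two 2-byte characters already needs 255 bytes, and a 254-column line no longer fits a 256-byte buffer once the terminating NUL is counted, so `pad_line` refuses it instead of writing past the end.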




Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

2007-04-24 Thread Mutt
#2882: segfaults in uxterm with  254 columns if there are single byte
8-bit characters in index_format

 {{{
 - Forwarded message from Axel Beckert [EMAIL PROTECTED] -

 Date: Mon, 23 Apr 2007 15:08:27 +0200 (CEST)
 From: Axel Beckert [EMAIL PROTECTED]
 Reply-To: Axel Beckert [EMAIL PROTECTED], [EMAIL PROTECTED]
 To: Debian Bug Tracking System [EMAIL PROTECTED]
 Subject: Bug#420598: mutt: segfaults in uxterm with  254 columns if there
 are single byte 8-bit characters in index_format

 Package: mutt
 Version: 1.5.9-2sarge2
 Severity: normal

 Since a long time, my index_format for mutt is set as follows:

 set index_format=%4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s%
 %M

 It works fine since years and even inside uxterms with
 LC_CTYPE=en_US.UTF-8, but no other locale environment variables set.

 To track down the problem, I used a .muttrc only containing the above
 line.

 If I now resize the uxterm with a running mutt inside to more than
 254 columns or if I start mutt inside such an uxterm with more than
 254 columns, mutt segfaults.

 It does not happen inside an xterm (same configuration). Although mutt
 shows only 255 (but not 254 as I would have expected) columns of
 content in there. (Probably a mutt internal limit.) The segfault also
 does not happen if I replace the two occurrences of · with -, but a
 segfault shouldn't happen anyway.

 How to reproduce:
 =================

 Write the following line as only line into $HOME/.muttrc with
 iso8859-1 charset:

 set index_format=%4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s%
 %M

 Then, on a display with (at least) 1600x1200 resolution, open an
 uxterm with the font fixed, e.g. by calling uxterm -fn
 fixed. Maximise that window -- at least horizontally. Depending on
 the window manager's border width (fvwm2 with 3px borders here) the
 uxterm should have around 260 columns. Check that with e.g. typing
 echo $COLUMNS.

 Then start mutt in a nearly virgin environment:

 env -i LC_CTYPE=en_US.UTF-8 USER=$USER HOME=$HOME TERM=xterm mutt

 mutt will segfault when trying to display the mail index.

 -- System Information:
 Debian Release: 3.1
 Architecture: i386 (i686)
 Kernel: Linux 2.4.33.2-1-dphys-k8-smp-64gb
 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

 Versions of packages mutt depends on:
 ii  libc6                2.3.2.ds1-22sarge6     GNU C Library: Shared libraries an
 ii  libdb4.3             4.3.27-2               Berkeley v4.3 Database Libraries [
 ii  libgnutls11          1.0.16-13.2sarge2      GNU TLS library - runtime library
 ii  libidn11             0.5.13-1.0             GNU libidn library, implementation
 ii  libncursesw5         5.4-4                  Shared libraries for terminal hand
 ii  libsasl2             2.1.19.dfsg1-0sarge2   Authentication abstraction library
 ii  postfix [mail-trans  2.1.5-9                A high-performance mail transport

 -- no debconf information

 - End forwarded message -


 I can reproduce the bug with current tip with an utf8-encoded muttrc:

 set index_format=%4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s%
 %M

 xterm, utf8, 253 columns.

 Sorting mailbox...
 Program received signal SIGSEGV, Segmentation fault.
 0x00484049 in mutt_FormatString (dest=0x7fff965fbae0  279
 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K   28) Einladung �200
 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., destlen=255,
 col=253, src=0x91a7f8 %M,
 callback=0x4389a1 hdr_format_str, data=140735716243968, flags=100)
 at muttlib.c:1221
 1221  memcpy (wptr, buf, len);
 (gdb) bt
 #0  0x00484049 in mutt_FormatString (dest=0x7fff965fbae0  279
 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K   28) Einladung �200
 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., destlen=255,
 col=253, src=0x91a7f8 %M,
 callback=0x4389a1 hdr_format_str, data=140735716243968, flags=100)
 at muttlib.c:1221
 #1  0x0043a4cb in _mutt_make_string (dest=0x7fff965fbae0  279
 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K   28) Einladung �200
 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., destlen=256,
 s=0x91a7c0 %4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s% %M,
 ctx=0x91c570, hdr=0x9a0ab0, flags=100) at hdrline.c:736
 #2  0x0041d4f3 in index_make_entry (s=0x7fff965fbae0  279
 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K   28) Einladung �200
 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., l=256,
 menu=0x9c1c10, num=278) at curs_main.c:174
 #3  0x00443666 in menu_make_entry (s=0x7fff965fbae0  279
 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K   28) Einladung �200
 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., l=256,
 menu=0x9c1c10, i=278) at menu.c:154
 #4  0x0044395c in menu_redraw_index (menu=0x9c1c10) at menu.c:216

 Christoph
 }}}

-- 
Ticket URL: http://dev.mutt.org/trac/ticket/2882