Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte
#2882: segfaults in uxterm with 254 columns if there are single byte

Changes (by pdmef):

 * status: reopened = closed
 * resolution: = fixed

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:7
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte
#2882: segfaults in uxterm with 254 columns if there are single byte

Comment (by pdmef):

mutt_FormatString() is now supposed to be mostly multibyte-safe, including padding with multibyte characters.

Can you please report if you still have problems? Otherwise I'd like to close this ticket.

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:6
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte
#2882: segfaults in uxterm with 254 columns if there are single byte

Comment (by Sertaç Ö. Yıldız):

{{{
That fixes the crash, thanks.

Just as a side note: each '│' character (U+2502 BOX DRAWINGS LIGHT VERTICAL) in index_format still causes a two characters wide offset on right after padding.
}}}

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte
#2882: segfaults in uxterm with 254 columns if there are single byte

Comment (by pdmef):

Replying to [comment:4 Sertaç Ö. Yıldız]:
> Just as a side note: each '│' character (U+2502 BOX DRAWINGS LIGHT VERTICAL) in index_format still causes a two characters wide offset on right after padding.

Yeah. A fix is easy:

 * zero the destination when entering the function
 * re-compute col right after the {{{ch = *src++}}} line for right-padding

But this would be a hot-fix only. mutt_FormatString() isn't obviously completely multibyte-safe:

 * it doesn't allow padding with multibyte chars
 * the default is to add each byte one by one from the input to the output and increment __both__, the current column counter and the number written so far (column is wrong for multibyte input)

...while the latter one now causes trouble. I'm in favor of fixing the latter issue, so I won't commit the above fix as it only fights the symptoms.

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:5
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte
#2882: segfaults in uxterm with 254 columns if there are single byte

Changes (by pdmef):

 * status: closed = reopened
 * resolution: fixed =
 * summary: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format = segfaults in uxterm with 254 columns if there are single byte

Comment:

Replying to [comment:2 Sertaç Ö. Yıldız]:
> After this changeset, mutt started to segfault with the attached mbox.
> ...
> After this line,
> | 1207 count -= wlen; /* how many byte left for this line's buffer */
> count becomes negative. Just before the memset(): count=-9 col=179 wlen=189.

I can confirm your analysis and your crash. I also saw segfaults on other messages and tried to fix padding logic in changeset [648ad3832e82]. With it, your message is fine here. Can you please retry?

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:3
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format
#2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

Comment (by Sertaç Ö. Yıldız):

{{{
After this changeset, mutt started to segfault with the attached mbox.

| $ echo $COLUMNS
| 180
| $ cat ~/mutt-if.rc
| set index_format=%Z%?X?§ [EMAIL PROTECTED]║%4c║?%s% %?Y?%Y%?
| $ LANG=en_US.UTF-8 gdb ~/RPMBUILD/BUILD/mutt-1.5.16/mutt
| Using host libthread_db library /lib/libthread_db.so.1.
| (gdb) run -R -F ~/mutt-if.rc -f =bug
| Program received signal SIGSEGV, Segmentation fault.
| 0x00b9d6f7 in memset () from /lib/libc.so.6
| (gdb) bt
| #0 0x00b9d6f7 in memset () from /lib/libc.so.6
| #1 0x080b7f11 in mutt_FormatString (
| dest=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler Ofi�\225\2210.1K�\225\221[students] Davetlisiniz 11 Eylül Salı - Film Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season Begins with Music!, ' ' repeats 11 times..., destlen=value optimized out, col=0, src=value optimized out,
| callback=0x8079d20 hdr_format_str, data=3219068092, flags=100) at /usr/include/bits/string3.h:96
| #2 0x080798a0 in _mutt_make_string (
| dest=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler Ofi�\225\2210.1K�\225\221[students] Davetlisiniz 11 Eylül Salı - Film Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season Begins with Music!, ' ' repeats 11 times..., destlen=256,
| s=0x82c27d0 %Z%?X?§ [EMAIL PROTECTED]�\225\221%4c�\225\221?%s% %?Y?%Y%?, ctx=0x82c2748, hdr=0x82cb940, flags=100)
| at hdrline.c:736
| #3 0x0806a3ea in index_make_entry (
| s=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler Ofi�\225\2210.1K�\225\221[students] Davetlisiniz 11 Eylül Salı - Film Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season Begins with Music!, ' ' repeats 11 times..., l=256, menu=0x82cc128, num=0) at curs_main.c:174
| #4 0x080842b2 in menu_make_entry (
| s=0xbfdf1548 [EMAIL PROTECTED] Ili�\237kiler Ofi�\225\2210.1K�\225\221[students] Davetlisiniz 11 Eylül Salı - Film Sezonu Müzikle Ba�\237lıyor! Your're Invited 11 Sept Tuesday - Film Season Begins with Music!, ' ' repeats 11 times..., l=0, menu=0x82cc128, i=1073739135) at menu.c:154
| #5 0x08085236 in menu_redraw_index (menu=0x82cc128) at menu.c:216
| #6 0x20202020 in ?? ()
| #7 0x20202020 in ?? ()
| [snip]
| #2669 0x20202020 in ?? ()
| #2670 0x20202020 in ?? ()
| Cannot access memory at address 0xbfdf4000

After this line,

| 1207 count -= wlen; /* how many byte left for this line's buffer */

count becomes negative. Just before the memset(): count=-9 col=179 wlen=189.
}}}

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format
#2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

Changes (by pdmef):

 * status: new = closed
 * resolution: = fixed

Comment:

(In [bb4f47b4578d]) Fix buffer overflow in mutt_FormatString()

The variable in question is supposed to track string sizes, not string widths (closes #2882 and #2900).

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882#comment:1
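The unit mix-up named in the commit message above (byte sizes versus display widths), as an added C example that is not mutt's code and not part of the ticket. `utf8_cols`, `pad_mixed_units`, `pad_right` and the sample strings are hypothetical, and one display column per code point is assumed.

```c
#include <stdio.h>
#include <string.h>

#define VBAR "\xE2\x94\x82"   /* U+2502 '│': 3 bytes in UTF-8, 1 column */

/* Columns of a UTF-8 string, assuming one column per code point (holds for
 * '·' and '│'; wide or combining characters would need wcwidth()). */
static size_t utf8_cols(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)   /* not a continuation byte */
            n++;
    return n;
}

/* Mixed units: columns left on the line minus the BYTE length of the tail.
 * A negative result handed to memset() converts to a huge size_t. */
long pad_mixed_units(size_t term_cols, const char *left, const char *right)
{
    return (long)term_cols - (long)utf8_cols(left) - (long)strlen(right);
}

/* Writes left + spaces + right so the line fills term_cols columns. Columns
 * decide the pad; bytes decide whether it fits. Returns bytes written, or -1
 * if dest is too small. */
long pad_right(char *dest, size_t destlen, size_t term_cols,
               const char *left, const char *right)
{
    size_t lb = strlen(left), rb = strlen(right);
    size_t used = utf8_cols(left) + utf8_cols(right);
    size_t pad = term_cols > used ? term_cols - used : 0;

    if (destlen == 0 || lb + pad + rb > destlen - 1)
        return -1;
    memcpy(dest, left, lb);
    memset(dest + lb, ' ', pad);
    memcpy(dest + lb + pad, right, rb);
    dest[lb + pad + rb] = '\0';
    return (long)(lb + pad + rb);
}

int main(void)
{
    char line[32];   /* constructed sample: 10-column line, box-drawing chars */
    printf("mixed-unit pad: %ld\n", pad_mixed_units(10, "a" VBAR "b", VBAR VBAR VBAR));
    printf("bytes written: %ld\n", pad_right(line, sizeof line, 10, "a" VBAR "b", VBAR VBAR VBAR));
    return 0;
}
```

With the constructed input the mixed-unit pad is already negative on a 10-column line, while the bounded helper needs 18 bytes to fill the same 10 columns.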
Bug#420598: [Mutt] #2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format
#2882: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

{{{
- Forwarded message from Axel Beckert [EMAIL PROTECTED] -

Date: Mon, 23 Apr 2007 15:08:27 +0200 (CEST)
From: Axel Beckert [EMAIL PROTECTED]
Reply-To: Axel Beckert [EMAIL PROTECTED], [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: Bug#420598: mutt: segfaults in uxterm with 254 columns if there are single byte 8-bit characters in index_format

Package: mutt
Version: 1.5.9-2sarge2
Severity: normal

Since a long time, my index_format for mutt is set as follows:

set index_format=%4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s% %M

It works fine since years and even inside uxterms with LC_CTYPE=en_US.UTF-8, but no other locale environment variables set.

To track down the problem, I used a .muttrc only containing the above line.

If I now resize the uxterm with a running mutt inside to more than 254 columns or if I start mutt inside such an uxterm with more than 254 columns, mutt segfaults.

It does not happen inside an xterm (same configuration). Although mutt shows only 255 (but not 254 as I would have expected) columns of content in there. (Probably a mutt internal limit.)

The segfault also does not happen if I replace the two occurrences of · with -, but a segfault shouldn't happen anyway.

How to reproduce:
=================

Write the following line as only line into $HOME/.muttrc with iso8859-1 charset:

set index_format=%4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s% %M

Then, on a display with (at least) 1600x1200 resolution, open an uxterm with the font fixed, e.g. by calling

uxterm -fn fixed

Maximise that window -- at least horizontally. Depending on the window manager's border width (fvwm2 with 3px borders here) the uxterm should have around 260 columns. Check that with e.g. typing

echo $COLUMNS

Then start mutt in a nearly virgin environment:

env -i LC_CTYPE=en_US.UTF-8 USER=$USER HOME=$HOME TERM=xterm mutt

mutt will segfault when trying to display the mail index.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.33.2-1-dphys-k8-smp-64gb
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mutt depends on:
ii  libc6               2.3.2.ds1-22sarge6    GNU C Library: Shared libraries an
ii  libdb4.3            4.3.27-2              Berkeley v4.3 Database Libraries [
ii  libgnutls11         1.0.16-13.2sarge2     GNU TLS library - runtime library
ii  libidn11            0.5.13-1.0            GNU libidn library, implementation
ii  libncursesw5        5.4-4                 Shared libraries for terminal hand
ii  libsasl2            2.1.19.dfsg1-0sarge2  Authentication abstraction library
ii  postfix [mail-trans 2.1.5-9               A high-performance mail transport

-- no debconf information

- End forwarded message -

I can reproduce the bug with current tip with a utf8-encoded muttrc:

set index_format=%4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s% %M

xterm, utf8, 253 columns.

Sorting mailbox...
Program received signal SIGSEGV, Segmentation fault.
0x00484049 in mutt_FormatString (dest=0x7fff965fbae0 279 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K 28) Einladung �200 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., destlen=255, col=253, src=0x91a7f8 %M, callback=0x4389a1 hdr_format_str, data=140735716243968, flags=100) at muttlib.c:1221
1221 memcpy (wptr, buf, len);
(gdb) bt
#0 0x00484049 in mutt_FormatString (dest=0x7fff965fbae0 279 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K 28) Einladung �200 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., destlen=255, col=253, src=0x91a7f8 %M, callback=0x4389a1 hdr_format_str, data=140735716243968, flags=100) at muttlib.c:1221
#1 0x0043a4cb in _mutt_make_string (dest=0x7fff965fbae0 279 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K 28) Einladung �200 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., destlen=256, s=0x91a7c0 %4C %Z %[%a·%d·%b] %-16.16F [%-12.12L] (%4c %4l) %s% %M, ctx=0x91c570, hdr=0x9a0ab0, flags=100) at hdrline.c:736
#2 0x0041d4f3 in index_make_entry (s=0x7fff965fbae0 279 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K 28) Einladung �200 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., l=256, menu=0x9c1c10, num=278) at curs_main.c:174
#3 0x00443666 in menu_make_entry (s=0x7fff965fbae0 279 Wed·28·Feb Sebastian Schöni [Sebastian Sc] (1,0K 28) Einladung �200 \236Bad-Taste-Party�200\234, ' ' repeats 102 times..., l=256, menu=0x9c1c10, i=278) at menu.c:154
#4 0x0044395c in menu_redraw_index (menu=0x9c1c10) at menu.c:216

Christoph
}}}

--
Ticket URL: http://dev.mutt.org/trac/ticket/2882