• Bug#266196: mutt segfaults on junk

    From KELEMEN Peter@1:229/2 to All on Tue Aug 17 02:00:16 2004
    From: [email protected]

    Package: mutt
    Version: 1.5.6-20040803+1
    Severity: important
    Tags: l10n

    Mutt started throwing SIGSEGVs when I switched over to UTF-8. I
    localized the problem to a bogofilter-handled spam folder. I came
    up with the isolated testcase (URL because I don't know how to
    instruct reportbug to attach files), a simple mbox that contains
    only the Subject: header of an actual spam.

    http://cern.ch/fuji/cruft/mutt-segfault-mbox.gz
    9aff55a26f26e107f5c9ec6b6a6541b02d262a6f mutt-segfault-mbox.gz
    fda0215da06f41015770b85f2dc250ae98179903 mutt-segfault-mbox

    Peter

    -- System Information:
    Debian Release: 3.1
    APT prefers unstable
    APT policy: (500, 'unstable'), (1, 'experimental')
    Architecture: i386 (i686)
    Kernel: Linux 2.6.7-mm7-inara
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8

    Versions of packages mutt depends on:
    ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
    ii libgnutls11 1.0.16-7 GNU TLS library - runtime library
    ii libidn11 0.5.2-2 GNU libidn library, implementation
    ii libncursesw5 5.4-4 Shared libraries for terminal hand
    ii libsasl2 2.1.19-1.1 Authentication abstraction library
    ii postfix [mail-transport-age 2.1.4-4 A high-performance mail transport

    -- no debconf information


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From KELEMEN Peter@1:229/2 to All on Tue Aug 17 02:40:09 2004
    From: [email protected]

    * Adeodato Simó ([email protected]) [20040817 02:20]:

    > uhm, I wget the file but get this instead:
    > fcde3afca692319016abe7c2f422bff2 mutt-segfault-mbox.gz
    > d6cc4911ab10cef09ba1af0492a80355 mutt-segfault-mbox

    Please use sha1sum(1) for verifying the checksums.

    Peter

    --
    .+'''+. .+'''+. .+'''+. .+'''+. .+''
    Kelemen Péter / \ / \ / [email protected]
    .+' `+...+' `+...+' `+...+' `+...+'


  • From Adeodato Simó@1:229/2 to All on Tue Aug 17 02:40:08 2004
    From: [email protected]

    * KELEMEN Peter [Tue, 17 Aug 2004 01:35:41 +0200]:

    hi,

    > Mutt started throwing SIGSEGVs when I switched over to UTF-8. I
    > localized the problem to a bogofilter-handled spam folder. I came
    > up with the isolated testcase (URL because I don't know how to
    > instruct reportbug to attach files), a simple mbox that contains
    > only the Subject: header of an actual spam.

    we've had several of these, some related to a libc6 bug. a patch was
    introduced to workaround it, but still.

    > http://cern.ch/fuji/cruft/mutt-segfault-mbox.gz
    > 9aff55a26f26e107f5c9ec6b6a6541b02d262a6f mutt-segfault-mbox.gz
    > fda0215da06f41015770b85f2dc250ae98179903 mutt-segfault-mbox

    uhm, I wget the file but get this instead:

    fcde3afca692319016abe7c2f422bff2 mutt-segfault-mbox.gz
    d6cc4911ab10cef09ba1af0492a80355 mutt-segfault-mbox

    and I fail to reproduce the bug, then. can you check you uploaded the
    right file.

    thanks,

    --
    Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

    Proper treatment will cure a cold in seven days, but left to itself, a
    cold will hang on for a week.
    -- Darrell Huff



  • From Adeodato Simó@1:229/2 to All on Tue Aug 17 03:00:10 2004
    From: [email protected]

    * KELEMEN Peter [Tue, 17 Aug 2004 02:26:17 +0200]:
    > * Adeodato Simó ([email protected]) [20040817 02:20]:
    >
    > > uhm, I wget the file but get this instead:
    > > fcde3afca692319016abe7c2f422bff2 mutt-segfault-mbox.gz
    > > d6cc4911ab10cef09ba1af0492a80355 mutt-segfault-mbox
    >
    > Please use sha1sum(1) for verifying the checksums.

    sorry. checksums are right now, but obviously that doesn't make the
    segfault magically appear. ;-)

    backtrace?


    --
    Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

    The greatest productive force is human selfishness.
    -- Robert Heinlein



  • From KELEMEN Peter@1:229/2 to All on Tue Aug 17 03:10:09 2004
    From: [email protected]

    * Adeodato Simó ([email protected]) [20040817 02:35]:

    > backtrace?

    #0 0xb7e73269 in re_exec () from /lib/tls/libc.so.6
    #1 0xb7bbeccc in ?? ()
    #2 0x00000000 in ?? ()
    #3 0xb7ee7edc in ?? () from /lib/tls/libc.so.6
    #4 0x00000001 in ?? ()
    #5 0x081f3ac8 in ?? ()
    #6 0x00000000 in ?? ()
    #7 0xb7e7304b in re_exec () from /lib/tls/libc.so.6
    #8 0x08287e68 in ?? ()
    #9 0x00000002 in ?? ()
    #10 0xbfffcd00 in ?? ()
    #11 0xbfffccf4 in ?? ()
    #12 0x08285be1 in ?? ()
    #13 0x00000000 in ?? ()
    #14 0xbfffccf8 in ?? ()
    #15 0x00000000 in ?? ()
    #16 0x00000001 in ?? ()
    #17 0xbfffcd90 in ?? ()
    #18 0x08285be1 in ?? ()
    #19 0xb7ee7edc in ?? () from /lib/tls/libc.so.6
    #20 0x00000010 in ?? ()
    #21 0xbfffcd90 in ?? ()
    #22 0x00000000 in ?? ()
    #23 0x00000001 in ?? ()
    #24 0x00000000 in ?? ()
    #25 0x000000fb in ?? ()
    #26 0x00000000 in ?? ()
    #27 0x08287e68 in ?? ()
    #28 0x081f3ac8 in ?? ()
    #29 0x00000004 in ?? ()
    #30 0xffffffd8 in ?? ()
    #31 0xb7d128a0 in ?? ()
    #32 0x00000001 in ?? ()
    #33 0x00000002 in ?? ()
    #34 0x08212cc8 in ?? ()
    #35 0x00000000 in ?? ()
    #36 0x00000000 in ?? ()
    #37 0xb7e6786d in fnmatch () from /lib/tls/libc.so.6
    Previous frame inner to this frame (corrupt stack?)

    ii libc6 2.3.2.ds1-16
    ii mutt 1.5.6-20040803+1

    Peter

    --
    .+'''+. .+'''+. .+'''+. .+'''+. .+''
    Kelemen Péter / \ / \ / [email protected]
    .+' `+...+' `+...+' `+...+' `+...+'

  • From Adeodato Simó@1:229/2 to All on Tue Aug 17 03:30:09 2004
    From: [email protected]

    * KELEMEN Peter [Tue, 17 Aug 2004 02:59:13 +0200]:
    > * Adeodato Simó ([email protected]) [20040817 02:35]:
    >
    > > backtrace?
    >
    > Now with libc6-dbg installed:

    thanks.

    > #6 0xb7e6e80b in regexec () from /lib/tls/libc.so.6

    ah, our beloved regexec. please check if it happens if you start mutt
    with a -F /dev/null option. if it doesn't, please attach your muttrc
    (without sensible parts) so I can find out what is triggering the
    segfault.

    if you prefer not to send your muttrc, please do the testing yourself
    and find out which line in it triggers the bug. I suspect it will
    probably be $index_format or similar (*_format).

    thanks,

    > LANG=en_US.UTF-8

    p.s. I'm checking with this, but thanks for the reminder.

    --
    Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

    Faced with the choice between changing one's mind and proving that there
    is no need to do so, almost everyone gets busy with the proof.
    -- J.K. Galbraith



  • From KELEMEN Peter@1:229/2 to All on Tue Aug 17 03:40:07 2004
    From: [email protected]

    * Adeodato Simó ([email protected]) [20040817 03:02]:

    > ah, our beloved regexec. please check if it happens if you start
    > mutt with a -F /dev/null option. if it doesn't, please attach
    > your muttrc (without sensible parts) so I can find out what is
    > triggering the segfault.

    Using -F /dev/null prevents the segfault. The culprit line:
    set reply_regexp="(((re|a(nt)?w|vá)(\[([\]\[0-9\]+\[])\])?:|[\[a-z0-9\]+-l])\[\t\]+)+"

    The 0x00E1 was originally in ISO-8859-1 encoding, but it does
    not matter; it doesn't need to be there in order to trigger
    the segfault. I trimmed the testcase down (as the backtrace
    suggests):

    set reply_regexp="[a-z]" # segfault
    set reply_regexp="[0-9]" # segfault
    set reply_regexp="[e-f]" # segfault, any variation
    set reply_regexp="[4-5]" # segfault, any variation

    This triggers the same trace. However, the following (supposedly
    equivalent) regexp does not result in segfault:

    set reply_regexp="[[:alpha:]]" # OK
    set reply_regexp="[A-Z]" # OK, any variation

    This currently is a workaround for me; however, it's not nice at
    all that libc just crashes.

    Peter

    --
    .+'''+. .+'''+. .+'''+. .+'''+. .+''
    Kelemen Péter / \ / \ / [email protected]
    .+' `+...+' `+...+' `+...+' `+...+'

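As an added illustration (not code from the bug thread, from mutt, or from the reporter), a small C harness that feeds the reply_regexp variants Peter tried through libc's regcomp(3)/regexec(3) under a UTF-8 locale, so the libc regex engine can be exercised without mutt. The sample subject line and the "smart case" flag rule are assumptions.

```c
/* Added harness (not from the bug report or mutt): compile each candidate
 * reply_regexp with libc regcomp/regexec under a UTF-8 locale, outside mutt. */
#include <ctype.h>
#include <locale.h>
#include <regex.h>
#include <stdio.h>

/* Assumption, mirroring mutt's smart-case rule: case-insensitive unless the
 * pattern itself contains an uppercase letter. */
static int regex_flags(const char *pattern)
{
    for (const char *p = pattern; *p; p++)
        if (isupper((unsigned char)*p))
            return REG_EXTENDED;
    return REG_EXTENDED | REG_ICASE;
}

/* Returns 1 if pattern compiles and matches subject, 0 if it compiles and does
 * not match, -1 if regcomp() rejects it. A libc with the bug discussed in the
 * thread would crash inside regexec() here instead of returning. */
static int try_pattern(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, regex_flags(pattern)) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Pick a UTF-8 locale as mutt would inherit from LANG; NULL if none installed. */
static const char *select_utf8_locale(void)
{
    const char *candidates[] = { "en_US.UTF-8", "C.UTF-8", NULL };
    for (int i = 0; candidates[i]; i++)
        if (setlocale(LC_ALL, candidates[i]))
            return candidates[i];
    return NULL;
}

int main(void)
{
    const char *subject = "Re: aw: test";        /* constructed sample subject */
    const char *patterns[] = { "[a-z]", "[0-9]", "[e-f]", "[4-5]", "[0-1]",
                               "[[:alpha:]]", "[A-Z]", NULL };
    const char *loc = select_utf8_locale();
    printf("locale: %s\n", loc ? loc : "(no UTF-8 locale available)");
    for (int i = 0; patterns[i]; i++)
        printf("%-12s -> %d\n", patterns[i], try_pattern(patterns[i], subject));
    return 0;
}
```

On a libc without the bug every pattern returns 0 or 1; a crash while iterating points at the regex engine rather than at mutt's own code, which is the isolation step the thread performs by hand.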
  • From Adeodato Simó@1:229/2 to All on Tue Aug 17 04:00:10 2004
    From: [email protected]

    tag 266196 confirmed
    quit

    * KELEMEN Peter [Tue, 17 Aug 2004 03:30:01 +0200]:
    > * Adeodato Simó ([email protected]) [20040817 03:02]:
    >
    > > ah, our beloved regexec. please check if it happens if you start
    > > mutt with a -F /dev/null option. if it doesn't, please attach
    > > your muttrc (without sensible parts) so I can find out what is
    > > triggering the segfault.
    >
    > Using -F /dev/null prevents the segfault. The culprit line:
    > set reply_regexp="(((re|a(nt)?w|vá)(\[([\]\[0-9\]+\[])\])?:|[\[a-z0-9\]+-l])\[\t\]+)+"

    thanks for the "investigation" ;-).

    > The 0x00E1 was originally in ISO-8859-1 encoding, but it does
    > not matter; it doesn't need to be there in order to trigger
    > the segfault. I trimmed the testcase down (as the backtrace
    > suggests):

    yup, see #261135. [0-1] is enough.

    > This currently is a workaround for me; however, it's not nice at
    > all that libc just crashes.

    libc bug, fixed-upstream. Goto Masanori told me that this won't be
    fixed in sarge, so we went for the workaround patch (which is in the
    current package).

    all it may be done is checking the patch to see what is missing, which
    I'll try to do tomorrow (now's time to sleep ;-).

    thanks for your report,

    --
    Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

    Arguing with an engineer is like wrestling with a pig in mud: after a
    while, you realize the pig is enjoying it.


