[Pkg-mutt-maintainers] Bug#883106: mutt: null pointer dereference in mbox_to_udomain()

Jakub Wilk jwilk at jwilk.net
Wed Nov 29 18:40:09 UTC 2017


Package: mutt
Version: 1.9.1-5

Mutt crashes on this mbox:

   $ printf 'From Wed Nov 0 0: 0\nTo:=??B??=:\n' > nullptr.mbox
   $ mutt -R -f nullptr.mbox >/dev/null 2>&1

GDB says it's a null pointer dereference in mbox_to_udomain():

   (gdb) up
   #1  0x566ffd01 in mbox_to_udomain (mbx=<optimized out>, user=user@entry=0xffe2b4f0, domain=domain@entry=0xffe2b4f4) at ../../mutt_idna.c:53
   53        p = strchr (buff, '@');
   (gdb) print buff
   $1 = 0x0
   (gdb) bt
   #0  __strchr_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S:97
   #1  0x566ffd01 in mbox_to_udomain (mbx=<optimized out>, user=user@entry=0xffe2b4f0, domain=domain@entry=0xffe2b4f4) at ../../mutt_idna.c:53
   #2  0x56700556 in mutt_addr_for_display (a=0x57eb3190) at ../../mutt_idna.c:293
   #3  0x566c8e60 in mutt_get_name (a=0x57eb3190) at ../../sort.c:104
   #4  0x5668dfb7 in make_from (hdr=0x57eaeea8, buf=buf@entry=0xffe2b63c "Oct 31", do_lists=<optimized out>, do_lists@entry=1, len=1024) at ../../hdrline.c:121
   #5  0x5668f4be in hdr_format_str (dest=0xffe2bbec "", destlen=1024, col=16, cols=80, op=76 'L', src=0x57ea9fa0 " (%?l?%4l&%4c?) %s", prefix=0xffe2baec "-15.15", ifstring=0xffe2bb6c "", elsestring=0xffe2bfec "", data=4293051440, flags=(MUTT_FORMAT_MAKEPRINT | MUTT_FORMAT_ARROWCURSOR | MUTT_FORMAT_INDEX)) at ../../hdrline.c:494
   #6  0x566d3ee8 in mutt_FormatString (dest=0xffe2c50c "   1 N F Oct 31 \254\311\342\377", destlen=1023, col=<optimized out>, cols=80, src=<optimized out>, callback=0x5668e280 <hdr_format_str>, data=4293051440, flags=(MUTT_FORMAT_MAKEPRINT | MUTT_FORMAT_ARROWCURSOR | MUTT_FORMAT_INDEX)) at ../../muttlib.c:1513
   #7  0x5668f7e0 in _mutt_make_string (dest=0xffe2c50c "   1 N F Oct 31 \254\311\342\377", destlen=1024, s=0x57ea9f88 "%4C %Z %{%b %d} %-15.15L (%?l?%4l&%4c?) %s", ctx=0x57eaebf8, hdr=0x57eb30a8, flags=(MUTT_FORMAT_MAKEPRINT | MUTT_FORMAT_ARROWCURSOR | MUTT_FORMAT_INDEX)) at ../../hdrline.c:779
   #8  0x56673794 in index_make_entry (s=0xffe2c50c "   1 N F Oct 31 \254\311\342\377", l=1024, menu=0x57eb3210, num=0) at ../../curs_main.c:253
   #9  0x56697b02 in menu_make_entry (s=s@entry=0xffe2c50c "   1 N F Oct 31 \254\311\342\377", menu=menu@entry=0x57eb3210, i=i@entry=0, l=1024) at ../../menu.c:188
   #10 0x56697ebf in menu_redraw_index (menu=0x57eb3210) at ../../menu.c:263
   #11 0x56674049 in index_menu_redraw (menu=0x57eb3210) at ../../curs_main.c:521
   #12 0x56674569 in mutt_index_menu () at ../../curs_main.c:676
   #13 0x56658de3 in main (argc=<optimized out>, argv=<optimized out>, environ=<optimized out>) at ../../main.c:1252

This was fixed a while ago in NeoMutt[0], but upstream Mutt is still 
affected.

[0] https://github.com/neomutt/neomutt/issues/778


-- System Information:
Architecture: i386

Versions of packages mutt depends on:
ii  libassuan0        2.4.4-1
ii  libc6             2.25-2
ii  libcomerr2        1.43.7-1
ii  libgnutls30       3.5.16-1
ii  libgpg-error0     1.27-5
ii  libgpgme11        1.9.0-6
ii  libgssapi-krb5-2  1.15.2-2
ii  libidn11          1.33-2
ii  libk5crypto3      1.15.2-2
ii  libkrb5-3         1.15.2-2
ii  libncursesw5      6.0+20171125-1
ii  libsasl2-2        2.1.27~101-g0780600+dfsg-3
ii  libtinfo5         6.0+20171125-1
ii  libtokyocabinet9  1.4.48-11+b1

-- 
Jakub Wilk
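
The GDB session in the report shows strchr() being handed a NULL buffer. The block below is an added example, not part of the original report and not Mutt's or NeoMutt's code or fix: a stand-alone user/domain splitter that rejects a NULL mailbox before searching for '@'. The name split_mailbox, the sample addresses, and the assumption that the NULL buffer comes from an address with no mailbox string are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Mutt code: split "user@domain" into two
 * heap-allocated strings. Returns 0 on success, -1 if the mailbox
 * cannot be split. On failure *user and *domain are set to NULL. */
int split_mailbox(const char *mbx, char **user, char **domain)
{
    const char *at;
    size_t ulen;

    *user = *domain = NULL;
    if (mbx == NULL)   /* assumed counterpart of buff == 0x0 in the report */
        return -1;
    at = strchr(mbx, '@');
    if (at == NULL || at == mbx || at[1] == '\0')
        return -1;     /* no '@', empty user, or empty domain */

    ulen = (size_t)(at - mbx);
    *user = malloc(ulen + 1);
    *domain = malloc(strlen(at + 1) + 1);
    if (*user == NULL || *domain == NULL) {
        free(*user);
        free(*domain);
        *user = *domain = NULL;
        return -1;
    }
    memcpy(*user, mbx, ulen);
    (*user)[ulen] = '\0';
    strcpy(*domain, at + 1);
    return 0;
}

int main(void)
{
    /* Constructed inputs; NULL models an address parsed without a mailbox. */
    const char *samples[] = { "jdoe@example.org", NULL, "noat", "@example.org", "jdoe@" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *user, *domain;
        int rc = split_mailbox(samples[i], &user, &domain);
        printf("%-18s -> %s\n", samples[i] ? samples[i] : "(null)",
               rc == 0 ? "split" : "rejected");
        free(user);   /* free(NULL) is a no-op for rejected inputs */
        free(domain);
    }
    return 0;
}
```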


