[Users] [Bug 3598] use after free in function summary_execute_move_func()

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Fri Apr 1 17:11:05 CEST 2016


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3598

--- Comment #11 from Ricardo Mones <mones at users.sourceforge.net> ---
(In reply to comment #9)
> Unfortunately it seems this fix is not enough. I am still able to reproduce
> this issue with the latest git code.
> 
> I assume the reason is that the pointer is copied around at some point and
> although it's nulled on freeing the copy will still be accessed. I'm
> attaching an asan crash dump.
> 
> Not sure how to debug this further. Unfortunately I'm still not able to
> reliably reproduce this, but it happens usually after moving around and
> deleting a few messages in my inbox.

It seems the problem is that in folder.c the msginfo->subject is inserted in
the subject GHashTable without being g_strdup'ed (using
utils.c:subject_table_insert).

If freed by procmsg_msginfo_free, the utils.c:subject_table_lookup function
will try to access a freed string, as the asan report shows.

HTH,

-- 
You are receiving this mail because:
You are the assignee for the bug.
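The ownership problem described in comment #11, as an added example that is not part of the original message or of Claws Mail's code: a table that stores the caller's key pointer next to one that stores its own copy. `Msg`, `Table` and every function name here are constructed stand-ins in plain C, not GLib's GHashTable or the functions in folder.c and utils.c.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins, not Claws Mail's MsgInfo or its subject table. */
typedef struct { char *subject; } Msg;
typedef struct { const char *key; char *copy; int value; } Slot;
typedef struct { Slot slots[8]; size_t n; } Table;

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
/* copy_key = 0 stores the caller's pointer; 1 stores a private copy. */
static int table_insert(Table *t, const char *key, int value, int copy_key) {
    char *copy = copy_key ? dup_str(key) : NULL;
    if (t->n == 8 || (copy_key && !copy)) { free(copy); return -1; }
    t->slots[t->n++] = (Slot){ copy_key ? copy : key, copy, value };
    return 0;
}
/* Reads every stored key, so a key whose owner was freed is read here. */
static int table_lookup(const Table *t, const char *key) {
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->slots[i].key, key) == 0) return t->slots[i].value;
    return -1;
}
static void table_clear(Table *t) {
    for (size_t i = 0; i < t->n; i++) free(t->slots[i].copy);
    t->n = 0;
}
/* Returns 1 if the table points into the message's own subject buffer. */
static int key_is_borrowed(int copy_key) {
    Table t = {0};
    Msg m = { dup_str("Re: hello") };   /* constructed sample subject */
    table_insert(&t, m.subject, 7, copy_key);
    int borrowed = (t.slots[0].key == m.subject);
    table_clear(&t);   /* entries must go before the buffer they point at */
    free(m.subject);
    return borrowed;
}
/* Copied key: a lookup after the message is freed reads only table memory. */
static int lookup_after_free(void) {
    Table t = {0};
    Msg m = { dup_str("Re: hello") };
    table_insert(&t, m.subject, 7, 1);
    free(m.subject);
    int v = table_lookup(&t, "Re: hello");
    table_clear(&t);
    return v;
}
int main(void) { return !(key_is_borrowed(0) && !key_is_borrowed(1) && lookup_after_free() == 7); }
```

With `copy_key = 0`, freeing the message before clearing the table would leave `table_lookup` comparing against freed memory, which is the access the asan report points at.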


