[Users] [Bug 3598] use after free in function summary_execute_move_func()

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Fri Apr 1 17:11:05 CEST 2016


--- Comment #11 from Ricardo Mones <mones at users.sourceforge.net> ---
(In reply to comment #9)
> Unfortunately it seems this fix is not enough. I am still able to reproduce
> this issue with the latest git code.
> I assume the reason is that the pointer is copied around at some point and
> although it's nulled on freeing the copy will still be accessed. I'm
> attaching an asan crash dump.
> Not sure how to debug this further. Unfortunately I'm still not able to
> reliably reproduce this, but it happens usually after moving around and
> deleting a few messages in my inbox.

It seems the problem is that in folder.c the msginfo->subject is inserted in
the subject GHashTable without being g_strdup'ed (using

If freed by procmsg_msginfo_free, the utils.c:subject_table_lookup function
will try to access a freed string, as the asan report shows.


You are receiving this mail because:
You are the assignee for the bug.

More information about the Users mailing list