#2172: crashes (double free) when closing externally modified mailbox

Changes (by brendan):

 * status: new => closed
 * resolution: => worksforme

New description:

{{{
(This comes from Debian Bug#346073.)

When quitting after a mailbox has been emptied by an external program,
Mutt seems to issue a double free, and newer libc6 versions crash on
this.

The backtrace is:

#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7d63691 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7d64f5b in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7d99ba7 in __libc_message () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7da0177 in _int_free () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7da0612 in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xb7d9099a in fclose@@GLIBC_2.1 () from /lib/tls/i686/cmov/libc.so.6
#7  0x080afb9a in safe_fclose (f=0x8151e7c) at lib.c:203
#8  0x080885cf in mx_fastclose_mailbox (ctx=0x8151e78) at mx.c:766
#9  0x080819c8 in mbox_sync_mailbox (ctx=0x8151e78, index_hint=0x0) at mbox.c:934
#10 0x080886c2 in sync_mailbox (ctx=0x8151e78, index_hint=0xbfd8bf00) at mx.c:785
#11 0x0808a56c in mx_close_mailbox (ctx=0x8151e78, index_hint=0xbfd8bf00) at mx.c:1000
#12 0x08067668 in mutt_index_menu () at curs_main.c:890
#13 0x0807eede in main (argc=5, argv=0xbfd8c904) at main.c:960

>How-To-Repeat:
Open a mailbox with one unread message, e.g. [1], on terminal 1, like:

t1% mutt -nF /dev/null -f sample-mailbox

Press intro; the message gets displayed.

On terminal 2, empty the mailbox with:

t2% echo -n >sample-mailbox

On terminal 1 again, press 'q'; Mutt says "Mailbox was externally
modified. Flags may be wrong." Now press 'q' again:

Writing messages... 0 (0%)
*** glibc detected *** double free or corruption (!prev): 0x08153140 ***
zsh: abort (core dumped)

[1] http://people.debian.org/~adeodato/tmp/2006-01-30/sample-mailbox

>Fix:
}}}

--
Ticket URL: <http://dev.mutt.org/trac/ticket/2172#comment:2>
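An added example, not from the ticket or from Mutt's source: a constructed C model of the shutdown sequence in the backtrace, where a sync path and a fast-close path can each close the same FILE*, showing a by-value close beside a hardened helper that clears the owning pointer so the second close is a no-op rather than a double free. The struct and function names are assumptions.

```c
#include <stdio.h>

/* Constructed model of a mailbox context that owns an open FILE*.
 * Names here are assumptions for this example, not Mutt's own code. */
struct mbox_ctx { FILE *fp; };

/* Counts fclose() calls that actually reach libc. */
static int real_fclose_calls = 0;

/* Risky form: the caller's pointer keeps its stale value after the
 * close, so if a sync path and a fast-close path both call this on the
 * same context, libc frees the same FILE twice (the ticket's failure). */
int close_by_value(FILE *fp)
{
    real_fclose_calls++;
    return fclose(fp);
}

/* Hardened form: clears the owning pointer, so a second close through
 * any other path is a harmless no-op instead of a double free. */
int close_owned(FILE **fp)
{
    int r = 0;
    if (*fp) {
        real_fclose_calls++;
        r = fclose(*fp);
        *fp = NULL;
    }
    return r;
}

/* Two shutdown paths that may both run on one context, modelled on the
 * sync -> fastclose sequence in the backtrace. */
static void sync_path(struct mbox_ctx *c)      { close_owned(&c->fp); }
static void fastclose_path(struct mbox_ctx *c) { close_owned(&c->fp); }

/* Runs both paths on one context and returns how many fclose() calls
 * reached libc; the hardened helper yields exactly 1 and a NULL fp. */
int closes_issued_for_double_close(void)
{
    struct mbox_ctx c = { tmpfile() };
    if (!c.fp)
        return -1;
    real_fclose_calls = 0;
    sync_path(&c);
    fastclose_path(&c);
    return c.fp == NULL ? real_fclose_calls : -2;
}
```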