#3888: mutt 1.5.23 and 1.7.1 segfault on valid-seeming HTML message
----------------------+----------------------
 Reporter:  Lorens    |      Owner:  mutt-dev
     Type:  defect    |     Status:  new
 Priority:  critical  |  Milestone:
Component:  display   |    Version:  1.7.1
 Keywords:            |
----------------------+----------------------
 I run 1.5.23 from Ubuntu 15.10. I get a regular message (MIME, one part
 only and that HTML, definitely non-spam but possibly ill-generated since
 it's sent from a website). Hitting [enter] on the message list
 systematically segfaults for every message from this sender. However,
 hitting [v] and then [enter] correctly opens a new tab in my browser like
 I want it to.

 My binary was stripped and optimized, so instead of upgrading Ubuntu (it's
 planned :) ) I downloaded and compiled 1.7.1 with debugging symbols. I
 still have the segfault.

 {{{
 Program terminated with signal SIGSEGV, Segmentation fault.
 [...]
 (gdb) bt
 #0  0x000000000045d6dc in resolve_types (
     buf=0x1a94490 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"
 \"http://www.w3.org/TR/html4/strict.dtd\";> <html> <head> <meta
 name=\"generator\" content=\"HTML Tidy for Windows (vers 14 February
 2006), see www.w3.org\">"...,
     raw=0x1a74780 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"
 \"http://www.w3.org/TR/html4/strict.dtd\";> <html> <head> <meta
 name=\"generator\" content=\"HTML Tidy for Windows (vers 14 February
 2006), see www.w3.org\">"..., lineInfo=0x1a73090, n=11, last=12,
 QuoteList=0x7fff38406d98, q_level=0x7fff38406d20,
     force_redraw=0x7fff38406d24, q_classify=2) at pager.c:883
 #1  0x000000000045ed0c in display_line (f=0x1a70b40,
 last_pos=0x7fff38406da8, lineInfo=0x7fff38406d90, n=11,
 last=0x7fff38406d1c, max=0x7fff38406d18, flags=66,
     QuoteList=0x7fff38406d98, q_level=0x7fff38406d20,
 force_redraw=0x7fff38406d24, SearchRE=0x7fff38406e10,
 pager_window=0x1a73bf0) at pager.c:1347
 #2  0x00000000004607c2 in mutt_pager (banner=0x0, fname=0x7fff38407690
 "/home/lorens/.tmp/TMPDIR//mutt-rush-1000-14827-1801976544388463232",
 flags=66,
     extra=0x7fff38407660) at pager.c:1811
 #3  0x0000000000414c52 in mutt_display_message (cur=0x1a63b00) at
 commands.c:214
 #4  0x00000000004254f1 in mutt_index_menu () at curs_main.c:1313
 #5  0x000000000044ab0e in main (argc=1, argv=0x7fff38408e28) at
 main.c:1228
 }}}

 After mucking about in gdb it seems that in trying to colorize my HTML
 message of some 130kB, the line

      872                      if (++(lineInfo[n].chunks) > 1)

 makes "short chunks" roll over to -32768. This is not caught, variable i
 follows, next time through the loop i is used to index into an array, and
 boom.

 At this point I've not tried to analyze either the regex parsing or the
 HTML in detail, so I can't be sure if the HTML is totally wrecked or not
 (the w3 validator seems to think it is, but Chrome displays it with no
 apparent problems).

 I suppose it is possible to configure mutt to launch my browser
 immediately instead of having it try to colorize the HTML (problem
 disappears if I comment out "color body default default ." from my
 .muttrc), but I do hate segfaults triggered by parsing incoming mail, so
 I'm grading this critical.

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3888>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
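The rollover the report describes, reproduced as an added example (this is not code from mutt or from the reporter): a `short` chunk counter incremented once per colour match wraps negative after 32768 increments, and the index derived from it then points outside the per-line array; the checked variant caps the counter before it can leave the type's range. The `line_info` struct and the `MAX_CHUNKS` cap are simplified assumptions, not mutt's own definitions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Simplified stand-in for the pager's per-line bookkeeping (assumption, not
 * mutt's real struct): a short chunk counter and an array indexed from it. */
struct line_info {
    short chunks;      /* number of colour chunks found on this line */
    int   chunks_max;  /* allocated length of syntax[] */
    int  *syntax;      /* one slot per chunk */
};

/* Unchecked counter, treated the way the ticket's line 872 treats it.
 * Returns the index (chunks - 1) that would be used after `matches`
 * increments; on a two's-complement build it goes negative once the
 * counter passes SHRT_MAX, so the next syntax[i] access is out of bounds. */
int unchecked_index_after(int matches) {
    short chunks = 0;
    for (int m = 0; m < matches; m++)
        ++chunks;          /* int arithmetic, then truncated back to short */
    return chunks - 1;     /* < 0 means the following array write is OOB */
}

/* Hardened form: stop adding chunks once the counter reaches a cap that fits
 * the type (cap value is an illustrative choice), and grow the array only
 * through a bounds-checked path. Returns false when the line must stop
 * being colourised rather than letting the counter wrap. */
#define MAX_CHUNKS SHRT_MAX
bool add_chunk_checked(struct line_info *li, int value) {
    if (li->chunks >= MAX_CHUNKS)
        return false;              /* caller abandons colouring this line */
    int i = li->chunks;            /* index of the new slot, always >= 0 */
    if (i >= li->chunks_max) {
        int grow = li->chunks_max ? li->chunks_max * 2 : 16;
        int *p = realloc(li->syntax, (size_t)grow * sizeof *p);
        if (!p) return false;
        li->syntax = p;
        li->chunks_max = grow;
    }
    li->syntax[i] = value;
    li->chunks++;
    return true;
}

/* Colourise a line producing `matches` regex hits; returns chunks recorded. */
int checked_chunks_after(int matches) {
    struct line_info li = { 0, 0, NULL };
    int recorded = 0;
    for (int m = 0; m < matches && add_chunk_checked(&li, m); m++)
        recorded++;
    free(li.syntax);
    return recorded;
}
```

Widening the counter to `int` removes the wrap as well, but a per-line cap is still worth keeping so a single pathological line cannot drive unbounded allocation.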