
Segfault in regexec, possibly locale related



I was asked to mail my results here, since it seems to be a libc or
locales problem.  Cc me for any questions; I'm not subscribed to this
list.

I reported bug #192341 against the mutt package some time ago; it's
about a certain Chinese spam mail that triggers a segfault.  See the
report for the attached mail (fix the first line from >From to From to
restore mbox format).

Using libc6 2.3.1-17 and mutt 1.5.4-1, required to reproduce is
LANG=de_DE.UTF-8, mutt-utf8 and the following mutt configuration line:

color body brightyellow black (((ht|f)tps?)|mailto):(//)?[^\ "\t]*|www\.[-a-z0-9.]+)[^\ .,;\t>">]

Compiling an upstream mutt with symbols left in, I find that upon
entering the mail it segfaults with this backtrace:

| #0  0x40109c58 in re_exec () from /lib/libc.so.6
| #1  0x40109908 in re_exec () from /lib/libc.so.6
| #2  0x401079d6 in re_exec () from /lib/libc.so.6
| #3  0x40107537 in re_exec () from /lib/libc.so.6
| #4  0x40105c46 in re_exec () from /lib/libc.so.6
| #5  0x40105752 in re_exec () from /lib/libc.so.6
| #6  0x40104d9d in regexec () from /lib/libc.so.6
| #7  0x0807a9d4 in resolve_types (buf=0xbfffd800 "ITV系�\224\220�\216中�\203�\222\210对�\222�\201\224�\221传�\222�\227��\226��\234\210�\202�\232\204�\205�\214\233�\217\221�\225�\214�\233\206�\223�\206�\223�\232计�\227�\234��\226�\213人�\221\230�\234�\203�\200�\217\221�\214�\216\206�\217�\225��\234\210�\214�\216��\220\221�\202�\234��\232\204�\217\210�\200款�\232�\212\237�\203��\200\201�\236�\224��\200�综�\211�软件平�\217��\200"..., raw=0x0, lineInfo=0x8113cc8, n=12, last=0, QuoteList=0xbfffe0c4, q_level=0xbfffe0c8, force_redraw=0xbfffe0cc, q_classify=2) at pager.c:828
| #8  0x0807bdaa in display_line (f=0x8113b58, last_pos=0xbfffe0b4, lineInfo=0xbfffe0b8, n=12, last=0xbfffe0bc, max=0xbfffe0c0, flags=66, QuoteList=0xbfffe0c4, q_level=0xbfffe0c8, force_redraw=0xbfffe0cc, SearchRE=0xbfffe0d0) at pager.c:1244
| #9  0x0807c373 in mutt_pager (banner=0x0, fname=0x120 <Address 0x120 out of bounds>, flags=66, extra=0xbfffe790) at pager.c:1675
| #10 0x08053e98 in mutt_display_message (cur=0x810d460) at commands.c:200
| #11 0x0805c9a8 in mutt_index_menu () at curs_main.c:1091
| #12 0x08071023 in main (argc=3, argv=0xbffffaf4) at main.c:907

The last thing mutt itself does:
| (gdb) frame 7
| #7  0x0807a9d4 in resolve_types (buf=0xbfffd800 "ITV系�\224\220�\216中�\203�\222\210对�\222�\201\224�\221传�\222�\227��\226��\234\210�\202�\232\204�\205�\214\233�\217\221�\225�\214�\233\206�\223�\206�\223�\232计�\227�\234��\226�\213人�\221\230�\234�\203�\200�\217\221�\214�\216\206�\217�\225��\234\210�\214�\216��\220\221�\202�\234��\232\204�\217\210�\200款�\232�\212\237�\203��\200\201�\236�\224��\200�综�\211�软件平�\217��\200"..., raw=0x0, lineInfo=0x8113cc8, n=12, last=0, QuoteList=0xbfffe0c4, q_level=0xbfffe0c8, force_redraw=0xbfffe0cc, q_classify=2) at pager.c:828
| 828             if (regexec (&color_line->rx, buf + offset, 1, pmatch,
| (gdb) p color_line
| $15 = (COLOR_LINE *) 0xbfffdbff

This particular pointer is not in the linked list of color_lines as
started by ColorBodyLists, which I went through in GDB and found to be
ended correctly on a NULL next pointer.  Somewhere the color_line
variable gets overwritten.


-- 
Andreas Bombe <bombe@informatik.tu-muenchen.de>    DSA key 0x04880A44
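An added stand-alone harness (not part of this report or of mutt's source) that feeds a pager-style line to glibc's regexec outside mutt, with the locale selected the way the report does: if regexec handles the same kind of input cleanly on its own, the bogus color_line pointer seen in frame 7 points at memory corruption inside mutt rather than at libc or the locale. The pattern is a constructed, parenthesis-balanced version of the color body regex above, both sample lines are constructed, and the fallback locales are an assumption for machines where de_DE.UTF-8 is not generated.

```c
#include <locale.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed URL pattern: the same URL shapes as the mutt color line in the
 * report, with the parentheses balanced so it is a plain POSIX ERE. */
static const char *URL_PATTERN =
    "(((ht|f)tps?)|mailto):(//)?[^ \"\t]*|www\\.[-a-z0-9.]+";

/* Constructed pager line: UTF-8 Chinese text around an ASCII URL. */
static const char *SAMPLE_LINE =
    "ITV\xe7\xb3\xbb\xe7\xbb\x9f http://example.invalid/x \xe8\xbd\xaf\xe4\xbb\xb6";

/* Constructed line with bytes that are not valid UTF-8 (the gdb dump in the
 * report shows such sequences); regexec must cope with it without crashing. */
static const char *BROKEN_LINE = "\xe7\xb3 broken \xff\xfe bytes";

/* Try the locale from the report first, then common fallbacks (assumption),
 * so the harness still runs where de_DE.UTF-8 is not generated. */
static const char *select_locale(void)
{
    static const char *candidates[] = { "de_DE.UTF-8", "C.UTF-8", "en_US.UTF-8", "C" };
    size_t i;
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (setlocale(LC_ALL, candidates[i]) != NULL)
            return candidates[i];
    return NULL;
}

/* Compile URL_PATTERN and run it over one line.
 * Returns 1 and fills *start/*end (byte offsets) on a match, 0 on no match,
 * -1 if the pattern does not compile. */
static int find_url(const char *line, int *start, int *end)
{
    regex_t rx;
    regmatch_t pmatch[1];
    char errbuf[128];
    int rc;

    select_locale();
    rc = regcomp(&rx, URL_PATTERN, REG_EXTENDED);
    if (rc != 0) {
        regerror(rc, &rx, errbuf, sizeof errbuf);
        fprintf(stderr, "regcomp: %s\n", errbuf);
        return -1;
    }
    rc = regexec(&rx, line, 1, pmatch, 0);
    regfree(&rx);
    if (rc != 0)
        return 0;
    *start = (int)pmatch[0].rm_so;
    *end = (int)pmatch[0].rm_eo;
    return 1;
}

/* Thin wrappers so a caller can check offsets directly; -1 means no match. */
static int url_match_start(const char *line)
{
    int s, e;
    return find_url(line, &s, &e) == 1 ? s : -1;
}

static int url_match_end(const char *line)
{
    int s, e;
    return find_url(line, &s, &e) == 1 ? e : -1;
}

int main(void)
{
    int s, e;
    const char *loc = select_locale();
    printf("locale: %s\n", loc ? loc : "(none)");
    if (find_url(SAMPLE_LINE, &s, &e) == 1)
        printf("URL at bytes %d..%d: %.*s\n", s, e, e - s, SAMPLE_LINE + s);
    else
        printf("no URL in sample line\n");
    printf("broken line: %s\n",
           find_url(BROKEN_LINE, &s, &e) == 1 ? "match" : "no match");
    return 0;
}
```

Running it under the same LANG and libc as the crashing mutt, and swapping SAMPLE_LINE for the exact line the pager handed to regexec, separates the two hypotheses the report leaves open: a crash here implicates libc's regex code for that locale and input, while a clean run here makes the overwritten color_line (a stack address, 0xbfffdbff, rather than a heap node of the ColorBodyLists list) the thing to chase in mutt's pager.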


