
Bug#733622: bogofilter: Crash on several emails with realloc(): invalid next size



Some good news,

On Debian sid there is no problem.

root@b484630d40e2:~/bogofilter-1.2.4/src# ./bogofilter -v -u -I mbox.PB
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4


On Wed, 22 Oct 2014 14:49:12 +0200 Mathieu Goulin <mathieu.goulin@gadz.org> wrote:
> Hi,
>
> I'm able to reproduce the bug with the trunk version of bogofilter. It
> seems to be a problem in memory management when converting strings to UTF-8.
>
> When I build bogofilter with the configure option "--disable-unicode",
> bogofilter doesn't crash.
>
> *The result with gdb:*
> *** Error in `/root/bogofilter-code/bogofilter/src/bogofilter': realloc():
> invalid next size: 0x0000000000662e50 ***
>
> Program received signal SIGABRT, Aborted.
> 0x00007ffff6d3d077 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> #0 0x00007ffff6d3d077 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1 0x00007ffff6d3e458 in __GI_abort () at abort.c:89
> #2 0x00007ffff6d7afb4 in __libc_message (do_abort=do_abort@entry=1,
> fmt=fmt@entry=0x7ffff6e6dbc0 "*** Error in `%s': %s: 0x%s ***\n") at
> ../sysdeps/posix/libc_fatal.c:175
> #3 0x00007ffff6d8078e in malloc_printerr (action=1, str=0x7ffff6e69d82
> "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4996
> #4 0x00007ffff6d8356b in _int_realloc (av=av@entry=0x7ffff70aa620
> <main_arena>, oldp=oldp@entry=0x662e40, oldsize=oldsize@entry=32928,
> nb=nb@entry=32976) at malloc.c:4234
> #5 0x00007ffff6d84569 in __GI___libc_realloc (oldmem=0x662e50,
> bytes=32968) at malloc.c:3029
> #6 0x000000000040a830 in yyrealloc (size=<optimized out>, ptr=<optimized
> out>) at lexer_v3.c:4044
> #7 yy_get_next_buffer () at lexer_v3.c:3204
> #8 yylex () at lexer_v3.c:3005
> #9 0x000000000040f5ca in parse_new_token (token=0x7fffffffead0) at
> token.c:206
> #10 get_token (token=token@entry=0x7fffffffead0) at token.c:153
> #11 0x0000000000405f31 in collect_words (wh=wh@entry=0x63e740) at
> collect.c:48
> #12 0x00000000004029e6 in bogofilter (argc=argc@entry=0, argv=<optimized
> out>) at bogofilter.c:97
> #13 0x0000000000404957 in bogomain (argc=argc@entry=4,
> argv=argv@entry=0x7fffffffec88)
> at bogomain.c:67
> #14 0x00000000004027a4 in main (argc=4, argv=0x7fffffffec88) at main.c:31
>
>
> *The result with valgrind:*
>
> ==4663== Invalid write of size 1
> ==4663== at 0x5B8815C: internal_utf8_loop (loop.c:331)
> ==4663== by 0x5B8815C: __gconv_transform_internal_utf8 (skeleton.c:611)
> ==4663== by 0x5B88D98: __gconv_transform_utf8_internal (skeleton.c:674)
> ==4663== by 0x5B83DB9: __gconv (gconv.c:79)
> ==4663== by 0x5B83358: iconv (iconv.c:52)
> ==4663== by 0x41BFC7: convert (iconvert.c:91)
> ==4663== by 0x41C1DD: iconvert (iconvert.c:196)
> ==4663== by 0x409977: get_decoded_line (lexer.c:226)
> ==4663== by 0x409C19: yyinput (lexer.c:327)
> ==4663== by 0x40BE46: yy_get_next_buffer (lexer_v3.c:3176)
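
The valgrind trace above shows iconv() writing one byte past the end of an allocation; glibc's iconv() only writes within the `outbytesleft` it is given, so an invalid write inside it points at a caller that reported more room than the buffer really had. As an added illustration (not bogofilter's code, and not a claim about where its bug is), here is a conversion loop that keeps `outbytesleft` equal to the true remaining room and grows the buffer on E2BIG; the function names and the Latin-1 sample input are constructed for the example.

```c
#include <errno.h>
#include <iconv.h>
#include <stdlib.h>
#include <string.h>

/* Convert `in` (inlen bytes, stateless charset `from`) to UTF-8 in a heap
 * buffer grown on E2BIG. Invariant: outleft is always exactly the room left
 * in `out`, so iconv() can never write past the allocation. Returns a
 * NUL-terminated malloc'd string (caller frees) or NULL on error. */
char *to_utf8(const char *from, const char *in, size_t inlen, size_t *outlen)
{
    iconv_t cd = iconv_open("UTF-8", from);
    if (cd == (iconv_t)-1)
        return NULL;
    size_t cap = 8, inleft = inlen, used = 0;  /* tiny cap: exercises growth */
    char *out = malloc(cap), *tmp, *inp = (char *)in;  /* iconv wants char** */
    while (out && inleft > 0) {
        char *outp = out + used;
        size_t outleft = cap - used;           /* true remaining room */
        size_t r = iconv(cd, &inp, &inleft, &outp, &outleft);
        used = cap - outleft;                  /* advance by bytes written */
        if (r != (size_t)-1) break;            /* all input consumed */
        if (errno != E2BIG) {                  /* EILSEQ/EINVAL: bad input */
            free(out); out = NULL; break;
        }
        cap *= 2;                              /* out of room: grow, resume */
        tmp = realloc(out, cap);
        if (!tmp) free(out);
        out = tmp;
    }
    iconv_close(cd);
    if (!out) return NULL;
    tmp = realloc(out, used + 1);              /* room for the terminator */
    if (!tmp) { free(out); return NULL; }
    tmp[used] = '\0';
    *outlen = used;
    return tmp;
}
/* Constructed sample: Latin-1 "café à Paris" (12 bytes) becomes 14 bytes of
 * UTF-8, overflowing the 8-byte start buffer and forcing one grow. */
int example_ok(void)
{
    const char latin1[] = "caf\xe9 \xe0 Paris";
    size_t n = 0;
    char *u = to_utf8("ISO-8859-1", latin1, sizeof latin1 - 1, &n);
    int ok = u && n == 14 && memcmp(u, "caf\xc3\xa9 \xc3\xa0 Paris", 15) == 0;
    free(u);
    return ok;
}
```

Running the same input through a version that passes a stale or overstated `outleft` is exactly the kind of defect that shows up later as "realloc(): invalid next size", because the corrupted bytes land in the next heap chunk's header rather than in the caller's buffer.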

