Bug 703156

Summary: [abrt] claws-mail-3.7.9-2.fc14: g_slist_free out of bounds / imap folder ok_flags (SIGSEGV)
Product: [Fedora] Fedora
Reporter: Patrick C. F. Ernzer <pcfe>
Component: claws-mail
Assignee: Andreas Bierfert <andreas.bierfert>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: andreas.bierfert, bugs.michael, tomspur
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:d06a13030fe696bb376aef6cf022ae2a53603120
Last Closed: 2012-08-16 12:06:28 UTC
Attachments:
File: backtrace (flags: none)

Description Patrick C. F. Ernzer 2011-05-09 13:40:14 UTC
abrt version: 1.1.18
architecture: x86_64
Attached file: backtrace, 37506 bytes
cmdline: claws-mail
component: claws-mail
Attached file: coredump, 154886144 bytes
crash_function: g_slice_free_chain_with_offset
executable: /usr/bin/claws-mail
kernel: 2.6.35.12-90.fc14.x86_64
package: claws-mail-3.7.9-2.fc14
rating: 4
reason: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
release: Fedora release 14 (Laughlin)
time: 1304942420
uid: 500

How to reproduce
-----
1. launch claws-mail
2. read some mails
3. switch to another desktop to do other work

abrt tells me claws crashed. (In other words, it worked for a while and I do not know why it crashed as I was not looking at it when it happened)

Comment 1 Patrick C. F. Ernzer 2011-05-09 13:40:17 UTC
Created attachment 497795
File: backtrace

Comment 2 Michael Schwendt 2011-05-11 16:17:33 UTC
> #0  g_slice_free_chain_with_offset (mem_size=16, mem_chain=<value optimized out>, next_offset=8) at gslice.c:942
>        current = 0x2ba47 <Address 0x2ba47 out of bounds>

Failure to free a GSList like that smells like heap corruption - and this crash in glib2's memory slice deallocator just being a side-effect. [Note that some bug reporters also see crashes in glibc's malloc, affecting various parts of Claws Mail.]


imap.c (lines 3377-3378):
          g_slist_free(IMAP_FOLDER_ITEM(item)->ok_flags);
          IMAP_FOLDER_ITEM(item)->ok_flags = NULL;

^ This makes a double-free unlikely, IMO.


etpan/imap.c (lines 1427-1479):
                  GSList *t_flags = NULL;
...
                                  if (c_flag != 0) {
                                          t_flags = g_slist_prepend(t_flags,
                                                  GUINT_TO_POINTER(c_flag));
                                  }
                          }
                  }
                  if (ok_flags)
                          *ok_flags = t_flags;
          }

^ This is where it created and filled the GSList.
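
The two observations in Comment 2, as an added, self-contained C example (not Claws Mail or GLib code, and not part of the original comment): freeing the list and then setting the field to NULL makes a repeat free through that field a no-op, while a link value such as 0x2ba47 is misaligned and so can be recognised as corrupt without being dereferenced. The `node` struct is a stand-in for GSList, and `folder_item`, `prepend`, `free_flags`, `first_bad_link` and `demo` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for GSList (assumed layout, not GLib code): next at offset 8 on x86_64. */
typedef struct node { void *data; struct node *next; } node;
typedef struct { node *ok_flags; } folder_item;

static node *prepend(node *head, uintptr_t flag) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->data = (void *)flag;      /* same idea as GUINT_TO_POINTER(c_flag) */
    n->next = head;
    return n;
}

/* Free-then-NULL as in imap.c: a repeat call through the same field frees nothing. */
static int free_flags(folder_item *item) {
    int freed = 0;
    for (node *n = item->ok_flags, *next; n; n = next, freed++) {
        next = n->next;
        free(n);
    }
    item->ok_flags = NULL;
    return freed;
}

/* Index of the first node whose next link is non-NULL and misaligned (so it
 * cannot be a heap node), or -1. The suspect link is never dereferenced. */
static int first_bad_link(const node *head) {
    int i = 0;
    for (const node *n = head; n; n = n->next, i++)
        if ((uintptr_t)n->next % _Alignof(node) != 0)
            return i;
    return -1;
}

/* Constructed scenario: a stray write puts the backtrace's 0x2ba47 into a link. */
static int demo(void) {
    folder_item item = { NULL };
    for (uintptr_t f = 1; f <= 3; f++) item.ok_flags = prepend(item.ok_flags, f);
    node *second = item.ok_flags->next, *saved = second->next;
    uintptr_t junk = 0x2ba47;
    memcpy(&second->next, &junk, sizeof junk);
    int bad = first_bad_link(item.ok_flags);     /* 1: link out of the 2nd node */
    second->next = saved;                        /* repair so the list can be freed */
    return bad == 1 && first_bad_link(item.ok_flags) == -1
        && free_flags(&item) == 3 && free_flags(&item) == 0;
}
int main(void) { return demo() ? 0 : 1; }
```

For the real program, GLib of that era honours `G_SLICE=always-malloc`, which routes slice allocations through malloc so that a memory checker such as valgrind can report the stray write where it happens rather than at the later free.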

Comment 3 Fedora End Of Life 2012-08-16 12:06:31 UTC
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping