[neomutt-devel] [PATCH] Fix crash when editing message

Jules Maselbas jmaselbas at kalray.eu
Tue Apr 23 12:45:07 CEST 2019


In some cases bail is jumped to before fp is initialized;
this leads to a segmentation fault when closing the file fp.

Signed-off-by: Jules Maselbas <jmaselbas at kalray.eu>
--- 8< ---
Steps to reproduce:
1. open mailbox
2. edit a mail
3. quit without changing anything
4. crash with segmentation fault

Output:
---NeoMutt:
Message not modified
Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x00007ffff66e3eed in fclose@@GLIBC_2.2.5 () from /lib64/libc.so.6
#1  0x00000000004bd228 in mutt_file_fclose (fp=fp at entry=0x7fffffff8d98) at mutt/file.c:155
#2  0x000000000041ffb9 in ev_message (action=action at entry=EVM_EDIT, m=m at entry=0x89b2f0, e=<optimized out>) at editmsg.c:235
#3  0x00000000004206be in mutt_ev_message (m=0x89b2f0, el=el at entry=0x7fffffffb590, action=action at entry=EVM_EDIT) at editmsg.c:270
#4  0x000000000042dabf in mutt_index_menu () at index.c:3115
#5  0x0000000000408b70 in main (argc=1, argv=<optimized out>, envp=<optimized out>) at main.c:1220
------------------------------------------
NeoMutt 20180716-1344-11488f
System: Linux 3.10.0-957.10.1.el7.x86_64 (x86_64)
ncurses: ncurses 5.9.20130511 (compiled with 5.9.20130511)
libidn: 1.28 (compiled with 1.28)
hcache backends: lmdb
cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
------------------------------------------
 editmsg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/editmsg.c b/editmsg.c
index b6679971c..530e86fe5 100644
--- a/editmsg.c
+++ b/editmsg.c
@@ -129,6 +129,7 @@ static int ev_message(enum EvMessage action, struct Mailbox *m, struct Email *e)
 
   /* Do not reuse the stat sb here as it is outdated. */
   time_t mtime = mutt_file_decrease_mtime(fname, NULL);
+  FILE *fp = NULL;
 
   mutt_edit_file(NONULL(C_Editor), fname);
 
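Review bot: Moving the declaration up only covers jumps to bail that occur after this line; please confirm there is no `goto bail` in ev_message earlier than the `mutt_file_decrease_mtime` call, otherwise `fp` would still be indeterminate when `mutt_file_fclose` runs. Declaring `FILE *fp = NULL;` at the very start of the function body would make that invariant obvious, and building with GCC's `-Wjump-misses-init` flags this class of bug at compile time.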
@@ -167,7 +168,7 @@ static int ev_message(enum EvMessage action, struct Mailbox *m, struct Email *e)
     goto bail;
   }
 
-  FILE *fp = fopen(fname, "r");
+  fp = fopen(fname, "r");
   if (!fp)
   {
     rc = -1;
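Review bot: The `goto bail;` in this hunk's leading context is one of the jumps that previously bypassed the `FILE *fp = fopen(fname, "r");` declaration, so the commit message should name the early-exit paths that were affected. Also verify that the cleanup at bail tolerates `fp == NULL` (the backtrace shows `mutt_file_fclose(&fp)` being reached), since the fix now relies on that for every early exit between the new declaration and this `fopen`.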
-- 
2.21.0.196.g041f5ea