Bug 3146 - Memory corruption when deleting a message from folder
Status: VERIFIED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Folders/IMAP
Version: 3.9.3
Hardware: PC Linux
Importance: P3 critical
Assignee: users
Reported: 2014-04-19 20:58 UTC by Aleksander Mazur
Modified: 2014-04-27 08:22 UTC

Description Aleksander Mazur 2014-04-19 20:58:56 UTC
Using claws-mail-3.9.3-1.fc20.i686
1. Click on a newly received e-mail to open it
2. Press "delete" immediately

==00:00:35:22.984 1629== Thread 1:
==00:00:35:23.031 1629== Invalid write of size 4
==00:00:35:23.031 1629==    at 0x80ECB8F: imap_change_flags (imap.c:4876)
==00:00:35:23.031 1629==    by 0x80CD4CF: folder_item_change_msg_flags (folder.c:3888)
==00:00:35:23.031 1629==    by 0x819DA09: procmsg_msginfo_unset_flags (procmsg.c:2057)
==00:00:35:23.031 1629==    by 0x81B4A4E: summary_msginfo_unset_flags (summaryview.c:3438)
==00:00:35:23.031 1629==    by 0x81B9EDB: msginfo_mark_as_read (summaryview.c:3523)
==00:00:35:23.031 1629==    by 0x81B9F9C: msginfo_mark_as_read_timeout (summaryview.c:3541)
==00:00:35:23.031 1629==    by 0x48066261: g_timeout_dispatch (gmain.c:4451)
==00:00:35:23.031 1629==    by 0x48065555: g_main_context_dispatch (gmain.c:3066)
==00:00:35:23.031 1629==    by 0x4806591F: g_main_context_iterate.isra.23 (gmain.c:3713)
==00:00:35:23.031 1629==    by 0x480659E8: g_main_context_iteration (gmain.c:3774)
==00:00:35:23.032 1629==    by 0x4372D981: gtk_main_iteration (gtkmain.c:1345)
==00:00:35:23.032 1629==    by 0x822E5D4: threaded_run (imap-thread.c:440)
==00:00:35:23.032 1629==  Address 0x451911c is 28 bytes inside a block of size 128 free'd
==00:00:35:23.032 1629==    at 0x4007BCD: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==00:00:35:23.032 1629==    by 0x4806B631: g_free (gmem.c:197)
==00:00:35:23.032 1629==    by 0x81BEAFE: summary_execute (summaryview.c:5130)
==00:00:35:23.032 1629==    by 0x81C26EF: summary_move_selected_to (summaryview.c:4570)
==00:00:35:23.032 1629==    by 0x81C2883: summary_delete_trash (summaryview.c:4450)
==00:00:35:23.032 1629==    by 0x81D05AA: toolbar_trash_cb (toolbar.c:1148)
==00:00:35:23.032 1629==    by 0x48187548: g_cclosure_marshal_VOID__VOIDv (gmarshal.c:115)
==00:00:35:23.032 1629==    by 0x48185A25: _g_closure_invoke_va (gclosure.c:840)
==00:00:35:23.032 1629==    by 0x4819FA82: g_signal_emit_valist (gsignal.c:3238)
==00:00:35:23.032 1629==    by 0x481A0B80: g_signal_emit_by_name (gsignal.c:3426)
==00:00:35:23.032 1629==    by 0x438264EB: button_clicked (gtktoolbutton.c:773)
==00:00:35:23.033 1629==    by 0x48187548: g_cclosure_marshal_VOID__VOIDv (gmarshal.c:115)

While the program hasn't crashed immediately, each such heap corruption (invalid write) may lead to a crash during one of the following calls to malloc(), like in bug 3145.

Comment 1 Colin Leroy 2014-04-20 08:23:58 UTC
Thanks, interesting find. It seems to be due to the delayed mark-as-read kicking in despite, and after, the deletion.

Comment 2 users 2014-04-21 08:02:46 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2014-04-21 10:02:04.033851311 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=2588900ab245eec48f5ccc915b29581997038d6a
Merge: e857a07 7445f4f
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 10:02:03 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=7445f4f8674ea0a02e4baff42342b0d9f7754114
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 10:01:39 2014 +0200

    Fix bug #3150, "etpan_certificate_check() leaks memory"

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=46063c48ccc0d379e546946563e5047775d62640
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 10:00:55 2014 +0200

    Fix bug #3148, "Logic error in claws_get_socket_name()"

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=f933992350613b35e5181fee532f1415e166fefb
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 10:00:25 2014 +0200

    Fix bug #3147, "verify_folderlist_xml() leaks memory"

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e240402b874071ffafe74aaffe60c177cb798567
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 09:59:11 2014 +0200

    Fix bug #3146, "Memory corruption when deleting a message from folder"
    Reference msginfo before passing to the mark_as_read_timeout deferred
    callback.

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=f69b3bab9d66372a56e19867f458c3012aefd141
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 09:57:52 2014 +0200

    Fix bug #3145, "Memory corruption in imap_disconnect_all"
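
The pattern behind this report and its fix (a deferred callback holding a borrowed pointer versus one holding its own reference), as an added example that is not Claws Mail code. All names (Msg, Timer, open_then_delete) are hypothetical, and free() is modelled by a `released` flag so the stale access is detected instead of performed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the message object; not the Claws Mail struct. */
typedef struct {
    int refcnt;
    unsigned flags;   /* bit 0 = UNREAD */
    int released;     /* set where a real program would call free() */
} Msg;

typedef struct { Msg *msg; } Timer;   /* one pending deferred callback */

static Msg *msg_new(void) {
    Msg *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->refcnt = 1;                    /* reference owned by the summary view */
    m->flags = 1u;
    return m;
}
static Msg *msg_ref(Msg *m) { m->refcnt++; return m; }
static void msg_unref(Msg *m) {
    if (--m->refcnt == 0) m->released = 1;   /* quarantined, freed by the caller */
}

/* Schedule mark-as-read. with_ref=1 takes a reference for the callback. */
static void timer_arm(Timer *t, Msg *m, int with_ref) {
    t->msg = with_ref ? msg_ref(m) : m;
}

/* Returns 0 if the flag write was safe, -1 if it targets released memory. */
static int timer_fire(Timer *t, int with_ref) {
    int rc = 0;
    if (t->msg->released) rc = -1;    /* the "Invalid write" case in the trace */
    else t->msg->flags &= ~1u;        /* clear UNREAD */
    if (with_ref) msg_unref(t->msg);  /* callback drops its own reference */
    return rc;
}

/* Open a message, delete it at once, then let the timeout fire. */
static int open_then_delete(int with_ref) {
    Msg *m = msg_new();
    Timer t = { 0 };
    timer_arm(&t, m, with_ref);
    msg_unref(m);                     /* delete: the view drops its reference */
    int rc = timer_fire(&t, with_ref);
    int leaked = !m->released;        /* every reference must be gone by now */
    free(m);
    return leaked ? -2 : rc;
}

int main(void) {
    printf("borrowed pointer: %d\n", open_then_delete(0));
    printf("own reference:    %d\n", open_then_delete(1));
    return 0;
}
```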
