search

karelzak / mutt-kz

mutt-kz is DEPRECATED in favor of neomutt project.
https://neomutt.org
Other
296 stars 51 forks source link

use-after-free in sidebar.c #43

Closed kholia closed 11 years ago

kholia commented 11 years ago 
==14975==ERROR: AddressSanitizer: heap-use-after-free on address ...
READ of size 12 at 0x6040003611a9 thread T0
    #0 0x42cc15 in strlen ??:?
    #1 0x8763b5 in draw_sidebar /home/user/repos/mutt-kz/sidebar.c:340
    #2 0x50a9b8 in mutt_index_menu /scratch/repos/mutt-kz/curs_main.c:607
    #3 0x631d1d in main /scratch/repos/mutt-kz/main.c:1056
    #4 0x3193c21a04 in ?? ??:0
    #5 0x43cd2c in _start ??:?
0x6040003611a9 is located 25 bytes inside of 37-byte region ...
freed by thread T0 here:
    #0 0x42ebe4 in free ??:?
    #1 0x87510e in draw_sidebar /home/user/repos/mutt-kz/sidebar.c:304
    #2 0x50a9b8 in mutt_index_menu /scratch/repos/mutt-kz/curs_main.c:607
    #3 0x631d1d in main /scratch/repos/mutt-kz/main.c:1056
    #4 0x3193c21a04 in ?? ??:0
previously allocated by thread T0 here:
    #0 0x42ecc4 in __interceptor_malloc ??:?
    #1 0x3193c85d71 in ?? ??:0

Problematic code from sidebar.c

https://github.com/karelzak/mutt-kz/blob/master/sidebar.c#L302 https://github.com/karelzak/mutt-kz/blob/master/sidebar.c#L339

               base_name = basename(safe_path);
               free(safe_path);
               ...
                       if (sidebar_folder_depth + strlen(base_name) ...

"man 3 basename" says 


char *basename(char *path);

DESCRIPTION
       ...
       These  functions may return pointers to statically allocated memory which may
       be overwritten by subsequent calls.  Alternatively, they may return a pointer
       to  some  part  of path, so that the string referred to by path should not be
       modified or freed until the pointer returned by the  function  is  no  longer
       required.

Commenting out "free(safe_path);" line is a temporary workaround which works.

I am running Fedora 18 64-bit.

pjps commented 11 years ago

Glibc basename(3) returns pointer to/within the safe_path -> http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=string/basename.c;hb=HEAD

karelzak commented 11 years ago

All the stuff around basename seems unnecessary. Please, git pull -- the problem should be fixed now.