From: Todd Date: Sat, 17 Jan 2015 15:51:46 +0000 (+1800) Subject: [PATCH v1 2/2] lib: Fix use after free X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=32f3895ca43c316410876a6be24e895d48f6950a;p=notmuch-archives.git [PATCH v1 2/2] lib: Fix use after free --- diff --git a/b0/6e3403d1261ee0e59495db34c773ba3fb835cc b/b0/6e3403d1261ee0e59495db34c773ba3fb835cc new file mode 100644 index 000000000..5b3beb3ca --- /dev/null +++ b/b0/6e3403d1261ee0e59495db34c773ba3fb835cc 
@@ -0,0 +1,107 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 0F739431FC2 + for ; Sat, 17 Jan 2015 07:52:33 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 2.438 +X-Spam-Level: ** +X-Spam-Status: No, score=2.438 tagged_above=-999 required=5 + tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id 2j-YysQZrD1X for ; + Sat, 17 Jan 2015 07:52:29 -0800 (PST) +Received: from s75.web-hosting.com (s75.web-hosting.com [198.187.31.9]) + (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) + (No client certificate requested) + by olra.theworths.org (Postfix) with ESMTPS id 2C6A5431FD7 + for ; Sat, 17 Jan 2015 07:52:26 -0800 (PST) +Received: from user-69-73-37-128.knology.net ([69.73.37.128]:46357 + helo=localhost.localdomain) + by server75.web-hosting.com with esmtpsa (UNKNOWN:AES128-SHA256:128) + (Exim 4.82) (envelope-from ) + id 1YCVfl-00164v-Ap; Sat, 17 Jan 2015 10:52:25 -0500 +From: Todd +To: notmuch@notmuchmail.org +Subject: [PATCH v1 2/2] lib: Fix use after free +Date: Sat, 17 Jan 2015 09:51:46 -0600 +Message-Id: <1421509906-2153-3-git-send-email-todd@electricoding.com> +X-Mailer: git-send-email 1.9.1 +In-Reply-To: <1421509906-2153-1-git-send-email-todd@electricoding.com> +References: <1421509906-2153-1-git-send-email-todd@electricoding.com> +X-AntiAbuse: This header was added to track abuse, + please include it with any abuse report +X-AntiAbuse: Primary Hostname - server75.web-hosting.com +X-AntiAbuse: Original Domain - notmuchmail.org +X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] +X-AntiAbuse: Sender Address Domain - electricoding.com +X-Get-Message-Sender-Via: server75.web-hosting.com: authenticated_id: + 
todd@electricoding.com +X-Source: +X-Source-Args: +X-Source-Dir: +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Sat, 17 Jan 2015 15:52:33 -0000 + +_thread_set_subject_from_message sometimes replaces the subject, making the +cur_subject point to free'd memory + +==6550== ERROR: AddressSanitizer: heap-use-after-free on address 0x601a0000bec0 at pc 0x4464a4 bp 0x7fffa40be910 sp 0x7fffa40be908 +READ of size 1 at 0x601a0000bec0 thread T0 + #0 0x4464a3 in _thread_add_matched_message /home/todd/.apps/notmuch/lib/thread.cc:369 + #1 0x443c2c in notmuch_threads_get /home/todd/.apps/notmuch/lib/query.cc:496 + #2 0x41d947 in do_search_threads /home/todd/.apps/notmuch/notmuch-search.c:131 + #3 0x40a3fe in main /home/todd/.apps/notmuch/notmuch.c:345 + #4 0x7f4e535b4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 + #5 0x40abe6 in _start ??:? +0x601a0000bec0 is located 96 bytes inside of 134-byte region [0x601a0000be60,0x601a0000bee6) +freed by thread T0 here: + #0 0x7f4e54e6933a in __interceptor_free ??:? + #1 0x7f4e54482fab in _talloc_free ??:? +previously allocated by thread T0 here: + #0 0x7f4e54e6941a in malloc ??:? + #1 0x7f4e54485b5d in talloc_strdup ??:? +--- + lib/thread.cc | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/thread.cc b/lib/thread.cc +index 4c49f98..9847cf8 100644 +--- a/lib/thread.cc ++++ b/lib/thread.cc +@@ -353,10 +353,8 @@ _thread_add_matched_message (notmuch_thread_t *thread, + { + time_t date; + notmuch_message_t *hashed_message; +- const char *cur_subject; + + date = notmuch_message_get_date (message); +- cur_subject = notmuch_thread_get_subject(thread); + + if (date < thread->oldest || ! 
thread->matched_messages) { + thread->oldest = date; +@@ -366,6 +364,7 @@ _thread_add_matched_message (notmuch_thread_t *thread, + + if (date > thread->newest || ! thread->matched_messages) { + thread->newest = date; ++ const char *cur_subject = notmuch_thread_get_subject(thread); + if (sort != NOTMUCH_SORT_OLDEST_FIRST || EMPTY_STRING(cur_subject)) + _thread_set_subject_from_message (thread, message); + } +-- +1.9.1 +
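Review bot: in the first lib/thread.cc hunk (@@ -353,10 +353,8 @@), removing the early `cur_subject = notmuch_thread_get_subject(thread);` at the top of `_thread_add_matched_message` takes away the stale pointer, but the patch carries no regression test: the diffstat lists only lib/thread.cc. The AddressSanitizer trace in the message reaches the bad read through `do_search_threads` and `notmuch_threads_get`. A test that drives a thread search down that path under a sanitizer build, on a thread whose subject gets replaced, would keep this from coming back unnoticed. The "freed by" stack in the report also stops at `_talloc_free`, so stating in the commit message which call site frees the old subject would make the fix easier to verify.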
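Review bot: in the second lib/thread.cc hunk (@@ -366,6 +364,7 @@), the added line `const char *cur_subject = notmuch_thread_get_subject(thread);` declares a variable after the statement `thread->newest = date;` and leaves out the space before the parenthesis that the surrounding calls use, as in `_thread_set_subject_from_message (thread, message)` and `notmuch_message_get_date (message)`. Suggest writing it as `notmuch_thread_get_subject (thread)` and placing the declaration first in the block. A one-line comment would also help, saying that the subject is fetched immediately before use because `_thread_set_subject_from_message` can replace and free it, as the commit message describes. That would stop a later cleanup from hoisting the lookup back to the top of the function.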