evolution crashes when trying to forward email with strange subject encoding

Bug #16000 reported by Allison Karlitskaya

Affects: evolution (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Sebastien Bacher

Bug Description

** Filed upstream as bug #300679 **

From <email address hidden> Thu Apr 14 08:28:24 2005
From: "Outlook User" <email address hidden>
To: anyone <nobody@nowhere>
Subject: =?Windows-1252?Q?Fw:_An_Evil_Subject=85?=
Date: Thu, 14 Apr 2005 08:31:13 -0400
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441

This message causes evolution to crash on forwarding.

If you put the above data into a mbox file and import it into Evolution you
should import a single message. If you go to it and click "Forward" evolution
crashes.

The crash appears to be related to the strange =?Windows-1252?Q? encoding in the
subject line. If you take this away, the crash no longer occurs.

Evolution is Ubuntu-packaged 2.2.1.1.

Here's the important part of the trace from gdb:

#4 <signal handler called>
#5 0xb7a786e9 in strcasecmp () from /lib/tls/i686/cmov/libc.so.6
#6 0xb7ed2d2d in camel_header_format_ctext () from /usr/lib/libcamel-1.2.so.0
#7 0xb7ed3151 in camel_header_encode_string () from /usr/lib/libcamel-1.2.so.0
#8 0xb7ed0392 in camel_mime_part_set_description () from /usr/lib/libcamel-1.2.so.0
#9 0xb67bb7f7 in mail_tool_make_message_attachment () from /usr/lib/evolution/2.2/components/libevolution-mail.so
#10 0xb67b4740 in mail_get_folderinfo () from /usr/lib/evolution/2.2/components/libevolution-mail.so
#11 0xb67b58ae in mail_get_message () from /usr/lib/evolution/2.2/components/libevolution-mail.so
#12 0xb67b07ac in mail_cancel_all () from /usr/lib/evolution/2.2/components/libevolution-mail.so
#13 0xb6cd5eb1 in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#14 0xb6cb2d0f in g_main_depth () from /usr/lib/libglib-2.0.so.0
#15 0xb6cb3cb5 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb6cb3fd7 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb6cb451e in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#18 0xb745f6f3 in bonobo_main () from /usr/lib/libbonobo-2.so.0
#19 0x08066e8c in main ()

Cheers

http://bugzilla.gnome.org/show_bug.cgi?id=114215

Allison Karlitskaya (desrt) wrote:

Created an attachment (id=2120)
duct tape fix

Ok. As mentioned upstream, the problem is due to a function returning an
unchecked NULL, and then that NULL being passed to another function which
passes it directly to strcasecmp.

Here's a duct tape fix to check for non-NULL before strcasecmp is called. It's
not the best fix, but it's made with the aim of changing as little as humanly
possible (so as not to introduce new bugs). I'm posting the patch here instead of
upstream for this reason (since upstream will probably want to fix it
properly).

The only case in which the behaviour of the program changes (at all) is the one
where 'type' is NULL (in which case the program used to crash), so I think this
patch is 100% regression-free.
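The failure pattern described in the report and in this comment, shown as an added example that is not Camel's code or the attached patch: a small RFC 2047 encoded-word parser that returns NULL for a malformed word, the unchecked strcasecmp call that crashes on that NULL, and the NULL-checked form the comment describes. The parser, the `type` parameter name (taken from the comment) and the UTF-8 comparison are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Extract the charset from an RFC 2047 encoded word "=?charset?Q?text?=".
 * Returns a malloc'd copy, or NULL when the token is not a well-formed
 * encoded word. This is the "function returning an unchecked NULL" case;
 * the parser itself is a constructed example, not Camel's. */
char *encoded_word_charset(const char *word)
{
    const char *start, *end;
    char *cs;

    if (word == NULL || strncmp(word, "=?", 2) != 0)
        return NULL;
    start = word + 2;
    end = strchr(start, '?');
    if (end == NULL || end == start)      /* no charset, e.g. "=??Q?x?=" */
        return NULL;
    cs = malloc((size_t)(end - start) + 1);
    if (cs == NULL)
        return NULL;
    memcpy(cs, start, (size_t)(end - start));
    cs[end - start] = '\0';
    return cs;
}

/* Pattern from the backtrace: 'type' is handed straight to strcasecmp.
 * Calling this with type == NULL is the crash. */
int is_utf8_unchecked(const char *type)
{
    return strcasecmp(type, "UTF-8") == 0;
}

/* Duct-tape fix from the comment: only the NULL case changes behaviour. */
int is_utf8_checked(const char *type)
{
    return type != NULL && strcasecmp(type, "UTF-8") == 0;
}

/* Classify a subject token: 1 = UTF-8 encoded word, 0 = other charset,
 * -1 = not a well-formed encoded word (the input that used to crash). */
int classify_subject_word(const char *word)
{
    char *cs = encoded_word_charset(word);
    int r = (cs == NULL) ? -1 : is_utf8_checked(cs);

    free(cs);
    return r;
}
```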

Sebastien Bacher (seb128) wrote:

right, crashes here too

Sebastien Bacher (seb128) wrote:

this upload fixes the crash, thanks for the patch:

 evolution-data-server (1.2.2-2ubuntu2) breezy; urgency=low
 .
   * debian/patches/05_encodingcrashfix.patch:
     - patch from Ryan Lortie <email address hidden> to not crash when forwarding
       an email with a broken encoding.

Sebastien Bacher (seb128) wrote:

*** Bug 21723 has been marked as a duplicate of this bug. ***

Albert Vilella (avilella) wrote:

Happens to me also, in this case with an email sent from:

User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)

with subject:

Subject: Re: nou set =?UTF-8?B?77+9?=

Here the bt:

Backtrace was generated from '/usr/bin/evolution'

