evolution crashed with SIGSEGV in imap_parse_body()

Bug #554367 reported by John Dandison
This bug affects 3 people
Affects             Status        Importance  Assigned to  Milestone
Evolution           Fix Released  Critical
evolution (Ubuntu)  Fix Released  Medium      Unassigned
  Lucid             Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: evolution

Occurs opening HTML email containing internet images via IMAP account.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: evolution 2.28.3-0ubuntu8
ProcVersionSignature: Ubuntu 2.6.32-19.28-generic 2.6.32.10+drm33.1
Uname: Linux 2.6.32-19-generic x86_64
Architecture: amd64
CrashCounter: 1
Date: Fri Apr 2 22:06:22 2010
ExecutablePath: /usr/bin/evolution
ProcCmdline: evolution
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x7f728130a393: movzbl (%rax),%edx
 PC (0x7f728130a393) ok
 source "(%rax)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evolution
StacktraceTop:
 ?? ()
 ?? ()
 imap_parse_body ()
 ?? ()
 camel_folder_get_message ()
Title: evolution crashed with SIGSEGV in imap_parse_body()
UserGroups: adm admin cdrom dialout lpadmin nopasswdlogin plugdev sambashare

John Dandison (jdandison) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 imap_body_decode (in=0x7f72777fdbc8, ci=0x10a4c80,
 imap_body_decode (in=0x7f72777fdc18, ci=0x10a4880,
 imap_parse_body (body_p=0x7f72777fdc90,
 imap_get_message (folder=0xe9f9b0,
 camel_folder_get_message (folder=0xe9f9b0,

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in evolution (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
visibility: private → public
Pedro Villavicencio (pedro) wrote :

is this still an issue with latest package there?

Changed in evolution (Ubuntu):
status: New → Incomplete
Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in evolution (Ubuntu):
status: Incomplete → Invalid
EliotBlennerhassett (eliot-blennerhassett) wrote :

The problem is still present with current evolution
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb151cb70 (LWP 8011)]
0x02ac2ea5 in imap_body_decode (in=<value optimised out>, ci=0x88184e0, folder=0x838f460, cis=0x86a3e48)
    at camel-imap-utils.c:928
928 camel-imap-utils.c: No such file or directory.
 in camel-imap-utils.c
(gdb) bt
#0 0x02ac2ea5 in imap_body_decode (in=<value optimised out>, ci=0x88184e0, folder=0x838f460, cis=0x86a3e48)
    at camel-imap-utils.c:928
#1 0x02ac32fc in imap_parse_body (body_p=0xb151c168, folder=0x838f460, ci=0x88184e0) at camel-imap-utils.c:1114
#2 0x02ab2982 in imap_get_message (folder=0x838f460, uid=0x8653950 "171290", ex=0x8660104) at camel-imap-folder.c:2998
#3 0x00341a26 in camel_folder_get_message (folder=0x838f460, uid=0x8653950 "171290", ex=0x8660104)
    at camel-folder.c:1121

Changed in evolution (Ubuntu):
status: Invalid → New
John Dandison (jdandison) wrote :

Here's the gdb output - crash still occurs for me:

Starting program: /usr/bin/evolution
[Thread debugging using libthread_db enabled]
[New Thread 0xb7de9b70 (LWP 17643)]
[Thread 0xb7de9b70 (LWP 17643) exited]
[New Thread 0xb7de9b70 (LWP 17644)]
[New Thread 0xb75e8b70 (LWP 17645)]
[New Thread 0xb6bffb70 (LWP 17646)]
[New Thread 0xb63feb70 (LWP 17647)]
[New Thread 0xb5bfdb70 (LWP 17648)]
[New Thread 0xb53fcb70 (LWP 17649)]
[Thread 0xb53fcb70 (LWP 17649) exited]
[New Thread 0xb53fcb70 (LWP 17650)]
[New Thread 0xb402bb70 (LWP 17651)]
[New Thread 0xb382ab70 (LWP 17652)]
[New Thread 0xb3029b70 (LWP 17653)]
[New Thread 0xb271db70 (LWP 17654)]
[Thread 0xb382ab70 (LWP 17652) exited]
[Thread 0xb6bffb70 (LWP 17646) exited]
[Thread 0xb271db70 (LWP 17654) exited]
[New Thread 0xb271db70 (LWP 17658)]
[New Thread 0xb6bffb70 (LWP 17659)]
[New Thread 0xb382ab70 (LWP 17660)]
[Thread 0xb6bffb70 (LWP 17659) exited]
[Thread 0xb402bb70 (LWP 17651) exited]
[New Thread 0xb402bb70 (LWP 17661)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb402bb70 (LWP 17661)]
0x02ad5ea5 in ?? ()
   from /usr/lib/evolution-data-server-1.2/camel-providers/libcamelimap.so

Thread 17 (Thread 0xb402bb70 (LWP 17661)):
#0 0x02ad5ea5 in ?? ()
   from /usr/lib/evolution-data-server-1.2/camel-providers/libcamelimap.so
#1 0x02ad62fc in imap_parse_body ()
   from /usr/lib/evolution-data-server-1.2/camel-providers/libcamelimap.so
#2 0x02ac5982 in ?? ()
   from /usr/lib/evolution-data-server-1.2/camel-providers/libcamelimap.so
#3 0x00341a26 in camel_folder_get_message ()
   from /usr/lib/libcamel-provider-1.2.so.14
#4 0x026b7fe3 in ?? ()
   from /usr/lib/evolution/2.28/libevolution-mail-shared.so.0
#5 0x026bcaa0 in ?? ()
   from /usr/lib/evolution/2.28/libevolution-mail-shared.so.0
#6 0x0166cd0c in ?? () from /lib/libglib-2.0.so.0
#7 0x0166adef in ?? () from /lib/libglib-2.0.so.0
#8 0x0086096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#9 0x0179ca4e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 16 (Thread 0xb382ab70 (LWP 17660)):
#0 0x0012d422 in __kernel_vsyscall ()
#1 0x00865342 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
#2 0x015f30ce in ?? () from /usr/lib/libgthread-2.0.so.0
#3 0x0161abbc in ?? () from /lib/libglib-2.0.so.0
#4 0x0166cd53 in ?? () from /lib/libglib-2.0.so.0
#5 0x0166adef in ?? () from /lib/libglib-2.0.so.0
#6 0x0086096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#7 0x0179ca4e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 14 (Thread 0xb271db70 (LWP 17658)):
#0 0x0012d422 in __kernel_vsyscall ()
#1 0x00865342 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
#2 0x015f30ce in ?? () from /usr/lib/libgthread-2.0.so.0
#3 0x0161abbc in ?? () from /lib/libglib-2.0.so.0
#4 0x0166cd53 in ?? () from /lib/libglib-2.0.so.0
#5 0x0166adef in ?? () from /lib/libglib-2.0.so.0
#6 0x0086096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#7 0x0179ca4e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 12 (Thread 0xb3029b70 (LWP 17653)):
#0 0x0012d422 in __kernel_vsyscall ()
#1 0x00865015 in pthread_...


EliotBlennerhassett (eliot-blennerhassett) wrote :

More debug info. I built a debug version of evolution-data-server from source.
cd evolution-data-server-2.28.3.1
DEB_BUILD_OPTIONS=nostrip,noopt dpkg-buildpackage -rfakeroot -uc -us
dpkg -i

camel-imap-utils.c line 715
imap_parse_string_generic(&str_p,...) (and therefore imap_parse_string()) can set str_p to NULL!

This is called from imap_body_decode(), where it returns NULL AND sets inptr to NULL
Then, a little further on at line 928, inptr is dereferenced :(

line 918
  if (g_ascii_strncasecmp (inptr, "nil", 3) != 0) {
    subtype = imap_parse_string (&inptr, &len);
  } else {
    subtype = NULL;
    inptr += 3;
  }

  ctype = camel_content_type_new ("multipart", subtype ? subtype : "mixed");
  g_free (subtype);

line 928:
  if (*inptr++ != ')') {
    camel_content_type_unref (ctype);
    return NULL;
  }

So, I can see there is a bug, just guessing here...
every other call to imap_parse_string() is followed by
 if (inptr == NULL)
  return NULL;

Maybe adding it to this one will fix the issue.
...
Works for me!

tags: added: patch
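The NULL-propagation path described in the comment above, reduced to a stand-alone C model. This is an added example, not code from evolution-data-server or from the commenter: model_parse_string stands in for imap_parse_string() and, like the real function as the comment describes it, sets the caller's pointer to NULL on a token it cannot parse (IMAP literals are left out of the model); unguarded_would_fault replays the camel-imap-utils.c:918 sequence and reports whether the following `*inptr++ != ')'` would read through NULL; parse_multipart_tail is the same sequence with the `inptr == NULL` check that the other call sites already carry. The BODYSTRUCTURE tails in main are constructed inputs illustrating the malformed class, not the message that crashed the reporters.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of parsing the tail of a multipart BODYSTRUCTURE entry:
 * the subtype token followed by the closing ')'. */
enum tail_result { TAIL_OK = 0, TAIL_BAD_SUBTYPE = 1, TAIL_BAD_CLOSE = 2 };

/* Case-insensitive test for the three-byte NIL atom; short-circuits on NUL
 * so it is safe on inputs shorter than three bytes. */
static int is_nil_token(const char *p)
{
    return (p[0] == 'n' || p[0] == 'N') &&
           (p[1] == 'i' || p[1] == 'I') &&
           (p[2] == 'l' || p[2] == 'L');
}

/* Stand-in for imap_parse_string() (a model, not the libcamel code). Accepts
 * a quoted string at *str_p, returns a malloc'd copy and advances *str_p past
 * the closing quote. On any other token it returns NULL and, like the real
 * function the thread describes, also sets *str_p to NULL. */
static char *model_parse_string(const char **str_p, size_t *len)
{
    const char *p = *str_p;
    if (*p != '"') { *str_p = NULL; return NULL; }
    const char *start = ++p;
    while (*p && *p != '"') p++;
    if (*p != '"') { *str_p = NULL; return NULL; }   /* unterminated */
    *len = (size_t)(p - start);
    char *out = malloc(*len + 1);
    if (!out) { *str_p = NULL; return NULL; }
    memcpy(out, start, *len);
    out[*len] = '\0';
    *str_p = p + 1;
    return out;
}

/* The camel-imap-utils.c:918 sequence: a quoted subtype goes through the
 * string parser, NIL is skipped by three bytes. After this returns, *inptr
 * may be NULL; the returned subtype is NULL both for NIL and for a parse
 * failure, so the return value alone cannot tell the two apart. */
static char *consume_subtype(const char **inptr)
{
    size_t len = 0;
    if (!is_nil_token(*inptr))
        return model_parse_string(inptr, &len);
    *inptr += 3;
    return NULL;
}

/* Unguarded path: returns 1 when the next statement in the original code,
 * `if (*inptr++ != ')')`, would read through a NULL pointer. This is the
 * apport SegvReason "reading NULL VMA" stated as a predicate instead of a
 * fault, so it can be exercised without crashing the process. */
int unguarded_would_fault(const char *in)
{
    const char *inptr = in;
    char *subtype = consume_subtype(&inptr);
    free(subtype);
    return inptr == NULL;
}

/* Guarded path: the `if (inptr == NULL) return NULL;` that follows every
 * other imap_parse_string() call in the file, placed before the dereference.
 * On TAIL_OK *subtype_out receives the malloc'd subtype, or NULL for NIL
 * (which the original maps to "mixed"); the caller frees it. */
enum tail_result parse_multipart_tail(const char *in, char **subtype_out)
{
    const char *inptr = in;
    char *subtype = consume_subtype(&inptr);
    if (inptr == NULL) {                 /* the added check */
        free(subtype);
        return TAIL_BAD_SUBTYPE;
    }
    if (*inptr++ != ')') {
        free(subtype);
        return TAIL_BAD_CLOSE;
    }
    if (subtype_out)
        *subtype_out = subtype;
    else
        free(subtype);
    return TAIL_OK;
}

int main(void)
{
    /* Constructed BODYSTRUCTURE tails: the first two are well formed, the
     * others are the malformed class the thread describes (a subtype token
     * that is neither a quoted string nor NIL). Not the reporters' message. */
    const char *samples[] = { "\"MIXED\")", "NIL)", "BOGUS)", "\"unterminated" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *subtype = NULL;
        enum tail_result r = parse_multipart_tail(samples[i], &subtype);
        printf("%-16s unguarded faults: %d  guarded result: %d  subtype: %s\n",
               samples[i], unguarded_would_fault(samples[i]), (int)r,
               subtype ? subtype : "(nil)");
        free(subtype);
    }
    return 0;
}
```

Build with `cc -Wall -Wextra example.c && ./a.out`. The point the model makes is the one the comment makes: a NULL return from the string parser is ambiguous (NIL or failure), so the only reliable signal of failure is the pointer it writes back, and that pointer has to be checked before the `*inptr++` that follows.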
John Dandison (jdandison) wrote :

Seems fixed in 10.10 (Evo 2.30)

Pedro Villavicencio (pedro) wrote :

could somebody else confirm that it is fixed on Maverick now?

Changed in evolution (Ubuntu):
status: New → Incomplete
Omer Akram (om26er) wrote :

Closing this bug as Fix Released. If anyone still faces this issue in Ubuntu 10.10, feel free to open this bug again by setting the status to 'New'.

Changed in evolution (Ubuntu):
status: Incomplete → Fix Released
EliotBlennerhassett (eliot-blennerhassett) wrote :

This bug was raised against 10.04 LTS. Can you point me to when/where it was fixed in 10.04?
If it is not present in 10.10 in a different version of Evolution, great, but that doesn't magically fix it in 10.04.
If it isn't fixed in 10.04, then for me, it isn't fixed.

Omer Akram (om26er) wrote :

Eliot, can you try to reproduce this bug with evolution 2.30.3 from this ppa https://launchpad.net/~jacob/+archive/evo230, so that when we send this bug upstream we have the problem tested against a later version than 2.28.3? The latest version of evolution is 2.32, but I can't find any ppa for that version :(

Changed in evolution (Ubuntu):
status: Fix Released → New
EliotBlennerhassett (eliot-blennerhassett) wrote :

@Omer

This particular bug appears to have been fixed in evolution git:
Bug 520233 - Crash in imap_body_decode at camel-imap-utils.c:979

http://git.gnome.org/browse/evolution-data-server/commit/?id=500e0e9efd733f5e4f0923d657e2d0ed0e1dd5a5

So, I expect 10.10 is fine, would still hope to see 10.04 patched...

Omer Akram (om26er) wrote :

ok I guess the fix should be backported for Lucid then.

Changed in evolution:
importance: Unknown → Critical
status: Unknown → Fix Released
Ken VanDine (ken-vandine) wrote :

I backported the patch from upstream and uploaded to lucid-proposed.

Martin Pitt (pitti) wrote : Please test proposed package

Accepted evolution-data-server into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in evolution (Ubuntu):
status: New → Fix Released
tags: added: verification-needed
Rolf Leggewie (r0lf) wrote :

Eliot, please let us know if this package fixes the problem for you.

Bartosz Kosiorek (gang65) wrote :

I tried to reproduce the Evolution crash. I configured a gmail IMAP account and then imported eml and mbox mails.
Here are the links to the mails which cause the crash:
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/579114/+attachment/1387680/+files/evolution_segfault.eml
https://bugzilla.gnome.org/attachment.cgi?id=130782

Unfortunately I can't reproduce this bug.

Steve Langasek (vorlon) wrote :

EliotBlennerhassett, could you please confirm whether the evolution-data-server package in lucid-proposed fixes this for you? The package has been awaiting verification for 400 days so that it can be published for the benefit of our other 10.04 users affected by this bug.

If no one verifies the bug, the package will be withdrawn again from lucid-proposed.

EliotBlennerhassett (eliot-blennerhassett) wrote :

Steve Langasek

I have changed employers, and no longer have access to the IMAP server containing messages that definitely caused the crash.

I can confirm that on my currently accessible mail servers, I don't get a crash when browsing my mail. However, this isn't proof that the bug is fixed, but I'd say it probably is.

I imported the two emails mentioned by Bartosz, I can confirm they don't cause a crash.

So, yes, I'd say the fix is verified.

Steve Langasek (vorlon)
tags: added: verification-done
removed: verification-needed
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in evolution (Ubuntu Lucid):
status: New → Won't Fix