Hi Albrecht: On 06/17/2019 12:33:42 PM Mon, Albrecht Dreß wrote:
Hi all,

a reproducible crash occurs with the latest master version:

1. create a VCard address book, and configure it to resolve addresses while typing;
2. open the editor and add an entry with *only* display name and email address being set;
3. opening the composer and typing in the To: fields leads to a segfault:

<snip>
Thread 1 "balsa" received signal SIGSEGV, Segmentation fault.
0x00005555555f22c6 in is_real_name (name=0xa700000467 <error: Cannot access memory at address 0xa700000467>) at address.c:124
124	return name != NULL && name[0] != '\0';
</snip>

The crash is apparently caused by a too-short array created in libbalsa/address.c, function libbalsa_address_extract_name(), line 136 – in the case above, it contains only two valid items plus a terminating NULL item, whereas the code expects (at least) 5. The attached simple patch ensures that the array always contains 5 items.

Best,
Albrecht.
Thanks for the patch! Pushed to GitLab.

The bug was introduced in commit ce89dfa3610c4d9bf7d36967f49f72c64b51abb1; I was fixing some false positives (NULL dereference) from scan-build, and removed the checks that prevented dereferencing beyond the end of the array!

There's a deeper issue in libbalsa_address_extract_name(): it assumes that the GStrv returned by vcard_strsplit() has last name, first name, middle name, prefix, and suffix in specific positions in the array, but I don't see any basis for that assumption. Perhaps it always just works--not sure!

Best,
Peter
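The bug class discussed in this thread (fixed-position reads into a NULL-terminated string array that may be shorter than the code assumes) is easy to reproduce and to guard against. The following is an added example written for this page, not balsa's code: it uses a small hand-rolled splitter in plain C in place of glib's GStrv / vcard_strsplit(), and it assumes the vCard "N" component order Family;Given;Additional;Prefix;Suffix. The output order "Prefix Given Additional Family Suffix" is this example's own choice, and the decision to drop trailing empty fields (which is what makes the array short) is an assumption about how such an array can end up with two entries, not a statement about vcard_strsplit().

```c
/* Added example, not balsa's code. Demonstrates the unchecked
 * fixed-index read that crashes on a short NULL-terminated array, and a
 * bounds-checked rewrite that cannot read past the terminator. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* vCard "N" component positions (assumed order for this example). */
enum { N_FAMILY = 0, N_GIVEN, N_ADDITIONAL, N_PREFIX, N_SUFFIX, N_FIELDS };

/* Split s on sep into a NULL-terminated array of malloc'd strings, a
 * glib-free stand-in for g_strsplit(). Trailing empty tokens are dropped
 * (this example's assumption), so "Doe;John" and "Doe;John;;;" both
 * yield a 2-entry array plus the NULL terminator. */
static char **strv_split(const char *s, char sep)
{
    size_t cap = 8, n = 0;
    char **v = malloc(cap * sizeof *v);
    const char *start = s;
    for (;;) {
        const char *end = strchr(start, sep);
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (n + 2 > cap) { cap *= 2; v = realloc(v, cap * sizeof *v); }
        v[n] = malloc(len + 1);
        memcpy(v[n], start, len);
        v[n][len] = '\0';
        n++;
        if (!end) break;
        start = end + 1;
    }
    while (n > 0 && v[n - 1][0] == '\0') free(v[--n]);
    v[n] = NULL;
    return v;
}

static size_t strv_length(char **v) { size_t n = 0; while (v && v[n]) n++; return n; }
static void strv_free(char **v) { for (size_t i = 0; v && v[i]; i++) free(v[i]); free(v); }

/* Same test as is_real_name() in the backtrace: non-NULL and non-empty. */
static int is_real_name(const char *name) { return name != NULL && name[0] != '\0'; }

/* The unchecked pattern. On a 2-entry array parts[2] is the NULL
 * terminator and parts[3], parts[4] lie beyond the allocation; reading
 * them yields garbage pointers like the 0xa700000467 in the report.
 * Shown for contrast only; never call it on an array shorter than
 * N_FIELDS. */
int has_suffix_unchecked(char **parts)
{
    return is_real_name(parts[N_SUFFIX]);
}

/* Bounds-checked accessor: NULL for any position at or past the end. */
static const char *nth(char **v, size_t len, size_t i) { return i < len ? v[i] : NULL; }

/* Hardened version: every index is compared against strv_length() first,
 * so a 0-, 1- or 2-entry array simply contributes fewer components.
 * Writes "Prefix Given Additional Family Suffix" (example's order),
 * skipping empty components; returns the number of components used. */
static int extract_name(char **parts, char *out, size_t outlen)
{
    const size_t len = strv_length(parts);
    const size_t order[N_FIELDS] = { N_PREFIX, N_GIVEN, N_ADDITIONAL, N_FAMILY, N_SUFFIX };
    int used = 0;
    out[0] = '\0';
    for (size_t k = 0; k < N_FIELDS; k++) {
        const char *f = nth(parts, len, order[k]);
        if (!is_real_name(f)) continue;
        if (used) strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, f, outlen - strlen(out) - 1);
        used++;
    }
    return used;
}

/* Convenience wrapper: split an "N" value and build the display name. */
int display_name_for(const char *n_value, char *out, size_t outlen)
{
    char **parts = strv_split(n_value, ';');
    int used = extract_name(parts, out, outlen);
    strv_free(parts);
    return used;
}

int main(void)
{
    /* Constructed inputs: the report's two-field case and a full one. */
    const char *samples[] = { "Doe;John", "Doe;John;Q.;Dr.;Jr.", "", ";;;;Esq." };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int used = display_name_for(samples[i], buf, sizeof buf);
        printf("N:%-22s -> %d component(s): \"%s\"\n", samples[i], used, buf);
    }
    return 0;
}
```

The fix on the page pads the array to five entries; the alternative shown here is to keep whatever the splitter returns and make the consumer check `strv_length()` before indexing. Either way, the invariant a reviewer should look for is that no code path dereferences `parts[i]` for `i >= strv_length(parts)`, and that an empty component is treated as absent rather than as a valid name.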