[Dovecot] dovecot-1.1.rc3 segmentation fault in fetch_bodystructure

Diego Liziero diegoliz at gmail.com
Tue Mar 11 09:54:12 EET 2008


Hi,
another imap crash with the latest dovecot.

segmentation fault in fetch_bodystructure

src/imap/imap-fetch.c
static int fetch_bodystructure(struct imap_fetch_context *ctx,
                               struct mail *mail, void *context ATTR_UNUSED)
{
        const char *bodystructure;

        if (mail_get_special(mail, MAIL_FETCH_IMAP_BODYSTRUCTURE,
                             &bodystructure) < 0)
                return -1;

---> before the segfault here we have bodystructure=0 and
mail_get_special returns >=0
[..]

        if (o_stream_send(ctx->client->output, "BODYSTRUCTURE (", 15) < 0 ||
/*line 461*/      o_stream_send_str(ctx->client->output, bodystructure) < 0 ||

---> here o_stream_send_str calls strlen(bodystructure=0), and strlen
tries to access "Address 0x0" causing a segfault

--
 Address 0x0 is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV): dumping core
 Access not within mapped region at address 0x0
   at: strlen
   by: o_stream_send_str (ostream.c:163)
   by: fetch_bodystructure (imap-fetch.c:461)
   by: imap_fetch (imap-fetch.c:309)
   by: cmd_fetch (cmd-fetch.c:154)
   by: client_command_input (client.c:546)
   by: client_command_input (client.c:595)
   by: client_handle_input (client.c:636)
   by: client_input (client.c:691)
   by: io_loop_handler_run (ioloop-epoll.c:201)
   by: io_loop_run (ioloop.c:301)
   by: main (main.c:293)
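
The failure mode reported above (a getter that returns success while leaving its output pointer NULL, followed by strlen() on that pointer) can be modelled in a few lines. This is an added example, not code from the original post or from Dovecot: `get_special_stub`, `out_buf`, `buf_send`, `buf_send_str`, `fetch_bodystructure_checked`, the sample value and the closing ")" are all assumptions, and failing the fetch on NULL is one possible handling, not necessarily the project's fix.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample value, not taken from the report. */
#define SAMPLE_BS "\"text\" \"plain\" NIL NIL NIL \"7bit\" 12 1"

struct out_buf { char data[256]; size_t used; }; /* hypothetical output stream */

/* Hypothetical getter: returns >= 0 even when it leaves *value_r NULL. */
static int get_special_stub(int have_value, const char **value_r)
{
    *value_r = have_value ? SAMPLE_BS : NULL;
    return 0;
}

/* Append len bytes; returns -1 if they do not fit. */
static long buf_send(struct out_buf *o, const char *p, size_t len)
{
    if (len > sizeof(o->data) - o->used)
        return -1;
    memcpy(o->data + o->used, p, len);
    o->used += len;
    return (long)len;
}

/* String variant that rejects NULL instead of handing it to strlen(). */
static long buf_send_str(struct out_buf *o, const char *s)
{
    return s == NULL ? -1 : buf_send(o, s, strlen(s));
}

/* The reported call sequence with the NULL check added before any output. */
static int fetch_bodystructure_checked(struct out_buf *o, int have_value)
{
    const char *bodystructure = NULL;
    if (get_special_stub(have_value, &bodystructure) < 0)
        return -1;
    if (bodystructure == NULL) /* success code is not proof the value is set */
        return -1;
    if (buf_send(o, "BODYSTRUCTURE (", 15) < 0 ||
        buf_send_str(o, bodystructure) < 0 ||
        buf_send(o, ")", 1) < 0) /* closing paren is an assumption */
        return -1;
    return 0;
}

int main(void)
{
    struct out_buf o = { {0}, 0 };
    return fetch_bodystructure_checked(&o, 0) == -1 ? 0 : 1;
}
```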

