The sieve plugin for Thunderbird likes to rapidly compile work-in-progress
sieve scripts to continually give feedback on any errors in the
script. This can trigger segmentation faults in lib-sieve with certain
pathologically incomplete sieve scripts. One example:
#0 tag_comparator_validate (valdtr=0x7f291aa713a0, arg=0x7fff5c3cfa58,
cmd=0x7f291aa69360) at sieve-comparators.c:143
143 if ( (*arg)->type != SAAT_STRING ) {
Missing separate debuginfos, use: debuginfo-install
bzip2-libs-1.0.6-12.el7.x86_64 glibc-2.17-55.el7_0.3.x86_64
sssd-client-1.11.2-68.el7_0.6.x86_64 zlib-1.2.7-13.el7.x86_64
(gdb) list
138 *arg = sieve_ast_argument_next(*arg);
139
140 /* Check syntax:
141 * ":comparator"
142 */
143 if ( (*arg)->type != SAAT_STRING ) {
144 sieve_argument_validate_error(valdtr, *arg,
145 ":comparator tag requires one string argument, but %s was found",
146 sieve_ast_argument_name(*arg) );
147 return FALSE;
(gdb) print arg
$1 = (struct sieve_ast_argument **) 0x7fff5c3cfa58
(gdb) print *arg
$2 = (struct sieve_ast_argument *) 0x0
So sieve_ast_argument_next() is returning NULL and we're trying to
dereference it without checking.

Here's a completely naive attempt at a patch:
---
dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c.null
2014-01-01 15:46:39.000000000 -0700
+++
dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c
2014-12-29 14:01:00.233436697 -0700
@@ -140,6 +140,11 @@ static bool tag_comparator_validate
/* Check syntax:
* ":comparator"
*/
+ if ( *arg == NULL ) {
+ sieve_argument_validate_error(valdtr, *arg,
+ ":comparator tag requires one string argument, but none was found");
+ return FALSE;
+ }
if ( (*arg)->type != SAAT_STRING ) {
sieve_argument_validate_error(valdtr, *arg,
":comparator tag requires one string argument, but %s was found",
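Review bot: the added sieve_argument_validate_error() call passes *arg as its second parameter inside the branch where *arg == NULL has just been established, so the error is reported against a NULL argument. Whether that function tolerates a NULL argument is not visible in this hunk; if it reads the argument for location information, the crash only moves one call down. Line 138 of the gdb listing overwrites *arg with sieve_ast_argument_next(*arg), so keep the tag argument in a local variable before that assignment and pass the saved pointer to the error call in the new branch.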
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com