Evolution crashes (SIGSEGV) in em_format_set_inline() when decrypting a message

Bug #118323 reported by Philip Belemezov
Affects: evolution (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Ubuntu Desktop Bugs

Bug Description

Assumptions:
a) There is an encrypted message in the Inbox folder.
b) Seahorse is installed
c) GPG is set up so that the encryption of the message in a) is possible
d) The last selected message before evolution was closed was *not* the
   encrypted message
e) Seahorse is set up to cache the passphrase for at least, say, a minute.

Steps to reproduce:
1. Open evolution
2. Click on the encrypted message (see a)).
3. Seahorse asks for the passphrase needed to decrypt the message
4. After the passphrase is entered, evolution displays the message as
   a button with an arrow in it and a text saying "plain text document
   attachment." (see `evo-bug-1.png' in the first attachment).
5. Click on the arrow button (see `evo-bug-1.png'). Seahorse displays a dialog
   (title is "Authorize Passphrase Access") saying that the passphrase is cached
   in memory and asking for authorization to use it (see `evo-bug-2.png' in the
   second attachment).
6. *Without* doing anything with that window (besides moving or minimizing
   it), i.e. don't click anything, click on the arrow button in evolution *again*
   (see `evo-bug-1.png').

Result: evolution crashes with a SIGSEGV in em_format_set_inline().

Please note that if the passphrase is cached, then in step 3 above seahorse
displays the same dialog as in step 5. To reproduce in this case, in step 3
the "Authorize" button must be clicked on the first dialog. Afterwards, flow
continues from step 4.

Segfault in em_format_set_inline()

Stacktrace:
#0 em_format_set_inline (emf=0xffffffff00000000, partid=0xf1bc60 "", state=1)
    at em-format.c:982
#1 0x00002ad7743597da in IA__g_closure_invoke (closure=0xfe5110,
    return_value=0x0, n_param_values=1, param_values=0x7fff3af3d4b0,
    invocation_hint=0x7fff3af3d380) at gclosure.c:490
#2 0x00002ad774369408 in signal_emit_unlocked_R (node=0x8657e0, detail=0,
    instance=0xe19820, emission_return=0x0, instance_and_params=0x7fff3af3d4b0)
    at gsignal.c:2440
#3 0x00002ad77436a843 in IA__g_signal_emit_valist (instance=0xe19820,
    signal_id=<value optimized out>, detail=0, var_args=0x7fff3af3d730)
    at gsignal.c:2199
#4 0x00002ad77436aa13 in IA__g_signal_emit (instance=0xffffffff00000000,
    signal_id=15842400, detail=1) at gsignal.c:2243
#5 0x00002ad772b60689 in gtk_real_button_released (button=0xffffffff00000000)
    at gtkbutton.c:1484
#6 0x00002ad7743597da in IA__g_closure_invoke (closure=0x864090,
    return_value=0x0, n_param_values=1, param_values=0x7fff3af3daa0,
    invocation_hint=0x7fff3af3d970) at gclosure.c:490
#7 0x00002ad77436984d in signal_emit_unlocked_R (node=0x8640e0, detail=0,
    instance=0xe19820, emission_return=0x0, instance_and_params=0x7fff3af3daa0)
    at gsignal.c:2370
#8 0x00002ad77436a843 in IA__g_signal_emit_valist (instance=0xe19820,
    signal_id=<value optimized out>, detail=0, var_args=0x7fff3af3dd20)
    at gsignal.c:2199
#9 0x00002ad77436aa13 in IA__g_signal_emit (instance=0xffffffff00000000,
    signal_id=15842400, detail=1) at gsignal.c:2243
#10 0x00002ad772b5ef09 in gtk_button_button_release (
    widget=0xffffffff00000000, event=0xf1bc60) at gtkbutton.c:1377
#11 0x00002ad772c1c68d in _gtk_marshal_BOOLEAN__BOXED (closure=0x712680,
    return_value=0x7fff3af3dfd0, n_param_values=<value optimized out>,
    param_values=0x7fff3af3e0c0, invocation_hint=<value optimized out>,
    marshal_data=0x2ad772b5eef0) at gtkmarshalers.c:84
#12 0x00002ad7743597da in IA__g_closure_invoke (closure=0x712680,
    return_value=0x7fff3af3dfd0, n_param_values=2,
    param_values=0x7fff3af3e0c0, invocation_hint=0x7fff3af3df90)
    at gclosure.c:490
#13 0x00002ad774369a18 in signal_emit_unlocked_R (node=0x7126f0, detail=0,
    instance=0xe19820, emission_return=0x7fff3af3e2e0,
    instance_and_params=0x7fff3af3e0c0) at gsignal.c:2478
#14 0x00002ad77436a617 in IA__g_signal_emit_valist (instance=0xe19820,
    signal_id=<value optimized out>, detail=0, var_args=0x7fff3af3e340)
    at gsignal.c:2209
#15 0x00002ad77436aa13 in IA__g_signal_emit (instance=0xffffffff00000000,
    signal_id=15842400, detail=1) at gsignal.c:2243
#16 0x00002ad772d1a13e in gtk_widget_event_internal (widget=0xe19820,
    event=0x972250) at gtkwidget.c:3915
#17 0x00002ad772c15c7d in IA__gtk_propagate_event (widget=0xe19820,
    event=0x972250) at gtkmain.c:2364
#18 0x00002ad772c16c91 in IA__gtk_main_do_event (event=0x972250)
    at gtkmain.c:1598
#19 0x00002ad7733fe45c in gdk_event_dispatch (source=<value optimized out>,
    callback=<value optimized out>, user_data=<value optimized out>)
    at gdkevents-x11.c:2318
#20 0x00002ad7745bfa14 in IA__g_main_context_dispatch (context=0x664860)
    at gmain.c:2045
#21 0x00002ad7745c285d in g_main_context_iterate (context=0x664860, block=1,
    dispatch=1, self=<value optimized out>) at gmain.c:2677
#22 0x00002ad7745c2b6a in IA__g_main_loop_run (loop=0x692ac0) at gmain.c:2881
#23 0x00002ad771fc43c6 in bonobo_main () at bonobo-main.c:311
#24 0x0000000000418142 in main (argc=1, argv=0x7fff3af3e898) at main.c:611

In #0, obviously there's something wrong with `emf'. Naturally:
(gdb) p *emf
Cannot access memory at address 0xffffffff00000000

(gdb) display partid
1: partid = 0xf1bc60 ""

`partid' seems to be fine, though.

Stacktrace for all threads:

(gdb) thread apply all bt

Thread 16 (Thread 1166059840 (LWP 6576)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x6ecc30,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 15 (Thread 1157667136 (LWP 6575)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x6ecc60,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 14 (Thread 1132489024 (LWP 6574)):
#0 0x00002b57f53a58c6 in poll () from /lib/libc.so.6
#1 0x00002b57f389f1fc in ?? () from /usr/lib/libcamel-provider-1.2.so.10
#2 0x00002b57f38a0557 in ?? () from /usr/lib/libcamel-provider-1.2.so.10
#3 0x00002b57f388af21 in camel_cipher_decrypt ()
   from /usr/lib/libcamel-provider-1.2.so.10
#4 0x00002b58003aabe8 in emf_inlinepgp_encrypted (emf=0xa28860,
    stream=0xe52010, ipart=0xe63a00, info=<value optimized out>)
    at em-format.c:1606
#5 0x00002b58003aa8a2 in em_format_part_as (emf=0xa28860, stream=0xe52010,
    part=0xe63a00, mime_type=0xe695b0 "application/x-inlinepgp-encrypted")
    at em-format.c:587
#6 0x00002b58003aa982 in em_format_part (emf=0xa28860, stream=0xe52010,
    part=0xe63a00) at em-format.c:614
#7 0x00002b58003a8577 in efh_text_plain (efh=0xa28860, stream=0xe52010,
    part=0xe55d58, info=<value optimized out>) at em-format-html.c:777
#8 0x00002b58003aa8a2 in em_format_part_as (emf=0xa28860, stream=0xe52010,
    part=0xe55d58, mime_type=0x835790 "text/plain") at em-format.c:587
#9 0x00002b58003aa982 in em_format_part (emf=0xa28860, stream=0xe52010,
    part=0xe55d58) at em-format.c:614
#10 0x00002b58003a78c0 in efh_format_message (emf=0xa28860, stream=0xe52010,
    part=0xe55d58, info=<value optimized out>) at em-format-html.c:1855
#11 0x00002b58003a6830 in efh_format_do (mm=<value optimized out>)
    at em-format-html.c:1228
#12 0x00002b58003c59c1 in mail_msg_received (e=<value optimized out>,
    msg=<value optimized out>, data=<value optimized out>) at mail-mt.c:582
#13 0x00002b57f4a87316 in ?? () from /usr/lib/libedataserver-1.2.so.9
#14 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#15 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#16 0x0000000000000000 in ?? ()

Thread 13 (Thread 1115703616 (LWP 6569)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x7c34b0,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 10 (Thread 1149274432 (LWP 6568)):
#0 0x00002b57f53a58c6 in poll () from /lib/libc.so.6
#1 0x00002b57f2a236ae in g_main_context_iterate (context=0x8e63e0, block=1,
    dispatch=1, self=<value optimized out>) at gmain.c:2979
#2 0x00002b57f2a23b6a in IA__g_main_loop_run (loop=0x8c4b60) at gmain.c:2881
#3 0x00002b57f2c95523 in ?? () from /usr/lib/libnm_glib.so.0
#4 0x00002b57f2a3cb74 in g_thread_create_proxy (data=0x8b9590)
    at gthread.c:591
#5 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#6 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#7 0x0000000000000000 in ?? ()

Thread 8 (Thread 1107310912 (LWP 6563)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x6ecc60,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 4 (Thread 1098918208 (LWP 6562)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x6ecc60,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 3 (Thread 1090525504 (LWP 6561)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x6ecc60,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 2 (Thread 1082132800 (LWP 6560)):
#0 0x00002b57f563a796 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/libpthread.so.0
#1 0x00002b57f2a04935 in g_async_queue_pop_intern_unlocked (queue=0x6ecc60,
    try=<value optimized out>, end_time=<value optimized out>)
    at gasyncqueue.c:334
#2 0x00002b57f4a86dae in e_msgport_wait ()
   from /usr/lib/libedataserver-1.2.so.9
#3 0x00002b57f4a873c7 in ?? () from /usr/lib/libedataserver-1.2.so.9
#4 0x00002b57f56362a5 in start_thread () from /lib/libpthread.so.0
#5 0x00002b57f53ae61d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 1 (Thread 47656898469536 (LWP 6555)):
#0 em_format_set_inline (emf=0x0, partid=0x0, state=1) at em-format.c:982
#1 0x00002b57f27ba7da in IA__g_closure_invoke (closure=0xfe1b20,
    return_value=0x0, n_param_values=1, param_values=0x7fffbcadc030,
    invocation_hint=0x7fffbcadbf00) at gclosure.c:490
#2 0x00002b57f27ca408 in signal_emit_unlocked_R (node=0x84a600, detail=0,
    instance=0xd8e8e0, emission_return=0x0, instance_and_params=0x7fffbcadc030)
    at gsignal.c:2440
#3 0x00002b57f27cb843 in IA__g_signal_emit_valist (instance=0xd8e8e0,
    signal_id=<value optimized out>, detail=0, var_args=0x7fffbcadc2b0)
    at gsignal.c:2199
#4 0x00002b57f27cba13 in IA__g_signal_emit (instance=0x0, signal_id=0,
    detail=1) at gsignal.c:2243
#5 0x00002b57f0fc1689 in gtk_real_button_released (button=0x0)
    at gtkbutton.c:1484
#6 0x00002b57f27ba7da in IA__g_closure_invoke (closure=0x6b2970,
    return_value=0x0, n_param_values=1, param_values=0x7fffbcadc620,
    invocation_hint=0x7fffbcadc4f0) at gclosure.c:490
#7 0x00002b57f27ca84d in signal_emit_unlocked_R (node=0x82c340, detail=0,
    instance=0xd8e8e0, emission_return=0x0, instance_and_params=0x7fffbcadc620)
    at gsignal.c:2370
#8 0x00002b57f27cb843 in IA__g_signal_emit_valist (instance=0xd8e8e0,
    signal_id=<value optimized out>, detail=0, var_args=0x7fffbcadc8a0)
    at gsignal.c:2199
#9 0x00002b57f27cba13 in IA__g_signal_emit (instance=0x0, signal_id=0,
    detail=1) at gsignal.c:2243
#10 0x00002b57f0fbff09 in gtk_button_button_release (widget=0x0, event=0x0)
    at gtkbutton.c:1377
#11 0x00002b57f107d68d in _gtk_marshal_BOOLEAN__BOXED (closure=0x712680,
    return_value=0x7fffbcadcb50, n_param_values=<value optimized out>,
    param_values=0x7fffbcadcc40, invocation_hint=<value optimized out>,
    marshal_data=0x2b57f0fbfef0) at gtkmarshalers.c:84
#12 0x00002b57f27ba7da in IA__g_closure_invoke (closure=0x712680,
    return_value=0x7fffbcadcb50, n_param_values=2,
    param_values=0x7fffbcadcc40, invocation_hint=0x7fffbcadcb10)
    at gclosure.c:490
#13 0x00002b57f27caa18 in signal_emit_unlocked_R (node=0x7126f0, detail=0,
    instance=0xd8e8e0, emission_return=0x7fffbcadce60,
    instance_and_params=0x7fffbcadcc40) at gsignal.c:2478
#14 0x00002b57f27cb617 in IA__g_signal_emit_valist (instance=0xd8e8e0,
    signal_id=<value optimized out>, detail=0, var_args=0x7fffbcadcec0)
    at gsignal.c:2209
#15 0x00002b57f27cba13 in IA__g_signal_emit (instance=0x0, signal_id=0,
    detail=1) at gsignal.c:2243
#16 0x00002b57f117b13e in gtk_widget_event_internal (widget=0xd8e8e0,
    event=0xfcc410) at gtkwidget.c:3915
#17 0x00002b57f1076c7d in IA__gtk_propagate_event (widget=0xd8e8e0,
    event=0xfcc410) at gtkmain.c:2364
#18 0x00002b57f1077c91 in IA__gtk_main_do_event (event=0xfcc410)
    at gtkmain.c:1598
#19 0x00002b57f185f45c in gdk_event_dispatch (source=<value optimized out>,
    callback=<value optimized out>, user_data=<value optimized out>)
    at gdkevents-x11.c:2318
#20 0x00002b57f2a20a14 in IA__g_main_context_dispatch (context=0x664860)
    at gmain.c:2045
#21 0x00002b57f2a2385d in g_main_context_iterate (context=0x664860, block=1,
    dispatch=1, self=<value optimized out>) at gmain.c:2677
#22 0x00002b57f2a23b6a in IA__g_main_loop_run (loop=0x692ac0) at gmain.c:2881
#23 0x00002b57f04253c6 in bonobo_main () at bonobo-main.c:311
#24 0x0000000000418142 in main (argc=1, argv=0x7fffbcadd418) at main.c:611

Furthermore, while preparing this report (the bug is reproducible every time),
I have seen it crash on `part_id' being NULL, so this looks like a race condition to me.
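The two traces above show the same button-release callback reaching em_format_set_inline() with an `emf` argument that is garbage in one run (0xffffffff00000000) and NULL in the other, while a worker thread is still inside camel_cipher_decrypt() rebuilding the formatter. The defensive pattern against this class of bug is to never hand a UI callback a raw pointer that another path may free: hand it a weak handle (slot plus generation number) and have the callback re-validate the handle before touching the object. The following is an added, self-contained C model of that pattern; it is not Evolution's code, and the names `Formatter`, `Handle`, `formatter_lookup`, `on_button_released` and `simulate_race` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a formatter object that a worker thread may tear down and
 * rebuild while the UI still holds a callback bound to it (hypothetical). */
typedef struct {
    int      alive;        /* 0 once freed; the slot may then be reused */
    unsigned epoch;        /* bumped every time the slot is (re)allocated */
    char     part_id[32];
} Formatter;

#define MAX_SLOTS 4
static Formatter slots[MAX_SLOTS];
static unsigned  next_epoch = 1;

/* Weak handle: slot index plus epoch, never a raw pointer. A handle whose
 * epoch no longer matches the slot refers to an object that is gone. */
typedef struct { int slot; unsigned epoch; } Handle;

Handle formatter_new(const char *part_id) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!slots[i].alive) {
            slots[i].alive = 1;
            slots[i].epoch = next_epoch++;
            snprintf(slots[i].part_id, sizeof slots[i].part_id, "%s", part_id);
            return (Handle){ i, slots[i].epoch };
        }
    }
    return (Handle){ -1, 0 };   /* no free slot */
}

void formatter_free(Handle h) {
    if (h.slot >= 0 && h.slot < MAX_SLOTS &&
        slots[h.slot].alive && slots[h.slot].epoch == h.epoch) {
        slots[h.slot].alive = 0;
        memset(slots[h.slot].part_id, 0, sizeof slots[h.slot].part_id);
    }
}

/* Resolve a weak handle; NULL if the object was freed or its slot was reused. */
Formatter *formatter_lookup(Handle h) {
    if (h.slot < 0 || h.slot >= MAX_SLOTS) return NULL;
    Formatter *f = &slots[h.slot];
    return (f->alive && f->epoch == h.epoch) ? f : NULL;
}

/* Button-release callback in the style of the crashing frame #0.
 * Returns 1 if it acted on a live formatter, 0 if it refused a stale handle
 * instead of dereferencing a dangling pointer. */
int on_button_released(Handle h, int state) {
    Formatter *emf = formatter_lookup(h);
    if (emf == NULL) {
        return 0;   /* stale: the formatter behind this button no longer exists */
    }
    (void)state;
    /* the real em_format_set_inline()-style work would use emf->part_id here */
    return emf->part_id[0] != '\0';
}

/* Replays the reported sequence: click, the decrypt path tears down and
 * rebuilds the formatter, click again with the old binding. Returns the
 * number of callbacks that were safely refused (expected: 1). */
int simulate_race(void) {
    int refused = 0;
    Handle first = formatter_new("part-1");              /* button bound to this one */
    if (on_button_released(first, 1) == 0) refused++;    /* first click: live object */
    formatter_free(first);                               /* decrypt path frees it */
    Handle rebuilt = formatter_new("part-1");            /* same slot, new epoch */
    if (on_button_released(first, 1) == 0) refused++;    /* old handle: refused, no crash */
    if (on_button_released(rebuilt, 1) == 0) refused++;  /* fresh handle: live object */
    formatter_free(rebuilt);
    return refused;
}

int main(void) {
    printf("stale callbacks refused: %d\n", simulate_race());
    return 0;
}
```

In a real GObject code base the same effect is obtained with a weak reference on the object the callback depends on, or by disconnecting the signal handler when the formatter is disposed, rather than by a hand-rolled slot table; the point the model isolates is that the callback validates liveness before the dereference instead of trusting whatever pointer it was given.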

Sebastien Bacher (seb128) wrote :

Thanks for the bug report. This particular bug has already been reported, but feel free to report any other bugs you find.

Changed in evolution:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
status: Unconfirmed → Rejected