[tin-bugs] tin 2.6.5 crashes when accessing article
Adam W.
tin at chmurka.net
Fri Apr 10 22:28:54 CEST 2026
Hi,
tin 2.6.5 crashes with "realloc(): invalid next size" when accessing
one specific article.
System is amd64 (x86_64), Debian 13.4, kernel 6.12.74+deb13+1-amd64.
Console charset is utf-8.
Message-ID is: <slrn10sdakm.1ro9b.jaros at falcon.lasek.waw.pl>
Article is available for reading on my server: news.chmurka.net
It can be reproduced with:
tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros at falcon.lasek.waw.pl
Backtrace after rebuilding tin with -O0 -g:
#7 0x000055f3a33273ca in my_realloc1 (file=0x55f3a339a1c0 "./cook.c", line=203, p=0x55f3dad1d320, size=73) at ./memory.c:748
#8 0x000055f3a32f204a in expand_ctrl_chars (line=0x7ffda917b848, length=0x7ffda917b838, lcook_width=8) at ./cook.c:203
#9 0x000055f3a32f7422 in process_text_body_part (wrap_lines=1, in=0x55f3daa470f0, charset=0x55f3daa132c0 "iso-8859-2", part=0x55f3daa0b650, hide_inline_data=1) at ./cook.c:1871
#10 0x000055f3a32f8753 in cook_article (wrap_lines=1, artinfo=0x55f3a35c9ac0 <pgart>, hide_inline_data=1, show_all_headers=0) at ./cook.c:2334
#11 0x000055f3a3368ca4 in art_open (wrap_lines=1, art=0x7fd6d52c2c40, group=0x7fd6d5bff300, artinfo=0x55f3a35c9ac0 <pgart>, show_progress_meter=1, pmesg=0x55f3a33a7bf0 <txt_reading_article> "Reading ('q' to quit)...") at ./rfc2046.c:2078
#12 0x000055f3a334a8e2 in load_article (new_respnum=57638, group=0x7fd6d5bff300) at ./page.c:1860
#13 0x000055f3a3346d8d in show_page (group=0x7fd6d5bff300, start_respnum=57638, threadnum=0x0) at ./page.c:347
#14 0x000055f3a337917d in show_article_by_msgid (messageid=0x0) at ./select.c:2270
#15 0x000055f3a3374ad5 in selection_page (start_groupnum=0, num_cmd_line_groups=0) at ./select.c:398
#16 0x000055f3a3321a6c in main (argc=5, argv=0x7ffda917cc08) at ./main.c:556
But I doubt it will be useful, as the heap is most likely corrupted by
something that happened before.
I ran it with valgrind, but it doesn't crash then, it properly shows the
article. Here's the valgrind log -- might it be buffer_to_local() or
process_charsets()?
==15564== Memcheck, a memory error detector
==15564== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==15564== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
==15564== Command: ./tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros at falcon.lasek.waw.pl
==15564== Parent PID: 15223
==15564==
==15564== Invalid write of size 1
==15564== at 0x484DE16: strcpy (vg_replace_strmem.c:564)
==15564== by 0x186000: buffer_to_local (misc.c:2772)
==15564== by 0x1861C9: process_charsets (misc.c:2871)
==15564== by 0x14BB86: process_text_body_part (cook.c:1307)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564== Invalid read of size 1
==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564== Invalid read of size 1
==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564== Invalid read of size 1
==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564== Invalid read of size 1
==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564==
==15564== HEAP SUMMARY:
==15564== in use at exit: 17,831 bytes in 25 blocks
==15564== total heap usage: 1,390,172 allocs, 1,390,147 frees, 769,855,444 bytes allocated
==15564==
==15564== 19 bytes in 1 blocks are definitely lost in loss record 5 of 25
==15564== at 0x4844818: malloc (vg_replace_malloc.c:446)
==15564== by 0x17FE4B: my_malloc1 (memory.c:688)
==15564== by 0x1D6061: my_strdup (string.c:149)
==15564== by 0x1D1DB9: save_restore_curr_group (select.c:1144)
==15564== by 0x1D407F: show_article_by_msgid (select.c:2161)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564== LEAK SUMMARY:
==15564== definitely lost: 19 bytes in 1 blocks
==15564== indirectly lost: 0 bytes in 0 blocks
==15564== possibly lost: 0 bytes in 0 blocks
==15564== still reachable: 17,812 bytes in 24 blocks
==15564== suppressed: 0 bytes in 0 blocks
==15564== Reachable blocks (those to which a pointer was found) are not shown.
==15564== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==15564==
==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
==15564==
==15564== 4 errors in context 1 of 6:
==15564== Invalid read of size 1
==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564==
==15564== 4 errors in context 2 of 6:
==15564== Invalid read of size 1
==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1A5422: resize_article (page.c:2178)
==15564== by 0x1D57F5: handle_resize (signal.c:310)
==15564== by 0x1502F9: ReadCh (curses.c:1144)
==15564== by 0x15EE7A: handle_keypad (global.c:364)
==15564== by 0x1A0F29: show_page (page.c:354)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564==
==15564== 4 errors in context 3 of 6:
==15564== Invalid read of size 1
==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564==
==15564== 4 errors in context 4 of 6:
==15564== Invalid read of size 1
==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564==
==15564== 8 errors in context 5 of 6:
==15564== Invalid write of size 1
==15564== at 0x484DE16: strcpy (vg_replace_strmem.c:564)
==15564== by 0x186000: buffer_to_local (misc.c:2772)
==15564== by 0x1861C9: process_charsets (misc.c:2871)
==15564== by 0x14BB86: process_text_body_part (cook.c:1307)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564== by 0x14EC09: cook_article (cook.c:2334)
==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564== by 0x1A4AAB: load_article (page.c:1860)
==15564== by 0x1A0E94: show_page (page.c:347)
==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564== by 0x1CF38D: selection_page (select.c:132)
==15564== by 0x17A103: main (main.c:556)
==15564==
==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
Adam
More information about the tin-bugs
mailing list