[tin-bugs] tin 2.6.5 crashes when accessing article
Urs Janßen
urs at akk.org
Sat Apr 11 03:20:41 CEST 2026
fullquote as I put Dennis in Bcc
On Fri, Apr 10, 2026 at 10:28:54PM +0200, Adam W. wrote:
> Hi,
>
> tin 2.6.5 crashes with "realloc(): invalid next size" when accessing
> one specific article.
>
> System is amd64 (x86_64), Debian 13.4, kernel 6.12.74+deb13+1-amd64.
> Console charset is utf-8.
>
> Message-ID is: <slrn10sdakm.1ro9b.jaros at falcon.lasek.waw.pl>
>
> Article is available for reading on my server: news.chmurka.net
>
> It can be reproduced with:
>
> tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros at falcon.lasek.waw.pl
I can't reproduce that (tried with gcc -fsanitize=address,undefined,leak
and with running from valgrind: both without any issues) with
the current code base (see below)
x86_64-pc-linux-gnu, debian linux 6.18.15+deb14-amd64, LC_CTYPE=en_US.UTF-8
could you try <http://www.tin.org/d/tin-2.6.6.tar.gz> which is my
current code base? I doubt it will give a different result, but just
to be sure ...).
> Backtrace after rebuilding tin with -O0 -g:
>
> #7 0x000055f3a33273ca in my_realloc1 (file=0x55f3a339a1c0 "./cook.c", line=203, p=0x55f3dad1d320, size=73) at ./memory.c:748
> #8 0x000055f3a32f204a in expand_ctrl_chars (line=0x7ffda917b848, length=0x7ffda917b838, lcook_width=8) at ./cook.c:203
> #9 0x000055f3a32f7422 in process_text_body_part (wrap_lines=1, in=0x55f3daa470f0, charset=0x55f3daa132c0 "iso-8859-2", part=0x55f3daa0b650, hide_inline_data=1) at ./cook.c:1871
> #10 0x000055f3a32f8753 in cook_article (wrap_lines=1, artinfo=0x55f3a35c9ac0 <pgart>, hide_inline_data=1, show_all_headers=0) at ./cook.c:2334
> #11 0x000055f3a3368ca4 in art_open (wrap_lines=1, art=0x7fd6d52c2c40, group=0x7fd6d5bff300, artinfo=0x55f3a35c9ac0 <pgart>, show_progress_meter=1, pmesg=0x55f3a33a7bf0 <txt_reading_article> "Reading ('q' to quit)...") at ./rfc2046.c:2078
> #12 0x000055f3a334a8e2 in load_article (new_respnum=57638, group=0x7fd6d5bff300) at ./page.c:1860
> #13 0x000055f3a3346d8d in show_page (group=0x7fd6d5bff300, start_respnum=57638, threadnum=0x0) at ./page.c:347
> #14 0x000055f3a337917d in show_article_by_msgid (messageid=0x0) at ./select.c:2270
> #15 0x000055f3a3374ad5 in selection_page (start_groupnum=0, num_cmd_line_groups=0) at ./select.c:398
> #16 0x000055f3a3321a6c in main (argc=5, argv=0x7ffda917cc08) at ./main.c:556
>
> But I doubt it will be useful, as the heap is most likely corrupted by
> something that happened before.
>
> I ran it with valgrind, but it doesn't crash then, it properly shows the
> article. Here's the valgrind log -- might it be buffer_to_local() or
> process_charsets()?
>
> ==15564== Memcheck, a memory error detector
> ==15564== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
> ==15564== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
> ==15564== Command: ./tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros at falcon.lasek.waw.pl
> ==15564== Parent PID: 15223
> ==15564==
> ==15564== Invalid write of size 1
> ==15564== at 0x484DE16: strcpy (vg_replace_strmem.c:564)
> ==15564== by 0x186000: buffer_to_local (misc.c:2772)
> ==15564== by 0x1861C9: process_charsets (misc.c:2871)
> ==15564== by 0x14BB86: process_text_body_part (cook.c:1307)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
> ==15564== Invalid read of size 1
> ==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
> ==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
> ==15564== Invalid read of size 1
> ==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
> ==15564== Invalid read of size 1
> ==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
> ==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564==
> ==15564== Invalid read of size 1
> ==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564==
> ==15564==
> ==15564== HEAP SUMMARY:
> ==15564== in use at exit: 17,831 bytes in 25 blocks
> ==15564== total heap usage: 1,390,172 allocs, 1,390,147 frees, 769,855,444 bytes allocated
> ==15564==
> ==15564== 19 bytes in 1 blocks are definitely lost in loss record 5 of 25
> ==15564== at 0x4844818: malloc (vg_replace_malloc.c:446)
> ==15564== by 0x17FE4B: my_malloc1 (memory.c:688)
> ==15564== by 0x1D6061: my_strdup (string.c:149)
> ==15564== by 0x1D1DB9: save_restore_curr_group (select.c:1144)
> ==15564== by 0x1D407F: show_article_by_msgid (select.c:2161)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
I vaguely remember that there was an issue with 'L' in 2.6.5 which
is fixed in the current code:
BUG. old artnum in thread was lost after 'L' from thread-level
but the above looks somewhat different.
I'll give 2.6.5 a try tomorrow.
> ==15564== LEAK SUMMARY:
> ==15564== definitely lost: 19 bytes in 1 blocks
> ==15564== indirectly lost: 0 bytes in 0 blocks
> ==15564== possibly lost: 0 bytes in 0 blocks
> ==15564== still reachable: 17,812 bytes in 24 blocks
> ==15564== suppressed: 0 bytes in 0 blocks
> ==15564== Reachable blocks (those to which a pointer was found) are not shown.
> ==15564== To see them, rerun with: --leak-check=full --show-leak-kinds=all
> ==15564==
> ==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
> ==15564==
> ==15564== 4 errors in context 1 of 6:
> ==15564== Invalid read of size 1
> ==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564==
> ==15564==
> ==15564== 4 errors in context 2 of 6:
> ==15564== Invalid read of size 1
> ==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
> ==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1A5422: resize_article (page.c:2178)
> ==15564== by 0x1D57F5: handle_resize (signal.c:310)
> ==15564== by 0x1502F9: ReadCh (curses.c:1144)
> ==15564== by 0x15EE7A: handle_keypad (global.c:364)
> ==15564== by 0x1A0F29: show_page (page.c:354)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564==
> ==15564==
> ==15564== 4 errors in context 3 of 6:
> ==15564== Invalid read of size 1
> ==15564== at 0x148491: expand_ctrl_chars (cook.c:177)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
> ==15564==
> ==15564== 4 errors in context 4 of 6:
> ==15564== Invalid read of size 1
> ==15564== at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
> ==15564== by 0x14BB95: process_text_body_part (cook.c:1308)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
> ==15564==
> ==15564== 8 errors in context 5 of 6:
> ==15564== Invalid write of size 1
> ==15564== at 0x484DE16: strcpy (vg_replace_strmem.c:564)
> ==15564== by 0x186000: buffer_to_local (misc.c:2772)
> ==15564== by 0x1861C9: process_charsets (misc.c:2871)
> ==15564== by 0x14BB86: process_text_body_part (cook.c:1307)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564== Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
> ==15564== at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
> ==15564== by 0x17FFBE: my_realloc1 (memory.c:748)
> ==15564== by 0x1484DF: expand_ctrl_chars (cook.c:203)
> ==15564== by 0x14D8DB: process_text_body_part (cook.c:1871)
> ==15564== by 0x14EC09: cook_article (cook.c:2334)
> ==15564== by 0x1C3D9D: art_open (rfc2046.c:2078)
> ==15564== by 0x1A4AAB: load_article (page.c:1860)
> ==15564== by 0x1A0E94: show_page (page.c:347)
> ==15564== by 0x1D4551: show_article_by_msgid (select.c:2270)
> ==15564== by 0x1CF38D: selection_page (select.c:132)
> ==15564== by 0x17A103: main (main.c:556)
> ==15564==
> ==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
>
> Adam
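
Added example (not part of the original mail and not tin's code): the valgrind report quoted above shows strcpy writing just past a 73-byte heap block while an iso-8859-2 body is processed for a utf-8 console. The thread does not establish the root cause; this C example only illustrates that bug class, where re-encoded text is longer than the block it is copied back into, so the block must grow before the copy. The names struct linebuf, utf8_need, linebuf_set and run_sample are hypothetical, and the sample line is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical line buffer: the pointer travels with its allocated size. */
struct linebuf { char *data; size_t cap; };

/* Bytes (including NUL) needed for an ISO-8859-2 string re-encoded as UTF-8:
 * ASCII stays one byte, every byte >= 0x80 becomes a two-byte sequence. */
size_t utf8_need(const char *s)
{
    size_t n = 1;
    for (; *s; s++)
        n += ((unsigned char)*s >= 0x80) ? 2 : 1;
    return n;
}

/* Replace the buffer content with `converted`, growing the block first.
 * A bare strcpy(lb->data, converted) here is the unsafe variant: it trusts
 * that the old allocation is large enough for the new text.
 * Returns 0 on success, -1 if realloc fails (buffer left unchanged). */
int linebuf_set(struct linebuf *lb, const char *converted)
{
    size_t need = strlen(converted) + 1;
    if (need > lb->cap) {
        char *p = realloc(lb->data, need);
        if (p == NULL)
            return -1;
        lb->data = p;
        lb->cap = need;
    }
    memcpy(lb->data, converted, need);
    return 0;
}

/* Constructed sample: 72 characters in a 73-byte block, one of them 0xB3
 * (ISO-8859-2 "l with stroke", UTF-8 C5 82). Returns the final capacity. */
size_t run_sample(void)
{
    struct linebuf lb = { malloc(73), 73 };
    char latin2[73], utf8[74];
    size_t cap;

    if (lb.data == NULL) return 0;
    memset(latin2, 'a', 72); latin2[72] = '\0'; latin2[10] = (char)0xB3;
    memcpy(lb.data, latin2, 73);
    memset(utf8, 'a', 73); utf8[73] = '\0'; utf8[10] = (char)0xC5; utf8[11] = (char)0x82;
    /* One non-ASCII byte makes the converted line need 74 bytes, not 73. */
    cap = (utf8_need(latin2) == sizeof utf8 && linebuf_set(&lb, utf8) == 0) ? lb.cap : 0;
    free(lb.data);
    return cap;
}

int main(void) { printf("capacity after conversion: %zu\n", run_sample()); return 0; }
```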