dovecot - Apr 2013 - imap crash during URLFETCH

Dovecot-2.2.1's imap processes crash reliably when they use an IMAP URL with
an invalid access specifier.  A backtrace and some debug output follows.  The
crash is likely caused by imap_urlauth_fetch_parsed() returning 0 without having
set *mpurl_r to NULL, and then imap_urlauth_fetch_local() freeing an
uninitialized pointer.

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000001059
0   libdovecot-storage.0.dylib          0x000000010b06a383 imap_msgpart_url_free
+ 17
1   imap                                0x000000010afc71cc
imap_urlauth_fetch_local + 770
2   imap                                0x000000010afc6dcf
imap_urlauth_fetch_url + 439
3   imap                                0x000000010afbb489 cmd_urlfetch + 580
4   imap                                0x000000010afbdf4d command_exec + 55
5   imap                                0x000000010afbdabb client_command_input
+ 34
6   imap                                0x000000010afbdc7c client_command_input
+ 483
7   imap                                0x000000010afbd351 client_handle_input +
239
8   imap                                0x000000010afbc613 client_input + 119
9   libdovecot.0.dylib                  0x000000010b111c74 io_loop_call_io + 46
10  libdovecot.0.dylib                  0x000000010b112c85 io_loop_handler_run +
214
11  libdovecot.0.dylib                  0x000000010b111e1f io_loop_run + 77
12  libdovecot.0.dylib                  0x000000010b0d10c6 master_service_run +
24
13  imap                                0x000000010afc5aba main + 1010
14  libdyld.dylib                       0x00007fff89e5f7bd start + 1

Apr 29 20:00:31 imap(pid 82429 user mja): Debug: Fetching local URLAUTH
imap://mja at
duck.example.com/INBOX;uidvalidity=1366726248/;uid=19;urlauth=submit+mja:internal:012c9c6a3d74db6509e4a3802a0f5edf64546608b8
Apr 29 20:00:31 imap(pid 82429 user mja): Debug: Failed to fetch URLAUTH
"imap://mja at
duck.example.com/INBOX;uidvalidity=1366726248/;uid=19;urlauth=submit+mja:internal:012c9c6a3d74db6509e4a3802a0f5edf64546608b8":
No 'submit+mja' access allowed for user mja
Apr 29 20:00:31 imap(pid 82429 user mja): Fatal: master: service(imap): child
82429 killed with signal 11 (core dumps disabled)

On 30.4.2013, at 4.07, Mike Abbott <michael.abbott at apple.com> wrote:
> Dovecot-2.2.1's imap processes crash reliably when they use an IMAP URL
with an invalid access specifier.  A backtrace and some debug output follows. 
The crash is likely caused by imap_urlauth_fetch_parsed() returning 0 without
having set *mpurl_r to NULL, and then imap_urlauth_fetch_local() freeing an
uninitialized pointer.
Right, fixed: http://hg.dovecot.org/dovecot-2.2/rev/24aa10efe132

I also noticed another crash: http://hg.dovecot.org/dovecot-2.2/rev/2a3134b0c25d