Fix segfault when deleting and reusing attachment slots. (closes #3800)

When attachments are deleted, delete_attachment() slides the entries
down in the idx array, but forgets to NULL out the last vacated slot.

If more attachments are added later on via OP_COMPOSE_EDIT_HEADERS and
the Attach: pseudo-header, mutt_gen_attach_list() will attempt to
re-use the ATTACHPTR in that last slot because it wasn't set to NULL.
This will be pointing to freed memory and likely segfault (at best).

diff --git a/compose.c b/compose.c
index 9d870608fb2e816c979fc25dd7db2a2343b3f549..583539aebf0dec505eb423d613f484fb973a36f5 100644 (file)
--- a/compose.c
+++ b/compose.c
@@ -338,6 +338,7 @@ static int delete_attachment (MUTTMENU *menu, short *idxlen, int x)
   FREE (&idx[x]);
   for (; x < *idxlen - 1; x++)
     idx[x] = idx[x+1];
+  idx[*idxlen - 1] = NULL;
   menu->max = --(*idxlen);
   
   return (0);