2015-02-10
Analysis based on mutt 1.5.23 plus these patches:

  - Fix endless IMAP credentials requests when imap_check_subscribed=yes
  - Fix buffer underread for empty header values

Reports are at https://lekensteyn.nl/mutt-scan-build/

report-af1030.html
gnupgparse.c:347 parse_pub_line
memcpy to NULL

    break main
    p argc=0
    p parse_pub_line("uid", &argc, NULL)

Can be triggered if gpg outputs something unexpected (just "uid").


Possible issues:

report-8ab430.html
crypt-gpgme.c:3850 crypt_select_key
If keys == NULL, then i=0 and unusable=0 and qsort is called on a NULL ptr.

report-41bead.html
pgpkey.c:512 pgp_select_key
If keys == NULL, then i=0 and unusable=0 and qsort is called on a NULL ptr.


Needs further investigation:

report-94be61.html
enter.c:170 replace_part (via _mutt_enter_string)
memcpy from NULL + offset

report-8b459d.html
commands.c:957 mutt_edit_content_type
NULL deref when b->type == TYPEMESSAGE and b->subtype == NULL

    #define is_multipart(b) \
        ( (b)->type == TYPEMULTIPART || \
          ( (b)->type == TYPEMESSAGE && \
            ( !strcasecmp((b)->subtype, "rfc822") || \
              !strcasecmp((b)->subtype, "news") ) ) )

b->subtype is always NULL as it got freed, b->type==TYPEMESSAGE when
Content-Type: message/...
CHECKME

report-ba327b.html
imap/imap.c:979 imap_exec_msgset
memcpy from NULL

report-1e9001.html
parse.c:899 mutt_extract_message_id
Assigned value is garbage or undefined
Need to check whether mutt_parse_rfc822_line can ever be called with a NULL
"p" argument. If not, this is a false positive.

report-6638c0.html
rfc2047.c:893 rfc2047_decode
Out-of-bound array access
CHECKME
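
Added example (not part of the original notes and not mutt's code): NULL guards of the shape that the is_multipart finding and the two qsort findings above would call for, should those findings hold. The reduced struct, the enum values and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed stand-ins: the enum values and the reduced struct are
 * assumptions for this example, not mutt's definitions. */
enum { TYPEOTHER = 0, TYPEMESSAGE, TYPEMULTIPART };
struct body_ex {
    int type;
    char *subtype;              /* NULL once freed and reset */
};

/* Same test as the is_multipart macro in the notes, but a NULL subtype
 * is rejected before strcasecmp can dereference it. */
int is_multipart_checked(const struct body_ex *b)
{
    if (b == NULL)
        return 0;
    if (b->type == TYPEMULTIPART)
        return 1;
    if (b->type != TYPEMESSAGE || b->subtype == NULL)
        return 0;
    return !strcasecmp(b->subtype, "rfc822") || !strcasecmp(b->subtype, "news");
}

static int cmp_str(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Guard for the case in the two qsort reports: with an empty table
 * (table == NULL, n == 0) qsort is never reached. Returns the number
 * of entries sorted. */
size_t sort_keys_checked(const char **table, size_t n)
{
    if (table == NULL || n == 0)
        return 0;
    qsort(table, n, sizeof *table, cmp_str);
    return n;
}

int main(void)
{
    struct body_ex b = { TYPEMESSAGE, NULL };   /* constructed input */
    const char *keys[] = { "c", "a", "b" };     /* constructed input */
    printf("%d %zu %zu\n", is_multipart_checked(&b),
           sort_keys_checked(NULL, 0), sort_keys_checked(keys, 3));
    return 0;
}
```

The qsort guard matters even with a zero count: C11 7.22.5 requires pointer arguments to stay valid when nmemb is 0, so a NULL base is undefined behaviour rather than a harmless no-op.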