Closed Bug 163588 Opened 22 years ago Closed 22 years ago

buffer overflow in Chatzilla

Categories

(Other Applications :: ChatZilla, defect)

x86
FreeBSD
defect
Not set
critical

RESOLVED DUPLICATE of bug 94448

People

(Reporter: trevor, Assigned: rginda)

Details

On Bugtraq, Thor Larholm <Thor@jubii.dk> reported:

 The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
 A typical IRC URL could look like this:

 IRC://IRC.YOUR.TLD/#YOURCHANNEL

 The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
 If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
 error:

 The exception unknown software exception (0xc00000fd) occured in the
 application at location 0x60e42edf

At http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html he has provided a
Web page which demonstrates the bug.  It does not always work for me, but I
wrote a demonstration page according to his instructions which gives more
consistent results:  http://jpj.net/~trevor/chatzilla.html .

Not installing the Chatzilla component is an effective workaround, as is
removing the chatzilla.jar archive after installation.

This is not a buffer overrun, but a blown stack performing a regexp match
against a very large string.  Not exploitable.

There is a dupe of this out there, possibly left open to remind me to not match
against large strings, or possibly marked INVALID, I forget.
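
A length guard of the kind the comment above suggests, as an added example that is not ChatZilla's code: the channel part of an irc:// URL is checked against a fixed size limit before any regular expression is run over it. The 32K limit, the URL parsing shape and the sample URLs are assumptions.

```javascript
// Added example (not ChatZilla code): bound the size of each URL component
// before handing it to a regular expression, so oversized input is rejected by
// a cheap length comparison instead of driving a deep regexp match.
const MAX_COMPONENT_LEN = 32 * 1024; // assumed cap, mirroring the 32K in the report

// Applied only to a component that has already passed the length check.
const CHANNEL_RE = /^[#&+!][^\s,\x07]+$/;

// Parse "irc://host[:port]/channel" by plain string splitting, then validate.
// Returns { ok: true, host, port, channel } or { ok: false, reason }.
function parseIrcUrl(url, maxLen = MAX_COMPONENT_LEN) {
  // Scheme check is run on a 6-character prefix, never on the whole input.
  if (typeof url !== "string" || !/^irc:\/\//i.test(url.slice(0, 6))) {
    return { ok: false, reason: "not an irc:// url" };
  }
  const rest = url.slice(6);
  const slash = rest.indexOf("/");
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const channel = slash === -1 ? "" : rest.slice(slash + 1);

  // Length checks come first: O(1) and independent of how large the input is.
  if (hostPort.length > maxLen) return { ok: false, reason: "host too long" };
  if (channel.length > maxLen) return { ok: false, reason: "channel too long" };

  const colon = hostPort.lastIndexOf(":");
  const host = colon === -1 ? hostPort : hostPort.slice(0, colon);
  const port = colon === -1 ? 6667 : Number(hostPort.slice(colon + 1));
  if (!host || !Number.isInteger(port) || port < 1 || port > 65535) {
    return { ok: false, reason: "bad host or port" };
  }
  // Only now is the (bounded) channel name matched against the regexp.
  if (channel && !CHANNEL_RE.test(channel)) {
    return { ok: false, reason: "bad channel name" };
  }
  return { ok: true, host, port, channel };
}
```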

*** This bug has been marked as a duplicate of 94448 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Product: Core → Other Applications