Closed Bug 243854 Opened 20 years ago Closed 20 years ago

MIME hang while sanitizing a message

Categories

(MailNews Core :: MIME, defect)

Product:
MailNews Core
Component:
MIME
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: emaijala+moz, Assigned: emaijala+moz)

Details

(Keywords: fixed1.7, hang, Whiteboard: fixed-aviary1.0)

Attachments

(3 files, 1 obsolete file)

mailbox file of the offending message
4.60 KB, text/plain
Details
Patch v2 (without whitespace changes)
1.40 KB, patch
Bienvenu
: review+
Bienvenu
: superreview+
asa
: approval1.7+
Details | Diff | Splinter Review
Patch v2
4.20 KB, patch
Details | Diff | Splinter Review 
I received a message that caused Mozilla to hang completely. Test mbox and patch
coming up.
Assignee: sspitzer → ere
This is a mailbox file containing the offending message. Hangs at least if
viewed in Simple HTML.
Attached patch Patch v1 (obsolete) — Splinter Review 
This patch makes sure the string given to MimeInlineTextPlainFlowed_parse_line
is null-terminated. It also prevents an assertion when ScanTXT was called with
an empty line.
Attachment #148691 - Flags: superreview?(bienvenu)
Attachment #148691 - Flags: review?(bienvenu)
This should be fixed in the 1.7 branch too.
Flags: blocking1.7?
thx for looking at this?

are you sure this won't write past the end of our memory block?

+        (*bufferP)[*buffer_fpP] = '\0';

re the second part, I think it would be better to wrap the whole

if (length - (linep - line)) check were moved up to surround that whole block of
code, like this:
  if (length - (linep - line) > 0)
  {
    nsDependentCString inputStr(linep, length - (linep - line));

    // For 'SaveAs', |line| is in |mailCharset|.
    // convert |line| to UTF-16 before 'html'izing (calling ScanTXT())

    ....
    rv = conv->ScanTXT(lineSource.get(), whattodo, getter_Copies(lineResult));
    NS_ENSURE_SUCCESS(rv, -1);
   }

Does that work?
it looks like we've allocated an extra byte, so the null assignment shouldn't
crunch anything...
Yes, it should be safe to write the null there. 

The length check could be moved even higher, to the beginning of that block.
Attachment #148691 - Attachment is obsolete: true
Attached patch Patch v2Splinter Review 

    
  

        Attachment #148691 -
        Flags: superreview?(bienvenu)

        Attachment #148691 -
        Flags: review?(bienvenu)

    
  

        Attachment #148696 -
        Flags: superreview?(bienvenu)

    
  

        Attachment #148696 -
        Flags: superreview?(bienvenu) → superreview+

    
    

    
  
Comment on attachment 148696 [details] [diff] [review]
Patch v2 (without whitespace changes)

Sorry, can I get an r= too, please? 

Requesting also approval for this small but significant fix.

        Attachment #148696 -
        Flags: review?(bienvenu)

        Attachment #148696 -
        Flags: approval1.7?

    
    

    
  
Comment on attachment 148696 [details] [diff] [review]
Patch v2 (without whitespace changes)

r=bienvenu - I've cc'd ducarroz, in case he has some thoughts on this.

        Attachment #148696 -
        Flags: review?(bienvenu) → review+

    
    

    
  
Thanks. For the record: the terminating null is needed because
MimeInlineTextPlainFlowed_parse_line uses nsDependentCString. Otherwise length
checks in two other places would have been enough.
Status: NEW → ASSIGNED

    
    

    
  
Trunk fixed.

    
    

    
  
Comment on attachment 148696 [details] [diff] [review]
Patch v2 (without whitespace changes)

a=asa (on behalf of drivers) for checkin to 1.7

        Attachment #148696 -
        Flags: approval1.7? → approval1.7+

    
    

    
  
Fixed in branch too. Thanks to Neil for the checkin.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Flags: blocking1.7?
Resolution: --- → FIXED

    
  
Keywords: fixed1.7

    
  
Whiteboard: fixed-aviary1.0
Product: MailNews → Core
Product: Core → MailNews Core

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: