Closed Bug 243854 Opened 21 years ago Closed 21 years ago

MIME hang while sanitizing a message

Categories

(MailNews Core :: MIME, defect)

Product:
MailNews Core
Component:
MIME
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: emaijala+moz, Assigned: emaijala+moz)

Details

(Keywords: fixed1.7, hang, Whiteboard: fixed-aviary1.0)

Attachments

(3 files, 1 obsolete file)

mailbox file of the offending message
4.60 KB, text/plain
Details
Patch v2 (without whitespace changes)
1.40 KB, patch
Bienvenu
: review+
Bienvenu
: superreview+
asa
: approval1.7+
Details | Diff | Splinter Review
Patch v2
4.20 KB, patch
Details | Diff | Splinter Review
I received a message that caused Mozilla to hang completely. Test mbox and patch coming up.
Assignee: sspitzer → ere
This is a mailbox file containing the offending message. Hangs at least if viewed in Simple HTML.
Attached patch Patch v1 (obsolete) — Splinter Review
This patch makes sure the string given to MimeInlineTextPlainFlowed_parse_line is null-terminated. It also prevents an assertion when ScanTXT was called with an empty line.
Attachment #148691 - Flags: superreview?(bienvenu)
Attachment #148691 - Flags: review?(bienvenu)
This should be fixed in the 1.7 branch too.
Flags: blocking1.7?
thx for looking at this? are you sure this won't write past the end of our memory block? + (*bufferP)[*buffer_fpP] = '\0'; re the second part, I think it would be better to wrap the whole if (length - (linep - line)) check were moved up to surround that whole block of code, like this: if (length - (linep - line) > 0) { nsDependentCString inputStr(linep, length - (linep - line)); // For 'SaveAs', |line| is in |mailCharset|. // convert |line| to UTF-16 before 'html'izing (calling ScanTXT()) .... rv = conv->ScanTXT(lineSource.get(), whattodo, getter_Copies(lineResult)); NS_ENSURE_SUCCESS(rv, -1); } Does that work?
it looks like we've allocated an extra byte, so the null assignment shouldn't crunch anything...
Yes, it should be safe to write the null there. The length check could be moved even higher, to the beginning of that block.
Attachment #148691 - Attachment is obsolete: true
Attached patch Patch v2Splinter Review
Attachment #148691 - Flags: superreview?(bienvenu)
Attachment #148691 - Flags: review?(bienvenu)
Attachment #148696 - Flags: superreview?(bienvenu)
Attachment #148696 - Flags: superreview?(bienvenu) → superreview+
Comment on attachment 148696 [details] [diff] [review] Patch v2 (without whitespace changes) Sorry, can I get an r= too, please? Requesting also approval for this small but significant fix.
Attachment #148696 - Flags: review?(bienvenu)
Attachment #148696 - Flags: approval1.7?
Comment on attachment 148696 [details] [diff] [review] Patch v2 (without whitespace changes) r=bienvenu - I've cc'd ducarroz, in case he has some thoughts on this.
Attachment #148696 - Flags: review?(bienvenu) → review+
Thanks. For the record: the terminating null is needed because MimeInlineTextPlainFlowed_parse_line uses nsDependentCString. Otherwise length checks in two other places would have been enough.
Status: NEW → ASSIGNED
Trunk fixed.
Comment on attachment 148696 [details] [diff] [review] Patch v2 (without whitespace changes) a=asa (on behalf of drivers) for checkin to 1.7
Attachment #148696 - Flags: approval1.7? → approval1.7+
Fixed in branch too. Thanks to Neil for the checkin.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Flags: blocking1.7?
Resolution: --- → FIXED
Keywords: fixed1.7
Whiteboard: fixed-aviary1.0
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: