Closed
Bug 1411734
Opened 7 years ago
Closed 7 years ago
TBE-01-010: Crash via invalid X-Mozilla-Draft-Info header (DOS)
Categories
(MailNews Core :: Composition, defect)
Tracking
(thunderbird_esr52 57+ fixed, thunderbird57 fixed, thunderbird58 fixed)
RESOLVED
FIXED
Thunderbird 58.0
People
(Reporter: BenB, Assigned: jorgk-bmo)
Details
(Keywords: crash, Whiteboard: TB 57 beta => TB 52.5 ESR)
Attachments
(1 file)
patch, 1.10 KB
aceman: review+
jorgk-bmo: approval-comm-beta+
jorgk-bmo: approval-comm-esr52+
Thunderbird cannot handle an invalid X-Mozilla-Draft-Info header. Due to a null pointer dereference, Thunderbird exits with a segmentation fault and must be restarted. The crash happens when the following PoC.eml file is opened in Thunderbird, specifically when the “Edit As New Message” menu option is selected.

PoC.eml:

    X-Mozilla-Draft-Info: 1
    Content-Type: text/html; charset=utf-8

    Please right-click this e-mail and click "Edit As New Message".

The root cause of this issue was found in the following source code.

Affected File: /mailnews/mime/src/mimedrft.cpp

Affected Code:

    draftInfo = MimeHeaders_get(mdd->headers, HEADER_X_MOZILLA_DRAFT_INFO, false, false);

    // Keep the same message id when editing a draft unless we're
    // editing a message "as new message" (template) or forwarding inline.
    if (mdd->format_out != nsMimeOutput::nsMimeMessageEditorTemplate &&
        fields && !forward_inline) {
      fields->SetMessageId(id);
    }

    if (draftInfo && fields && !forward_inline) {
      [...]
      parm = MimeHeaders_get_parameter(draftInfo, "receipt", NULL, NULL);
      if (parm && !strcmp(parm, "0"))
        fields->SetReturnReceipt(false);
      else {
        int receiptType = 0;
        fields->SetReturnReceipt(true);
        sscanf(parm, "%d", &receiptType);

One can see here that the parm variable is set to the arguments of the draftInfo. Since it requires an argument like “receipt”, it is checked whether that item actually exists. However, if parm is not set (e.g. it is equal to NULL), it is still being used as a source pointer in a sscanf call, thus causing an invalid access to memory at NULL.

It is recommended to make sure that the sscanf code path is not reachable unless parm is set correctly.
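The guard recommended in the report, as an added example (not Thunderbird's code and not the attached patch): `get_param`, `struct receipt` and `apply_receipt` are hypothetical stand-ins for `MimeHeaders_get_parameter` and the compose fields, and rejecting a non-numeric value is an extra assumption. The sample header values are constructed, apart from the `1` taken from PoC.eml.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for MimeHeaders_get_parameter(): returns a malloc'd
 * copy of VALUE from "; name=VALUE" in hdr, or NULL when name is absent. */
static char *get_param(const char *hdr, const char *name) {
  size_t nlen = strlen(name);
  for (const char *p = strchr(hdr, ';'); p; p = strchr(p, ';')) {
    p++;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
      size_t vlen = strcspn(p + nlen + 1, "; \t\r\n");
      char *out = malloc(vlen + 1);
      if (!out) return NULL;
      memcpy(out, p + nlen + 1, vlen);
      out[vlen] = '\0';
      return out;
    }
  }
  return NULL;
}

struct receipt { int requested; int type; };  /* hypothetical compose fields */
/* Returns 1 and updates *r when a usable receipt parameter is present;
 * returns 0 and leaves *r untouched when it is absent or not a number. */
static int apply_receipt(const char *draft_info, struct receipt *r) {
  char *parm = get_param(draft_info, "receipt");
  int type = 0, ok = 0;
  if (parm && strcmp(parm, "0") == 0) {
    r->requested = 0;
    ok = 1;
  } else if (parm && sscanf(parm, "%d", &type) == 1) {  /* NULL never reaches sscanf */
    r->requested = 1;
    r->type = type;
    ok = 1;
  }
  free(parm);
  return ok;
}

int main(void) {
  /* Constructed header values; "1" is the value used in the report's PoC.eml. */
  const char *samples[] = { "1", "internal/draft; receipt=0", "internal/draft; receipt=2" };
  for (size_t i = 0; i < 3; i++) {
    struct receipt r = { -1, -1 };
    int ok = apply_receipt(samples[i], &r);
    printf("%-28s ok=%d requested=%d type=%d\n", samples[i], ok, r.requested, r.type);
  }
}
```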
Comment 1 (Reporter) • 7 years ago
For the original report as PDF, see bug 1411701. Not a security bug.
Severity: normal → critical
Comment 2 (Assignee) • 7 years ago
Comment on attachment 8922686
1411734-draft-info-receipt.patch (v1)

Review of attachment 8922686:
-----------------------------------------------------------------

It could be cleaner if MimeHeaders_get_parameter returned nsCString (it even uses it internally). But that seems not to be the trend in the mime files, where everything is plain pointers. Also, it would require changing a lot of callers.

Thanks for fixing this.
Attachment #8922686 - Flags: review?(acelists) → review+
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/f24014af19e1
don't access receipt field from draft info if it's not there. r=aceman
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated (Assignee) • 7 years ago
Target Milestone: --- → Thunderbird 58.0
Updated (Assignee) • 7 years ago
Attachment #8922686 - Flags: approval-comm-esr52+
Attachment #8922686 - Flags: approval-comm-beta+
Comment 5 • 7 years ago
tested edit in local drafts
bp-15c0e909-762e-4e07-8955-f32910171029

0 ucrtbase.dll _invalid_parameter
1 ucrtbase.dll _invalid_parameter_noinfo
2 ucrtbase.dll _XMMI_FP_Emulation
3 ucrtbase.dll __stdio_common_vsscanf
4 xul.dll _vsscanf_l C:/builds/moz2_slave/tb-rel-c-esr52-w32_bld-0000000/build/vs2015u3/SDK/Include/10.0.14393.0/ucrt/stdio.h:2167
5 xul.dll sscanf C:/builds/moz2_slave/tb-rel-c-esr52-w32_bld-0000000/build/vs2015u3/SDK/Include/10.0.14393.0/ucrt/stdio.h:2265
6 xul.dll mime_parse_stream_complete C:/builds/moz2_slave/tb-rel-c-esr52-w32_bld-0000000/build/mailnews/mime/src/mimedrft.cpp:1272
7 xul.dll nsStreamConverter::OnStopRequest(nsIRequest*, nsISupports*, nsresult) C:/builds/moz2_slave/tb-rel-c-esr52-w32_bld-0000000/build/mailnews/mime/src/nsStreamConverter.cpp:1055
8 xul.dll nsMsgProtocol::OnStopRequest(nsIRequest*, nsISupports*, nsresult) C:/builds/moz2_slave/tb-rel-c-esr52-w32_bld-0000000/build/mailnews/base/util/nsMsgProtocol.cpp:339
9 xul.dll nsMailboxProtocol::OnStopRequest(nsIRequest*, nsISupports*, nsresult) C:/builds/moz2_slave/tb-rel-c-esr52-w32_bld-0000000/build/mailnews/local/src/nsMailboxProtocol.cpp:382

spot checking some crash reports of the last 6 months, I find no evidence of this in the wild. not surprising
Summary: Crash via invalid X-Mozilla-Draft-Info header → TBE-01-010: Crash via invalid X-Mozilla-Draft-Info header (DOS)
Comment 6 (Assignee) • 7 years ago
Beta (TB 57): https://hg.mozilla.org/releases/comm-beta/rev/57610e579accf11ebc24f0e2121f4d23e1d3039a
status-thunderbird52: --- → affected
status-thunderbird57: --- → fixed
status-thunderbird58: --- → fixed
Updated (Assignee) • 7 years ago
Whiteboard: TB 57 beta => TB 52.5 ESR
Comment 7 (Assignee) • 7 years ago
TB 52.5 ESR (should be tracking 57+): https://hg.mozilla.org/releases/comm-esr52/rev/d194d0a89581
Updated (Assignee) • 7 years ago
status-thunderbird52: fixed → ---
status-thunderbird_esr52: --- → fixed
Updated (Assignee) • 7 years ago
tracking-thunderbird_esr52: --- → 57+