Closed
Bug 362735
Opened 18 years ago
Closed 17 years ago
2 problems in MimeRichtextConvert
Categories
(MailNews Core :: MIME, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: Bienvenu)
Details
(Keywords: fixed1.8.0.10, fixed1.8.1.1, Whiteboard: [sg:critical])
Attachments
(3 files, 1 obsolete file)
434 bytes,
text/plain
|
Details | |
453 bytes,
text/plain
|
Details | |
1.25 KB,
patch
|
jay
:
approval1.8.0.10+
|
Details | Diff | Splinter Review |
2 problems in MimeRichtextConvert http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/mime/src/mimetric.cpp&rev=1.16 106 seawood 1.13 // The code below must never expand the input by more than 5x; 107 mstoltz 1.12 // if it does, the desired_size multiplier (5) below must be changed too 108 [1] desired_size = (length * 5) + 1; 109 rhp 1.1 [2] if (desired_size >= *obuffer_sizeP) 110 status = mime_GrowBuffer (desired_size, sizeof(char), 1024, 111 obufferP, obuffer_sizeP); so 2 problems: A) |desired_size| may be negative even on 32 bit systems at the cost of 1.8G VM (~ 425M length). the check at [2] is useless in this case. B) on 64 bit systems [1] may overflow at the cost of about 3.6G VM (~ 850M length). this may work in theory on 32 bit systems, but could reproduce it only on a 64 bit system. stack from the negative case: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1223984304 (LWP 4848)] 0xb739ec33 in strcpy () from /lib/i686/libc.so.6 (gdb) bt #0 0xb739ec33 in strcpy () from /lib/i686/libc.so.6 #1 0xb7cc8311 in PL_strcpy ( dest=0x8bd7ffd "&am" <Address 0x8bd8000 out of bounds>, src=0xb4c0faa8 "&") at /opt/joro/thunderbird20/mozilla/nsprpub/lib/libc/src/strcpy.c:46 #2 0xb4b885c8 in MimeRichtextConvert ( line=0x70417008 '&' <repeats 200 times>..., length=445644801, output_fn=0xb4b8ad74 <mime_output_fn>, closure=0x8b98020, obufferP=0x8a76e04, obuffer_sizeP=0x8a76e0c, enriched_p=1) at /opt/joro/thunderbird20/mozilla/mailnews/mime/src/mimetric.cpp:167 #3 0xb4b89036 in MimeInlineTextRichtext_parse_line ( line=0x70417008 '&' <repeats 200 times>..., length=445644801, (gdb) frame 2 #2 0xb4b885c8 in MimeRichtextConvert ( line=0x70417008 '&' <repeats 200 times>..., length=445644801, output_fn=0xb4b8ad74 <mime_output_fn>, closure=0x8b98020, obufferP=0x8a76e04, obuffer_sizeP=0x8a76e0c, enriched_p=1) at /opt/joro/thunderbird20/mozilla/mailnews/mime/src/mimetric.cpp:167 167 PL_strcpy (out, "&"); out += strlen (out); (gdb) x/4c out 0x8bd7ffd: 38 '&' 97 'a' 109 'm' Cannot access memory at address 0x8bd8000 (gdb) x/4c out-20 0x8bd7fe9: 38 '&' 97 'a' 109 'm' 112 '
Reporter | ||
Comment 1•18 years ago
|
||
Reporter | ||
Comment 2•18 years ago
|
||
Updated•18 years ago
|
Whiteboard: [sg:critical]
Reporter | ||
Comment 3•18 years ago
|
||
proposed patch. |new| still throws, but this is another bug.
Assignee | ||
Comment 4•18 years ago
|
||
Comment on attachment 247683 [details] [diff] [review] proposed patch seems like it might be clearer to write something like: 0xfffffffe / BGROWTH and it looks like there's a tab before the return -1. r=bienvenu, with those nits. thx for the patch!
Attachment #247683 -
Flags: superreview?(mscott)
Attachment #247683 -
Flags: review+
Comment 5•18 years ago
|
||
Comment on attachment 247683 [details] [diff] [review] proposed patch including David's suggestions...
Attachment #247683 -
Flags: superreview?(mscott) → superreview+
Reporter | ||
Comment 6•18 years ago
|
||
proposed patch, addresses comments
Attachment #247683 -
Attachment is obsolete: true
Reporter | ||
Comment 7•18 years ago
|
||
imho this blocks both branches and with favorable heap layout is exploitable on 32 bit os - classic under allocation without exhausting the process memory space. don't have cvs access so can't check in this.
Reporter | ||
Comment 8•18 years ago
|
||
bz, this seems to be blocking both branches.
Comment 9•18 years ago
|
||
So request blocking. ;) ccing me on mailnews innards bugs is not really useful, though -- I rarely plan to do anything about them.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Assignee | ||
Comment 10•18 years ago
|
||
fixed on trunk and 1.8.1 branch - thx, G30rgi
Reporter | ||
Comment 11•18 years ago
|
||
(In reply to comment #9) > So request blocking. ;) ccing me on mailnews innards bugs is not really > useful, though -- I rarely plan to do anything about them. > ok, you are not gonna be spammed about mailnews anymore :) i meant someone empowered to request blocking.
Comment 12•18 years ago
|
||
FIXED on trunk, blocking flags track the branch
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.0.10? → blocking1.8.0.10+
Resolution: --- → FIXED
Component: Security → MailNews: MIME
Flags: review+
Product: Thunderbird → Core
Version: 2.0 → Trunk
Comment 13•17 years ago
|
||
Comment on attachment 247793 [details] [diff] [review] proposed patch, addresses comments requesting approval for 1.8.0.10 since this is listed as a blocker. It's on the trunk and the 1.8.1 branch baking for a while.
Attachment #247793 -
Flags: approval1.8.0.10?
Comment 14•17 years ago
|
||
Comment on attachment 247793 [details] [diff] [review] proposed patch, addresses comments Approved for 1.8.0 branch, a=jay for drivers.
Attachment #247793 -
Flags: approval1.8.0.10? → approval1.8.0.10+
Updated•17 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•17 years ago
|
Assignee: guninski → bienvenu
Status: REOPENED → NEW
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago → 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Group: security
Updated•16 years ago
|
Product: Core → MailNews Core
You need to log in
before you can comment on or make changes to this bug.
Description
•