Closed Bug 1052327 Opened 5 years ago Closed 5 years ago

crash [@ PL_strnchr | nsParseMailMessageState::ParseHeaders() ]

Categories

(MailNews Core :: Backend, defect, critical)

Tracking

(thunderbird32 fixed, thunderbird33 fixed, thunderbird34 fixed, thunderbird_esr31 32+ fixed)

RESOLVED FIXED
Thunderbird 34.0

People

(Reporter: hiro, Assigned: hiro)

Details

(Keywords: crash, topcrash-thunderbird)

Attachments

(1 file)

'buf_length' is the length of the original 'buf' but the pointer of 'buf' is incremented. So PL_strnchr causes a buffer overrun.
Assignee: nobody → hiikezoe
Attachment #8471458 - Flags: review?(standard8)
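
The bug class described in the report above (a bounded search called with the original length after the pointer has advanced), shown as an added example; this is not the Thunderbird code or the attached patch. The space-skipping parser step, the function names and the input are assumptions, and the "adjacent" bytes are constructed so the stale-length search stays inside one array while still matching past the logical buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for PL_strnchr: scan at most max bytes, stopping early at NUL. */
static const char *bounded_chr(const char *s, char c, size_t max) {
    for (; max && *s; s++, max--)
        if (*s == c) return s;
    return NULL;
}

/* Constructed input: the first LOGICAL_LEN bytes are the buffer handed to the
   parser; the rest models unrelated memory that sits right after it. */
#define LOGICAL_LEN 16
static const char arena[] = "   no colon here:adjacent";

/* Hypothetical parser step: skip leading spaces, then look for ':'.
   Returns the offset of the match from buf, or -1 if none. */
long find_colon_stale(const char *buf, size_t buf_length) {
    const char *p = buf, *end = buf + buf_length;
    while (p < end && *p == ' ') p++;          /* pointer moves forward */
    /* BUG: the bound is still the original length, so the search window
       [p, p + buf_length) extends past end by (p - buf) bytes. */
    const char *hit = bounded_chr(p, ':', buf_length);
    return hit ? (long)(hit - buf) : -1;
}

long find_colon_fixed(const char *buf, size_t buf_length) {
    const char *p = buf, *end = buf + buf_length;
    while (p < end && *p == ' ') p++;
    /* Bound the search by the bytes that remain after the pointer moved. */
    const char *hit = bounded_chr(p, ':', (size_t)(end - p));
    return hit ? (long)(hit - buf) : -1;
}

int main(void) {
    printf("logical length: %d\n", LOGICAL_LEN);
    printf("stale length -> match at offset %ld\n",
           find_colon_stale(arena, LOGICAL_LEN));
    printf("fixed length -> match at offset %ld\n",
           find_colon_fixed(arena, LOGICAL_LEN));
    return 0;
}
```

A match offset at or beyond the logical length means the search read memory the caller never handed over; on a real heap those bytes may be unmapped, which is consistent with the crash being hard to reproduce in a unit test.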
Note that a unit test for this crash cannot be provided because it is highly related to jemalloced memory.
#9 crash for Thunderbird 31, so topcrash

In bp-bb51026f-61bf-47cf-87cc-475972140726 I also see a rare nsParseMailMessageState::ParseHeaders() which is in a different location:
neil@2014 1038    if (!header && m_customDBHeaders.Length())
See Also: → 517456
Comment on attachment 8471458 [details] [diff] [review]
fix_crash_in_ParseHeaders.patch

Irving, can you take a quick look at this one?
Attachment #8471458 - Flags: review?(standard8) → review?(irving)
Comment on attachment 8471458 [details] [diff] [review]
fix_crash_in_ParseHeaders.patch

Review of attachment 8471458 [details] [diff] [review]:
-----------------------------------------------------------------

Nice fix, thanks.
Attachment #8471458 - Flags: review?(irving) → review+
Crash Signature: [@ PL_strnchr | nsParseMailMessageState::ParseHeaders() ]
I took the liberty of landing this as it's needed for the next 31 point release:

https://hg.mozilla.org/comm-central/rev/b8cf976ad548
Target Milestone: --- → Thunderbird 34.0
Comment on attachment 8471458 [details] [diff] [review]
fix_crash_in_ParseHeaders.patch

[Triage Comment]
Will take onto aurora straight away due to current trunk issues, will do beta/esr in a day or so.
Attachment #8471458 - Flags: approval-comm-esr31?
Attachment #8471458 - Flags: approval-comm-beta?
Attachment #8471458 - Flags: approval-comm-aurora+
https://hg.mozilla.org/releases/comm-aurora/rev/bf8943048f4b
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Attachment #8471458 - Flags: approval-comm-esr31?
Attachment #8471458 - Flags: approval-comm-esr31+
Attachment #8471458 - Flags: approval-comm-beta?
Attachment #8471458 - Flags: approval-comm-beta+