Closed
Bug 1052327
Opened 10 years ago
Closed 10 years ago
crash [@ PL_strnchr | nsParseMailMessageState::ParseHeaders() ]
Categories: MailNews Core :: Backend, defect
Tracking: thunderbird32 fixed, thunderbird33 fixed, thunderbird34 fixed, thunderbird_esr3132+ fixed
Status: RESOLVED FIXED
Target Milestone: Thunderbird 34.0
People: Reporter: hiro, Assigned: hiro
Keywords: crash, topcrash-thunderbird
Attachments (1 file)
984 bytes, patch | Irving: review+, standard8: approval-comm-aurora+, standard8: approval-comm-beta+, standard8: approval-comm-esr31+
Comment 1•10 years ago (Assignee)
'buf_length' is the length of the original 'buf', but the pointer 'buf' is incremented. So PL_strnchr causes a buffer overrun.
Assignee: nobody → hiikezoe
Attachment #8471458 - Flags: review?(standard8)
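The bounds error described in Comment 1, as an added example in C that is not the attached patch or Thunderbird code. The function names, the CR/LF skipping and the sample bytes are constructed for illustration, and `memchr` stands in for `PL_strnchr`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample. The first MSG_LEN bytes are the message buffer; the
 * bytes after it stand in for unrelated data that happens to follow it. */
#define MSG_LEN 12
static const char arena[] = "\r\n\r\nSubject " "To: neighbour";

/* Advance past leading CR/LF (the reason for the advance is an assumption;
 * the bug report only says the pointer is incremented). */
static const char *skip_eol(const char *p, const char *end) {
    while (p < end && (*p == '\r' || *p == '\n'))
        p++;
    return p;
}

/* Stale bound: buf_length still describes the original pointer, so the
 * search window runs past the buffer by the number of bytes skipped. */
ptrdiff_t find_colon_stale(const char *buf, size_t buf_length) {
    const char *p = skip_eol(buf, buf + buf_length);
    const char *colon = memchr(p, ':', buf_length); /* stand-in for PL_strnchr */
    return colon ? colon - buf : -1;
}

/* Corrected bound: search only the bytes that remain after the advance. */
ptrdiff_t find_colon_bounded(const char *buf, size_t buf_length) {
    const char *end = buf + buf_length;
    const char *p = skip_eol(buf, end);
    const char *colon = memchr(p, ':', (size_t)(end - p));
    return colon ? colon - buf : -1;
}

int main(void) {
    /* An offset >= MSG_LEN means the match came from outside the buffer. */
    printf("stale bound: offset %td (buffer is %d bytes)\n",
           find_colon_stale(arena, MSG_LEN), MSG_LEN);
    printf("bounded:     offset %td\n", find_colon_bounded(arena, MSG_LEN));
    return 0;
}
```

The sample keeps the over-read inside one array so the program stays well defined; against a real heap buffer the same stale length reads whatever memory follows the allocation.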
Comment 2•10 years ago (Assignee)
Note that a unit test for this crash cannot be provided because it is highly related to jemalloc'ed memory.
Comment 3•10 years ago
#9 crash for Thunderbird 31, so topcrash
in bp-bb51026f-61bf-47cf-87cc-475972140726 I also see a rare nsParseMailMessageState::ParseHeaders() which is in a different location
neil@2014 1038 if (!header && m_customDBHeaders.Length())
Keywords: crash, topcrash-thunderbird
See Also: → 517456
Updated•10 years ago
tracking-thunderbird_esr31: --- → 32+
Comment 4•10 years ago
Comment on attachment 8471458
fix_crash_in_ParseHeaders.patch
Irving, can you take a quick look at this one?
Attachment #8471458 - Flags: review?(standard8) → review?(irving)
Comment 5•10 years ago
Comment on attachment 8471458
fix_crash_in_ParseHeaders.patch
Review of attachment 8471458:
-----------------------------------------------------------------
Nice fix, thanks.
Attachment #8471458 - Flags: review?(irving) → review+
Updated•10 years ago
Crash Signature: [@ PL_strnchr | nsParseMailMessageState::ParseHeaders() ]
Comment 6•10 years ago
I took the liberty of landing this as it's needed for the next 31 point release:
https://hg.mozilla.org/comm-central/rev/b8cf976ad548
Target Milestone: --- → Thunderbird 34.0
Comment 7•10 years ago
Comment on attachment 8471458
fix_crash_in_ParseHeaders.patch
[Triage Comment]
Will take onto aurora straight away due to current trunk issues, will do beta/esr in a day or so.
Attachment #8471458 - Flags: approval-comm-esr31?
Attachment #8471458 - Flags: approval-comm-beta?
Attachment #8471458 - Flags: approval-comm-aurora+
Comment 8•10 years ago
Updated•10 years ago
Attachment #8471458 - Flags: approval-comm-esr31?
Attachment #8471458 - Flags: approval-comm-esr31+
Attachment #8471458 - Flags: approval-comm-beta?
Attachment #8471458 - Flags: approval-comm-beta+
Comment 9•10 years ago
status-thunderbird32: --- → fixed
Comment 10•10 years ago
status-thunderbird_esr31: --- → fixed
Updated•10 years ago
status-thunderbird34: --- → fixed