Closed Bug 1293245 Opened 8 years ago Closed 6 years ago

message with malformed email address makes Thunderbird hang 100% CPU load

Categories

(Thunderbird :: Message Reader UI, defect)

45 Branch
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 60.0

People

(Reporter: julian.robbins, Assigned: mkmelin)

Details

(Keywords: hang, perf, testcase)

Attachments

(3 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

Just started Thunderbird as usual. Emails arrived as usual over weekend.
Then application immediately goes unresponsive when it comes across the email which is saved in the attachments.



Actual results:

Thunderbird uses 100% of cpu, and continues like this until killed, or the problematic email is removed from mailbox.

I do not know exactly what the issue is but the email attached is what caused the particular issue. This was seen on Thunderbird running on Linux Mint, Manjaro and Windows 7, so is unlikely to be platform related. 


Expected results:

Email parsing should not have caused an issue. Roundcube and Android phone apps do not choke on this particular email, but probably render quite differently.
Severity: normal → major
Group: mail-core-security
Severity: major → critical
Keywords: hang, perf, testcase
Summary: Particular Email makes Thunderbird choke severely 100% load → message with malformed email address makes Thunderbird hang 100% CPU load
Status: UNCONFIRMED → NEW
Component: Untriaged → Message Reader UI
Ever confirmed: true
Oh, and one of my testcases eventually crashed bp-6317da0a-0f63-4b99-be03-26b7a2160808 OOM | large | js::AutoEnterOOMUnsafeRegion::crash | js::AutoEnterOOMUnsafeRegion::crash | js::TenuringTracer::moveToTenured

tested with 51.0a1
perhaps a variation of bug 693295?
Attachment #8778873 - Attachment mime type: application/x-extension-eml → text/plain
Attachment #8778983 - Attachment mime type: message/rfc822 → text/plain
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #3)
> perhaps a variation of bug 693295?

I also think (a) "hang 100% CPU load" part is similar to bug 693295.
(a-1) Tb perhaps interpreted the From: header as "collection of many correct mail addresses like abc@p.q.r".
(a-2) Due to too many mail addresses, phenomenon of "hang 100% CPU load" happens.
However, (c) "crash in comment #2" is different problem from bug 693295. 

For (a-1).
  "Corruption pattern by casual mail application programmer" is as follows.
  From: "Natalie Hamilton"  <{ abc001@p-001.q.r  | ... | abcNNN@p-NNN.q.r >
What is proper interpretation of malformed or broken message header?
How about ignoring such broken angle-mail-address pattern in header interpretation?
I believe that "Showing the broken From: header as-is at Header Box of Message Pane only" is sufficient in such case.
Or like bug 619493.
See Also: → 619493
I've encountered the same hang with a different, legitimate mail. Stripping down the mail in question shows that the problem is identical to this bug.

The hang here is caused by a bug during escaping of special characters (in the parser?) that leads to exponential growth of the extracted header field. I've attached a shortened mail "loop-e6.eml" which demonstrates the parsing problem:

> To: example0@example.com  example1@example.com  example2@example.com
>  example3@example.com  example4@example.com  example5@example.com

is expanded to

> "\"\\\"\\\\\\\"\\\\\\\\\\\\\\\"example0@example.com example1\\\\\\\\\\\\\\\"@example.com example2\\\\\\\"@example.com example3\\\"@example.com example4\"@example.com example5"@example.com

A similar pattern shows up for the from header when testing a cleaned up and shortened version of the test5.eml mail.
Increasing the number of example mail addresses to 18 already causes a noticeable delay when selecting that mail in Thunderbird. Using 36 addresses completely hangs Thunderbird making it unusable.

Merely receiving such a broken message hangs Thunderbird as soon as the global search indexer processes the mail.
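
Added example (not part of the comment above and not Thunderbird's parser code): a small model of the re-escaping pattern visible in the expanded header, showing why the output size doubles with each nesting level and how a length check computed up front avoids building it. The helper names, and the assumption of one quoting round per nesting level, are hypothetical.

```javascript
// Added illustration: hypothetical helpers that model repeated escaping.
function quoteOnce(s) {
  // Backslash-escape every existing backslash and quote, then wrap in quotes.
  return '"' + s.replace(/[\\"]/g, "\\$&") + '"';
}

// Apply the quoting step `levels` times to the accumulated text.
function requote(text, levels) {
  let out = text;
  for (let i = 0; i < levels; i++) out = quoteOnce(out);
  return out;
}

// Longest run of consecutive backslashes in s.
function longestBackslashRun(s) {
  let best = 0, run = 0;
  for (const ch of s) {
    run = ch === "\\" ? run + 1 : 0;
    if (run > best) best = run;
  }
  return best;
}

// Output length after `levels` rounds, computed without building the string.
// Each round doubles the number of quotes/backslashes and adds two quotes:
//   specials_k = (specials_0 + 2) * 2^k - 2
function predictedLength(text, levels) {
  const specials = (text.match(/[\\"]/g) || []).length;
  return text.length - specials + (specials + 2) * 2 ** levels - 2;
}

// Defensive wrapper: refuse to build output larger than maxLen characters.
function boundedRequote(text, levels, maxLen) {
  if (predictedLength(text, levels) > maxLen) {
    throw new RangeError("quoted header would exceed " + maxLen + " chars");
  }
  return requote(text, levels);
}

// Constructed sample input, taken from the shortened test mail's first address.
const sample = "example0@example.com";
console.log(longestBackslashRun(requote(sample, 5))); // longest run at 5 levels
console.log(predictedLength(sample, 36));             // size at 36 levels
```

In this model the quoting overhead alone is on the order of 2^37 characters at 36 levels, which is consistent with both the hang and the OOM crash signature reported in this bug.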
See Also: → CVE-2018-5161
Depends on: CVE-2018-5161
See Also: CVE-2018-5161
(In reply to Wayne Mery (:wsmwk) from comment #2)
> Oh, and one of my testcases eventually crashed
> bp-6317da0a-0f63-4b99-be03-26b7a2160808 OOM | large |
> js::AutoEnterOOMUnsafeRegion::crash | js::AutoEnterOOMUnsafeRegion::crash |
> js::TenuringTracer::moveToTenured
> 
> tested with 51.0a1

This is definitely a thing -  OOM | large | js::AutoEnterOOMUnsafeRegion::crash | js::AutoEnterOOMUnsafeRegion::crash | js::TenuringTracer::moveToTenured 
bp-e35267f2-ead9-436d-92f3-8b0690180129 "I tried to send a large amount of email addresses via Bcc, in one email and it the past I could do this. Not this time."

https://crash-stats.mozilla.com/signature/?product=Thunderbird&_sort=-email&_sort=user_comments&_sort=-date&signature=OOM%20%7C%20large%20%7C%20js%3A%3AAutoEnterOOMUnsafeRegion%3A%3Acrash%20%7C%20js%3A%3AAutoEnterOOMUnsafeRegion%3A%3Acrash%20%7C%20js%3A%3ATenuringTracer%3A%3AmoveToTenured&date=%3E%3D2018-01-11T08%3A15%3A48.000Z&date=%3C2018-02-11T08%3A15%3A48.000Z#comments
See Also: → 313426
Summary: message with malformed email address makes Thunderbird hang 100% CPU load → message with malformed email address makes Thunderbird hang 100% CPU load
Assignee: nobody → mkmelin+mozilla
Just for the record: Magnus is providing a patch in another bug that will fix this issue.
https://hg.mozilla.org/comm-central/rev/9d5235fbda18ee290a2731bb20126a6fda92452f
prevent hang with malformed headers. r=jorgk
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 60.0