Closed Bug 140133 Opened 23 years ago Closed 23 years ago

Stack overrun in nsMsgi18n.cpp

Categories

(Core :: Security, defect)

defect
Not set
normal

VERIFIED FIXED
mozilla1.0

People

(Reporter: security-bugs, Assigned: security-bugs)

Details

(Keywords: topembed, Whiteboard: [adt1] [ETA 04/26])

Attachments

(1 file)

http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgI18N.cpp

    545 static char charset[kMAX_CSNAME+1];
    546 char buffer[512];
    ...
    580 token = nsCRT::strtok(cp, seps, &newStr);
    581 if (token != NULL)
    582 {
    583   PL_strcpy(charset, token);
    584 }

As you may see, this is a classical stack overrun. An exploit path I have found so far is the following: attach char.html to a new HTML message and send it. Actual result: crash.

Definitely exploitable - charset is on the stack - the easiest buffer overflow.

    (gdb) frame 3
    Cannot access memory at address 0x47474747
    (gdb)
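The report above quotes the pattern and the patch title says what the fix does ("add bounds checking and null-termination"). The following is an added illustration, not code from the Mozilla tree or from the patch: it places the unbounded strcpy-into-a-fixed-stack-buffer pattern beside a bounded copy that always NUL-terminates and reports truncation, wrapped in a small Content-Type parser that tokenises on separators the way the quoted strtok loop does. The value of kMAX_CSNAME is not given on the page, so MAX_CSNAME = 63 is an assumption; the header strings, function names and the 512-byte scratch buffer size are constructed for the example. The overlong charset is built from 'G' (0x47) bytes, which is consistent with the 0x47474747 frame address in the gdb output, though the page does not say what char.html contained.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit: the page does not give kMAX_CSNAME's value, so 63 is a stand-in. */
#define MAX_CSNAME 63

/* Destination used by the demo functions below so results can be inspected. */
char g_charset[MAX_CSNAME + 1];

/* The pattern from the report: PL_strcpy(charset, token) with no length check.
 * Any token longer than the destination writes past the end of the stack buffer.
 * Shown for contrast; only ever called here with a short token. */
static void copy_charset_unbounded(char *charset, const char *token)
{
    strcpy(charset, token);
}

/* Hardened copy: never writes more than cap bytes, always NUL-terminates,
 * and tells the caller when the name was truncated so it can be rejected
 * instead of silently used. Returns 1 if the token fit, 0 if truncated. */
static int copy_charset_bounded(char *charset, size_t cap, const char *token)
{
    size_t len = strlen(token);
    if (cap == 0)
        return 0;
    if (len >= cap) {
        memcpy(charset, token, cap - 1);
        charset[cap - 1] = '\0';
        return 0;
    }
    memcpy(charset, token, len + 1);
    return 1;
}

/* Parse "text/html; charset=NAME" the way the bug's strtok loop does, but with
 * bounded copies. Returns 1 if a charset was found and fits, 0 if it was found
 * but truncated, -1 if no charset parameter is present (out is set to ""). */
int extract_charset(const char *content_type, char *out, size_t cap)
{
    char work[512];                      /* counterpart of buffer[512] in the report */
    size_t n = strlen(content_type);
    if (n >= sizeof work)
        n = sizeof work - 1;             /* bound the scratch copy as well */
    memcpy(work, content_type, n);
    work[n] = '\0';

    /* strtok is used to mirror the report; it modifies work[] and is not reentrant. */
    for (char *tok = strtok(work, " ;\t"); tok != NULL; tok = strtok(NULL, " ;\t")) {
        if (strncmp(tok, "charset=", 8) == 0)
            return copy_charset_bounded(out, cap, tok + 8);
    }
    if (cap)
        out[0] = '\0';
    return -1;
}

/* Constructed input: a charset that fits. */
int demo_fits(void)
{
    return extract_charset("text/html; charset=ISO-8859-1", g_charset, sizeof g_charset);
}

/* Constructed input: a 200-byte charset of 'G' (0x47) bytes, far past MAX_CSNAME.
 * With the unbounded copy this would overrun the stack; here it is truncated. */
int demo_overlong(void)
{
    char header[256] = "text/html; charset=";
    size_t i, start = strlen(header);
    for (i = start; i < start + 200; i++)
        header[i] = 'G';
    header[i] = '\0';
    return extract_charset(header, g_charset, sizeof g_charset);
}

int main(void)
{
    int rc;

    copy_charset_unbounded(g_charset, "UTF-8");   /* safe only because the token is short */
    printf("unbounded copy of short token: %s\n", g_charset);

    rc = demo_fits();
    printf("fits: rc=%d charset=%s\n", rc, g_charset);

    rc = demo_overlong();
    printf("overlong: rc=%d len=%zu (truncated, still NUL-terminated)\n", rc, strlen(g_charset));
    return 0;
}
```

The point of returning a truncation flag rather than just clamping is that a silently shortened charset name is still attacker-controlled input; a caller that needs an exact name should treat rc == 0 as a parse failure.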
Status: NEW → ASSIGNED
Keywords: nsbeta1
Whiteboard: patch, edt, adt, topembed
Target Milestone: --- → mozilla1.0
Comment on attachment 81027 [details] [diff] [review] Patch - add bounds checking and null-termination r=nhotta
Attachment #81027 - Flags: review+
Keywords: adt1.0.0
Comment on attachment 81027 [details] [diff] [review] Patch - add bounds checking and null-termination a=asa (on behalf of drivers) for checkin to the 1.0 branch.
Attachment #81027 - Flags: approval+
Attachment #81027 - Flags: approval+ → superreview+
Comment on attachment 81027 [details] [diff] [review] Patch - add bounds checking and null-termination sr=heikki
adding adt1.0.0+. Please check this in as soon as possible after getting drivers approval and add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+
Keywords: nsbeta1 → nsbeta1+, patch, topembed
Whiteboard: patch, edt, adt, topembed → [adt1] [ETA 04/26]
Mitch, could you check this into the branch today and mark this fixed1.0.0?
Fixed, on trunk and 1.0 branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED
Verified on 2002-04-30-trunk on WinNT. Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED
Verified on 2002-04-30-branch on WinNT. Marking verified as per developer comments.
Group: security?
