Closed Bug 140133 Opened 18 years ago Closed 18 years ago

Stack overrun in nsMsgi18n.cpp

Categories

(Core :: Security, defect)

defect
Not set

Tracking

()

VERIFIED FIXED
mozilla1.0

People

(Reporter: security-bugs, Assigned: security-bugs)

Details

(Keywords: topembed, Whiteboard: [adt1] [ETA 04/26])

Attachments

(1 file)

http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgI18N.cpp
545   static char charset[kMAX_CSNAME+1]; 
546   char buffer[512]; 
...
580       token = nsCRT::strtok(cp, seps, &newStr); 
581       if (token != NULL) 
582       { 
583         PL_strcpy(charset, token); 
584       } 

as you may see this is a classical stack overrun.
An exploit path I have so found is the following - attach char.html to html
new html message and send it - actual result crash.
Definitely exploitable - charset is on the stack - the easiest buffer
overflow.
(gdb) frame 3
Cannot access memory at address 0x47474747
(gdb)
Status: NEW → ASSIGNED
Keywords: nsbeta1
Whiteboard: patch, edt, adt, topembed
Target Milestone: --- → mozilla1.0
Comment on attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination

r=nhotta
Attachment #81027 - Flags: review+
Keywords: adt1.0.0
Comment on attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination

a=asa (on behalf of drivers) for checkin to the 1.0 branch.
Attachment #81027 - Flags: approval+
Attachment #81027 - Flags: approval+ → superreview+
Comment on attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination

sr=heikki
adding adt1.0.0+.  Please check this in as soon as possible after getting
drivers approval and add the fixed1.0.0 keyword.
Keywords: adt1.0.0adt1.0.0+
Keywords: nsbeta1nsbeta1+, patch, topembed
Whiteboard: patch, edt, adt, topembed → [adt1] [ETA 04/26]
Mitch, could you check this into the branch today and mark this fixed1.0.0?
Fixed, on trunk and 1.0 branch.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED
Verified on 2002-04-30-trunk on WinNT.

Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED
Verified on 2002-04-30-branch on WinNT.

Marking verified as per developer comments.
Group: security?
You need to log in before you can comment on or make changes to this bug.