Stack overrun in nsMsgi18n.cpp

VERIFIED FIXED in mozilla1.0

Status


Core
Security
VERIFIED FIXED
15 years ago
15 years ago

People

(Reporter: Mitchell Stoltz (not reading bugmail), Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

({topembed})

Trunk
mozilla1.0
topembed
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [adt1] [ETA 04/26])

Attachments

(1 attachment)

1022 bytes, patch
nhottanscp
: review+
Heikki Toivonen (remove -bugzilla when emailing directly)
: superreview+
http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgI18N.cpp
static char charset[kMAX_CSNAME+1];   // fixed-size destination (lines 545-546)
char buffer[512];
...
token = nsCRT::strtok(cp, seps, &newStr);   // lines 580-584
if (token != NULL)
{
  PL_strcpy(charset, token);   // no length check: token longer than kMAX_CSNAME overruns charset
}

As you may see, this is a classical stack overrun.
An exploit path I have found so far is the following: attach char.html to a
new HTML message and send it. Actual result: crash.
Definitely exploitable; charset is on the stack, the easiest buffer overflow.
(gdb) frame 3
Cannot access memory at address 0x47474747
(gdb)
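An added example, not the Mozilla code and not the attached patch: a bounded replacement for the `PL_strcpy(charset, token)` pattern quoted above, showing the length check and explicit NUL termination that the patch title describes. The `Content-Type`-style header input, the helper names (`copy_charset_bounded`, `extract_charset`) and the `kMAX_CSNAME` value of 63 are assumptions for the demonstration; the self-check inputs are constructed.

```c
/* Added example (not nsMsgI18N.cpp): bounded charset extraction.
 * The original copies a strtok() token into a fixed-size charset buffer
 * with no length check. Here every copy is checked against the
 * destination size and the result is always NUL-terminated. Names,
 * header format and kMAX_CSNAME are assumptions for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define kMAX_CSNAME 63          /* assumed fixed destination size */

/* Case-insensitive "does s start with prefix"; stops at the NUL of s. */
static bool starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Copy token into dst (capacity dstsize). Refuses anything that does not
 * fit together with its terminating NUL; on refusal dst is left as "" so
 * the caller never sees a partial or stale value. */
static bool copy_charset_bounded(char *dst, size_t dstsize, const char *token)
{
    size_t n = strlen(token);
    if (dstsize == 0) return false;
    if (n >= dstsize) {          /* token plus NUL would not fit */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, token, n + 1);   /* copies the terminating NUL as well */
    return true;
}

/* Pull the charset= value out of "type/subtype; charset=NAME" into a
 * fixed buffer. Same tokenizing shape as the original (strtok over a
 * separator set), but the scratch copy and the final copy are bounded. */
static bool extract_charset(const char *header, char *out, size_t outsize)
{
    char work[1024];
    const char *seps = " ;\t\r\n";

    if (outsize == 0) return false;
    out[0] = '\0';
    if (strlen(header) >= sizeof work) return false;   /* bound the scratch copy too */
    strcpy(work, header);

    for (char *tok = strtok(work, seps); tok; tok = strtok(NULL, seps))
        if (starts_with_ci(tok, "charset="))
            return copy_charset_bounded(out, outsize, tok + 8);
    return false;                 /* no charset parameter present */
}

/* --- self-checks on constructed inputs ---------------------------------- */

static bool normal_is_extracted(void)
{
    char charset[kMAX_CSNAME + 1];
    return extract_charset("text/html; charset=ISO-8859-1", charset, sizeof charset)
        && strcmp(charset, "ISO-8859-1") == 0;
}

/* Exactly kMAX_CSNAME characters fit; one more is rejected and yields "". */
static bool boundary_is_exact(void)
{
    char charset[kMAX_CSNAME + 1];
    char header[256] = "text/html; charset=";
    size_t base = strlen(header);

    memset(header + base, 'A', kMAX_CSNAME);
    header[base + kMAX_CSNAME] = '\0';
    if (!extract_charset(header, charset, sizeof charset) || strlen(charset) != kMAX_CSNAME)
        return false;

    memset(header + base, 'A', kMAX_CSNAME + 1);      /* one byte too long */
    header[base + kMAX_CSNAME + 1] = '\0';
    return !extract_charset(header, charset, sizeof charset) && charset[0] == '\0';
}

/* A header without charset= must not leave a stale value behind. */
static bool missing_is_reported(void)
{
    char charset[kMAX_CSNAME + 1] = "stale";
    return !extract_charset("text/plain", charset, sizeof charset) && charset[0] == '\0';
}

int main(void)
{
    printf("normal:   %s\n", normal_is_extracted() ? "ok" : "FAIL");
    printf("boundary: %s\n", boundary_is_exact() ? "ok" : "FAIL");
    printf("missing:  %s\n", missing_is_reported() ? "ok" : "FAIL");
    return 0;
}
```

The design choice worth noting is the `n >= dstsize` comparison: it reserves one byte for the terminator, so a token of exactly `kMAX_CSNAME` characters is the largest accepted, and anything longer is rejected outright rather than silently truncated, which keeps a charset name from being turned into a different, shorter name.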
(Assignee)

Comment 1

15 years ago
Created attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination
(Assignee)

Updated

15 years ago
Status: NEW → ASSIGNED
Keywords: nsbeta1
Whiteboard: patch, edt, adt, topembed
Target Milestone: --- → mozilla1.0

Comment 2

15 years ago
Comment on attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination

r=nhotta
Attachment #81027 - Flags: review+
(Assignee)

Updated

15 years ago
Keywords: adt1.0.0

Comment 3

15 years ago
Comment on attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination

a=asa (on behalf of drivers) for checkin to the 1.0 branch.
Attachment #81027 - Flags: approval+
Attachment #81027 - Flags: approval+ → superreview+
Comment on attachment 81027 [details] [diff] [review]
Patch - add bounds checking and null-termination

sr=heikki

Comment 5

15 years ago
adding adt1.0.0+.  Please check this in as soon as possible after getting
drivers approval and add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+

Updated

15 years ago
Keywords: nsbeta1 → nsbeta1+, patch, topembed
Whiteboard: patch, edt, adt, topembed → [adt1] [ETA 04/26]

Comment 6

15 years ago
Mitch, could you check this into the branch today and mark this fixed1.0.0?
(Assignee)

Comment 7

15 years ago
Fixed, on trunk and 1.0 branch.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED

Comment 8

15 years ago
Verified on 2002-04-30-trunk on WinNT.

Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED

Comment 9

15 years ago
Verified on 2002-04-30-branch on WinNT.

Marking verified as per developer comments.
Keywords: fixed1.0.0 → verified1.0.0
(Assignee)

Updated

15 years ago
Group: security?