Bug 140133 - Stack overrun in nsMsgi18n.cpp
Status: VERIFIED FIXED
Whiteboard: [adt1] [ETA 04/26]
Keywords: topembed
Product: Core
Classification: Components
Component: Security
Version: Trunk
Hardware/OS: All / All
Importance: -- normal
Target Milestone: mozilla1.0
Assigned To: Mitchell Stoltz (not reading bugmail)
QA Contact: bsharma
Reported: 2002-04-25 13:30 PDT by Mitchell Stoltz (not reading bugmail)
Modified: 2002-09-05 16:26 PDT

Attachments
Patch - add bounds checking and null-termination (1022 bytes, patch), 2002-04-25 13:31 PDT, Mitchell Stoltz (not reading bugmail)
nhottanscp: review+
hjtoi-bugzilla: superreview+

Description Mitchell Stoltz (not reading bugmail) 2002-04-25 13:30:14 PDT
http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgI18N.cpp
  static char charset[kMAX_CSNAME+1];
  char buffer[512];
...
      token = nsCRT::strtok(cp, seps, &newStr);
      if (token != NULL)
      {
        PL_strcpy(charset, token);
      }

As you can see, this is a classic stack overrun.
An exploit path I have found so far is the following: attach char.html to a new HTML message and send it. Actual result: crash.
Definitely exploitable: charset is on the stack, the easiest buffer overflow.
(gdb) frame 3
Cannot access memory at address 0x47474747
(gdb)
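The pattern in the description is an unbounded PL_strcpy of a parsed token into a fixed-size stack buffer. The patch attached to this bug is not reproduced on the page, so the following is an added example, not Mitchell's patch and not Mozilla code: it shows the same strtok-then-copy flow written with a bounded copy and explicit NUL-termination, plus a self-check that an over-long token is truncated rather than written past the buffer. kMAX_CSNAME's real value, the separator set, and standard C strtok in place of nsCRT::strtok are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Mozilla's kMAX_CSNAME; the real value is not on the bug page. */
#define kMAX_CSNAME 64

/* Outcome of a bounded copy. */
enum copy_result { COPY_INVALID = -1, COPY_OK = 0, COPY_TRUNCATED = 1 };

/* Bounded replacement for the unbounded PL_strcpy(charset, token) in the report:
 * never writes more than dest_size bytes and always leaves dest NUL-terminated.
 * Reports truncation so the caller can reject an over-long token if it wants. */
enum copy_result copy_charset_bounded(char *dest, size_t dest_size, const char *token)
{
    if (dest == NULL || dest_size == 0 || token == NULL)
        return COPY_INVALID;

    size_t len = strlen(token);
    if (len >= dest_size) {
        memcpy(dest, token, dest_size - 1);   /* keep what fits ... */
        dest[dest_size - 1] = '\0';           /* ... and terminate explicitly */
        return COPY_TRUNCATED;
    }
    memcpy(dest, token, len + 1);             /* includes the NUL */
    return COPY_OK;
}

/* Mirrors the strtok loop from the report using standard C strtok (the original
 * uses nsCRT::strtok; the separator set here is an assumption). The first token
 * is copied into the caller's fixed-size charset buffer with bounds checking. */
enum copy_result extract_charset(const char *input, char *charset, size_t charset_size)
{
    char buffer[512];                         /* same size as `buffer` in the report */
    static const char seps[] = " \t;=";

    /* strtok modifies its input, so work on a bounded copy first. */
    if (copy_charset_bounded(buffer, sizeof buffer, input) == COPY_INVALID)
        return COPY_INVALID;

    char *token = strtok(buffer, seps);
    if (token == NULL) {
        if (charset == NULL || charset_size == 0)
            return COPY_INVALID;
        charset[0] = '\0';
        return COPY_OK;
    }
    return copy_charset_bounded(charset, charset_size, token);
}

/* Self-check: a token far longer than the buffer must be truncated, still
 * NUL-terminated, and must not touch the guard byte placed just past the
 * buffer's logical end. Returns 1 when all three hold. */
int overlong_token_is_contained(void)
{
    char guarded[kMAX_CSNAME + 2];
    guarded[kMAX_CSNAME + 1] = 0x5A;          /* guard byte outside the buffer */

    char overlong[300];                       /* constructed over-long token */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    enum copy_result r = extract_charset(overlong, guarded, kMAX_CSNAME + 1);
    return r == COPY_TRUNCATED
        && strlen(guarded) == kMAX_CSNAME
        && guarded[kMAX_CSNAME + 1] == 0x5A;
}

int main(void)
{
    char charset[kMAX_CSNAME + 1];
    enum copy_result r = extract_charset("ISO-8859-1; q=0.5", charset, sizeof charset);
    printf("charset=\"%s\" result=%d\n", charset, (int)r);
    printf("over-long token contained: %s\n", overlong_token_is_contained() ? "yes" : "no");
    return 0;
}
```

Returning a distinct COPY_TRUNCATED result is the design point worth keeping: silently truncating a charset name is safe for the stack but may still produce a wrong charset, so a caller that cares can treat truncation as a parse failure instead of proceeding with a clipped name.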
Comment 1 Mitchell Stoltz (not reading bugmail) 2002-04-25 13:31:33 PDT
Created attachment 81027
Patch - add bounds checking and null-termination
Comment 2 nhottanscp 2002-04-25 13:35:46 PDT
Comment on attachment 81027
Patch - add bounds checking and null-termination

r=nhotta
Comment 3 Asa Dotzler [:asa] 2002-04-25 14:58:05 PDT
Comment on attachment 81027
Patch - add bounds checking and null-termination

a=asa (on behalf of drivers) for checkin to the 1.0 branch.
Comment 4 Heikki Toivonen (remove -bugzilla when emailing directly) 2002-04-25 14:58:16 PDT
Comment on attachment 81027
Patch - add bounds checking and null-termination

sr=heikki
Comment 5 scottputterman 2002-04-25 16:29:16 PDT
adding adt1.0.0+.  Please check this in as soon as possible after getting
drivers approval and add the fixed1.0.0 keyword.
Comment 6 scottputterman 2002-04-29 17:19:38 PDT
Mitch, could you check this into the branch today and mark this fixed1.0.0?
Comment 7 Mitchell Stoltz (not reading bugmail) 2002-04-30 12:31:52 PDT
Fixed, on trunk and 1.0 branch.
Comment 8 bsharma 2002-04-30 13:19:17 PDT
Verified on 2002-04-30-trunk on WinNT.

Marking verified as per above developer comments.
Comment 9 bsharma 2002-04-30 13:21:37 PDT
Verified on 2002-04-30-branch on WinNT.

Marking verified as per developer comments.
