
Stack overrun in nsMsgi18n.cpp

VERIFIED FIXED in mozilla1.0

Status

Product: Core
Component: Security
Status: VERIFIED FIXED
Reported: 15 years ago
Modified: 15 years ago

People

(Reporter: Mitchell Stoltz (not reading bugmail), Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Version: Trunk
Target Milestone: mozilla1.0
Keywords: topembed

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [adt1] [ETA 04/26])

Attachments

(1 attachment)

Patch - add bounds checking and null-termination (1022 bytes, patch)
nhottanscp: review+
Heikki Toivonen (remove -bugzilla when emailing directly): superreview+
http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgI18N.cpp
  static char charset[kMAX_CSNAME+1];   /* fixed-size destination */
  char buffer[512];                     /* 512 bytes, larger than charset */
  ...
      token = nsCRT::strtok(cp, seps, &newStr);
      if (token != NULL)
      {
        PL_strcpy(charset, token);      /* token length is never checked against kMAX_CSNAME */
      }

As you may see, this is a classical stack overrun.
An exploit path I have found so far is the following: attach char.html to a
new HTML message and send it. Actual result: crash.
Definitely exploitable - charset is on the stack - the easiest buffer
overflow.
(gdb) frame 3
Cannot access memory at address 0x47474747
(gdb)
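The pattern above, as an added example that is not Mozilla code and not part of this bug: a charset token is pulled out of a <meta> line and copied into a kMAX_CSNAME+1 buffer, first in the unbounded shape of the quoted snippet and then with the bounds check and explicit null-termination that the attached patch's title describes. The value of kMAX_CSNAME (63), the separator set, and every function and buffer name here are assumptions; the page names only the constant. The constructed hostile line fills the charset value with 'G' (0x47), the byte repeated in the 0x47474747 fault address from the gdb output, so the measured token length shows how far the unbounded copy would have written past the buffer. Note that the quoted snippet declares charset with static storage; the defect, an unmeasured copy, is the same wherever the destination lives.

```c
/* Added example, not Mozilla code: bounded charset extraction from a <meta>
 * line. kMAX_CSNAME's value, the separator set and all names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define kMAX_CSNAME 63
#define BENIGN_LINE \
    "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\">"

/* Characters that end a charset token inside a content="..." attribute. */
static const char seps[] = " \t\r\n\"'>;";

/* Return a pointer just past a case-insensitive "charset=", or NULL if absent. */
static const char *find_charset_value(const char *line)
{
    static const char key[] = "charset=";
    const size_t klen = sizeof key - 1;
    for (const char *p = line; *p != '\0'; p++) {
        size_t i = 0;
        while (i < klen && p[i] != '\0' && tolower((unsigned char)p[i]) == key[i])
            i++;
        if (i == klen)
            return p + klen;
    }
    return NULL;
}

/* Length of the token strtok would hand to PL_strcpy; 0 when there is none.
 * Measuring before copying is the whole fix: the quoted code never measured. */
size_t charset_token_length(const char *line)
{
    const char *v = find_charset_value(line);
    return v != NULL ? strcspn(v, seps) : 0;
}

/* The vulnerable shape, kept for comparison and never called with hostile
 * input here: a token longer than kMAX_CSNAME overruns charset_unsafe just as
 * PL_strcpy(charset, token) overran charset. */
static char charset_unsafe[kMAX_CSNAME + 1];
void parse_meta_charset_unsafe(const char *line)
{
    const char *v = find_charset_value(line);
    if (v == NULL)
        return;
    size_t len = strcspn(v, seps);
    memcpy(charset_unsafe, v, len);   /* len is never compared to the capacity */
    charset_unsafe[len] = '\0';
}

/* Hardened version: fills out (always NUL-terminated) and returns 1, or
 * returns 0 with out empty when the line has no charset or the token would
 * not fit. Rejecting beats silent truncation, which would quietly select a
 * different encoding name. */
int parse_meta_charset(const char *line, char out[kMAX_CSNAME + 1])
{
    out[0] = '\0';
    const char *v = find_charset_value(line);
    if (v == NULL)
        return 0;
    size_t len = strcspn(v, seps);
    if (len == 0 || len > kMAX_CSNAME)   /* bounds check */
        return 0;
    memcpy(out, v, len);
    out[len] = '\0';                     /* explicit null-termination */
    return 1;
}

/* Constructed hostile line: the charset value is `fill` bytes of 'G' (0x47,
 * the byte repeated in the reporter's 0x47474747 fault address). Returns the
 * line length, or 0 if it does not fit in cap bytes. */
size_t build_hostile_line(char *buf, size_t cap, size_t fill)
{
    static const char head[] = "<meta content=\"text/html; charset=";
    static const char tail[] = "\">";
    const size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    if (hl + fill + tl + 1 > cap)
        return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'G', fill);
    memcpy(buf + hl + fill, tail, tl + 1);   /* copies the terminating NUL too */
    return hl + fill + tl;
}

char demo_out[kMAX_CSNAME + 1];
char demo_line[512];

int main(void)
{
    int ok = parse_meta_charset(BENIGN_LINE, demo_out);
    printf("benign : accepted=%d charset=\"%s\" token length=%zu\n",
           ok, demo_out, charset_token_length(BENIGN_LINE));

    build_hostile_line(demo_line, sizeof demo_line, 300);
    ok = parse_meta_charset(demo_line, demo_out);
    printf("hostile: accepted=%d token length=%zu capacity=%d\n",
           ok, charset_token_length(demo_line), kMAX_CSNAME);
    return 0;
}
```

The hardened parser returns 0 rather than truncating: a charset name clipped to 63 bytes is still a syntactically plausible name, and a caller that proceeds with it has changed which decoder runs on the message, which is a different bug from the overrun but still one the attacker controls.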
(Assignee)

Comment 1

15 years ago
Created attachment 81027
Patch - add bounds checking and null-termination
(Assignee)

Updated

15 years ago
Status: NEW → ASSIGNED
Keywords: nsbeta1
Whiteboard: patch, edt, adt, topembed
Target Milestone: --- → mozilla1.0

Comment 2

15 years ago
Comment on attachment 81027
Patch - add bounds checking and null-termination

r=nhotta
Attachment #81027 - Flags: review+
(Assignee)

Updated

15 years ago
Keywords: adt1.0.0

Comment 3

15 years ago
Comment on attachment 81027
Patch - add bounds checking and null-termination

a=asa (on behalf of drivers) for checkin to the 1.0 branch.
Attachment #81027 - Flags: approval+
Attachment #81027 - Flags: approval+ → superreview+

Comment 4

15 years ago
Comment on attachment 81027
Patch - add bounds checking and null-termination

sr=heikki

Comment 5

15 years ago
adding adt1.0.0+.  Please check this in as soon as possible after getting
drivers approval and add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+

Updated

15 years ago
Keywords: nsbeta1 → nsbeta1+, patch, topembed
Whiteboard: patch, edt, adt, topembed → [adt1] [ETA 04/26]

Comment 6

15 years ago
Mitch, could you check this into the branch today and mark this fixed1.0.0?
(Assignee)

Comment 7

15 years ago
Fixed, on trunk and 1.0 branch.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED

Comment 8

15 years ago
Verified on 2002-04-30-trunk on WinNT.

Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED

Comment 9

15 years ago
Verified on 2002-04-30-branch on WinNT.

Marking verified as per developer comments.
Keywords: fixed1.0.0 → verified1.0.0
(Assignee)

Updated

15 years ago
Group: security?