Closed Bug 1411737 Opened 2 years ago Closed 2 years ago

TBE-01-016: Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header

Categories

(MailNews Core :: Attachments, defect, critical)

Tracking

(thunderbird_esr52 57+ fixed, thunderbird57 fixed, thunderbird58 fixed)

RESOLVED FIXED
Thunderbird 58.0

People

(Reporter: BenB, Assigned: mkmelin)

Details

(Keywords: crash, Whiteboard: TB 57 beta => TB 52.5 ESR )

Attachments

(1 file)

An issue which leads to a crash was attributed to a message with an incorrectly used X-Mozilla-Cloud-Part header being forwarded. Due to a null pointer dereference, Thunderbird exits with a segmentation fault and must be restarted. A relevant Proof of Concept is given in the following code snippet.

PoC.eml
To: test <test@localhost>
From: test
Content-Type: text/plain
X-Mozilla-Cloud-Part: bla

The X-Mozilla-Cloud-Part header can be used for attachments. If the Content-Type of an email is text/plain or text/html, this header leads to a null pointer being dereferenced.

Affected File:
/mailnews/mime/src/mimedrft.cpp

Affected Code:
if (!bodyAsAttachment)
{
  int64_t fileSize;
  nsCOMPtr<nsIFile> tempFileCopy;
  mdd->messageBody->m_tmpFile->Clone(getter_AddRefs(tempFileCopy));
  mdd->messageBody->m_tmpFile = do_QueryInterface(tempFileCopy);

It is recommended to verify the value of m_tmpFile before using this pointer for operations. Alternatively, this header could be ignored for messages without an attachment.

For the original report as PDF, see bug 1411701.
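The first recommendation above (verify m_tmpFile before using it), sketched as an added example that is neither part of the bug report nor the patch that landed. TmpFile, Attachment, DraftData, BodyStatus, PrepareBodyCopy and MakeDraft are stand-in names assumed for illustration; only mdd, messageBody, m_tmpFile and bodyAsAttachment come from the affected code, and the temp-file path is a constructed sample.

```cpp
#include <memory>
#include <string>

// Stand-in types (assumptions for this example, not Mozilla's classes).
struct TmpFile {
  std::string path;
  std::shared_ptr<TmpFile> Clone() const { return std::make_shared<TmpFile>(*this); }
};
struct Attachment {
  std::shared_ptr<TmpFile> m_tmpFile;  // null in the crash described above
};
struct DraftData {
  std::unique_ptr<Attachment> messageBody;
};

enum class BodyStatus { Ok, NoBody, NoTmpFile, CloneFailed };

// Guarded form of the affected block: each pointer is checked before it is
// dereferenced, and the caller receives a status instead of a segfault.
BodyStatus PrepareBodyCopy(DraftData* mdd, bool bodyAsAttachment) {
  if (bodyAsAttachment) return BodyStatus::Ok;  // block is skipped, as in the excerpt
  if (!mdd || !mdd->messageBody) return BodyStatus::NoBody;
  Attachment& body = *mdd->messageBody;
  if (!body.m_tmpFile) return BodyStatus::NoTmpFile;  // unguarded code crashed here
  std::shared_ptr<TmpFile> copy = body.m_tmpFile->Clone();
  if (!copy) return BodyStatus::CloneFailed;  // also check the clone itself
  body.m_tmpFile = copy;
  return BodyStatus::Ok;
}

// Constructed inputs: a body with or without a backing temp file.
DraftData MakeDraft(bool withTmpFile) {
  DraftData d;
  d.messageBody = std::make_unique<Attachment>();
  if (withTmpFile)
    d.messageBody->m_tmpFile = std::make_shared<TmpFile>(TmpFile{"/tmp/sample-body.tmp"});
  return d;
}

int main() {
  DraftData bad = MakeDraft(false), good = MakeDraft(true);
  bool ok = PrepareBodyCopy(&bad, false) == BodyStatus::NoTmpFile &&
            PrepareBodyCopy(&good, false) == BodyStatus::Ok;
  return ok ? 0 : 1;
}
```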
Not a security bug (null pointer)
Severity: normal → critical
Assignee: nobody → mkmelin+mozilla
Summary: Crash via proprietary X-Mozilla-Cloud-Part Header → Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header
Comment on attachment 8923076 [details] [diff] [review]
bug1411737_invalid_cloud_parth_crash.patch

I assume you tested it with the offending header. Please confirm.
Attachment #8923076 - Flags: review?(jorgk) → review+
Yes, I've tested it.
On a side note, it's kind of a funny behavior: when you set this header for the main content and try to forward, the forwarded content is blank. (The header is supposed to be used only for parts.)
I'll land this once we're unbusted again.
Keywords: checkin-needed
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/c28b7379ca06
Fix crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part header. r=jorgk CLOSED TREE
Status: NEW → RESOLVED
Closed: 2 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
I rebased it for you ;-)
Target Milestone: --- → Thunderbird 58.0
Attachment #8923076 - Flags: approval-comm-esr52+
Attachment #8923076 - Flags: approval-comm-beta+
Summary: Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header → TBE-01-016: Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header
Whiteboard: TB 57 beta => TB 52.5 ESR