Closed
Bug 1411737
Opened 7 years ago
Closed 7 years ago
TBE-01-016: Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header
Categories
(MailNews Core :: Attachments, defect)
Tracking
(thunderbird_esr5257+ fixed, thunderbird57 fixed, thunderbird58 fixed)
RESOLVED
FIXED
Thunderbird 58.0
People
(Reporter: BenB, Assigned: mkmelin)
Details
(Keywords: crash, Whiteboard: TB 57 beta => TB 52.5 ESR )
Attachments
(1 file)
1.14 KB,
patch
|
jorgk-bmo
:
review+
jorgk-bmo
:
approval-comm-beta+
jorgk-bmo
:
approval-comm-esr52+
|
Details | Diff | Splinter Review |
An issue which leads to a crash was attributed to a message with an incorrectly used X- Mozilla-Cloud-Part header being forwarded. Due to a null pointer dereference, Thunderbird exits with a segmentation fault and must be restarted. A relevant Proof of Concept is given in the following code snippet. PoC.eml To: test <test@localhost> From: test Content-Type: text/plain X-Mozilla-Cloud-Part: bla The X-Mozilla-Cloud-Part header can be used for attachments. If the Content-Type of an email is text/plain or text/html, this header leads to a nullpointer being dereferenced. Affected File: /mailnews/mime/src/mimedrft.cpp Affected Code: if (!bodyAsAttachment) { int64_t fileSize; nsCOMPtr<nsIFile> tempFileCopy; mdd->messageBody->m_tmpFile->Clone(getter_AddRefs(tempFileCopy)); mdd->messageBody->m_tmpFile = do_QueryInterface(tempFileCopy); It is recommended to verify the value of m_tmpFile before using this pointer for operations. Alternatively, this header could be ignored for messages without an attachment. For the original report as PDF; see bug 1411701.
Reporter | ||
Comment 1•7 years ago
|
||
Not a security bug (null pointer)
Reporter | ||
Updated•7 years ago
|
Severity: normal → critical
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → mkmelin+mozilla
Summary: Crash via proprietary X-Mozilla-Cloud-Part Header → Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header
Assignee | ||
Comment 2•7 years ago
|
||
Attachment #8923076 -
Flags: review?(jorgk)
Comment 3•7 years ago
|
||
Comment on attachment 8923076 [details] [diff] [review] bug1411737_invalid_cloud_parth_crash.patch I assume you tested it with the offending header. Please confirm.
Attachment #8923076 -
Flags: review?(jorgk) → review+
Assignee | ||
Comment 4•7 years ago
|
||
Yes, I've tested it. On a side note it's kind of a funny behavior when you set this header for the main content and try to forward, the forwarded content is blank. (The header is supposed to be used only for parts).
Pushed by mozilla@jorgk.com: https://hg.mozilla.org/comm-central/rev/c28b7379ca06 Fix crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part header. r=jorgk CLOSED TREE
Comment 7•7 years ago
|
||
I rebased it for you ;-)
status-thunderbird52:
--- → affected
status-thunderbird57:
--- → affected
status-thunderbird58:
--- → fixed
Target Milestone: --- → Thunderbird 58.0
Updated•7 years ago
|
Attachment #8923076 -
Flags: approval-comm-esr52+
Attachment #8923076 -
Flags: approval-comm-beta+
Updated•7 years ago
|
Summary: Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header → TBE-01-016: Crash when forwarding message with non-existent file in X-Mozilla-Cloud-Part Header
Comment 8•7 years ago
|
||
Beta (TB 57): https://hg.mozilla.org/releases/comm-beta/rev/2f70371c31db73e1028abc877d08a8883e8844c0
Updated•7 years ago
|
Whiteboard: TB 57 beta => TB 52.5 ESR
Comment 9•7 years ago
|
||
TB 52.5 ESR (should be tracking 57+): https://hg.mozilla.org/releases/comm-esr52/rev/bcccf1c02567
Updated•7 years ago
|
status-thunderbird52:
fixed → ---
status-thunderbird_esr52:
--- → fixed
Updated•7 years ago
|
tracking-thunderbird_esr52:
--- → 57+
You need to log in
before you can comment on or make changes to this bug.
Description
•