Closed Bug 1411745 Opened 2 years ago Closed 2 years ago

TBE-01-020: Crash (Null Pointer Exception) via SVG and Mailbox URI

Categories: Core :: DOM: Core & HTML, defect, priority not set, severity critical

Status: RESOLVED FIXED, target milestone mozilla59
Tracking Status:
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed
firefox59 --- fixed

People: Reporter: BenB, Assigned: mkmelin

Keywords: crash

Attachments: 2 files, 1 obsolete file

In continuation of bug 1411735, loading attachments via the mailbox:/// protocol handler inside an SVG structure in the main body was also tested. It was discovered that a mailbox URI specified in the <use> of an SVG triggers a null pointer exception inside Thunderbird, therefore crashing the application.

It must be noted that this behavior can also be evoked with the imap:// protocol handler. The latter nevertheless requires a number which needs to be brute-forced, so the PoC utilizes the mailbox:/// handler for this reason. The highlighted path needs to be adapted to reflect the location where the PoC is stored.

File:
Svgcrash.eml

Code:
Content-Type: multipart/alternative; boundary="------------2DEE3F98D70BD2C65FBA7373"
MIME-Version: 1.0
Subject: Link
Message-ID: test@test.com
To: email@email.com
From: email@email.com
Date: Sat, 23 Sep 2017 19:39:17 +0200

--------------2DEE3F98D70BD2C65FBA7373
Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"

--------------A320A96F6639F3C578F35383
Content-Type: text/html
Content-Transfer-Encoding: 7Bit
Message-ID: test@test.com

<html>
<head>
</head>
<body>
<h1>aaatest</h1>
<svg>
<use xlink:href="mailbox:///tmp/svgcrash.eml?
number=0&part=1.1.2&filename=abcb.svg#svg" height="300" width="300"/>
</svg>
--------------A320A96F6639F3C578F35383

Content-ID: abcd.svg
Content-Type: image/svg+xml
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="abcb.svg"

PHN2ZyB4bWxucz0naHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmcnIGlkPSJzdmciIHhtbG5zOnhsaW5r
PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGNpcmNsZSBzdHlsZT0icG9zaXRpb246IGZp
eGVkOyBib3R0b206IDA7IHJpZ2h0OiAwOyIgcj0iNDAwIiBmaWxsPSJibHVlIiBpZD0iYmlsZCI+Cjwv
Y2lyY2xlPgo8YSBocmVmPSJodHRwOi8vMTkyLjE2OC4wLjUyL2JpbGQuanBnIj4KPGNpcmNsZSByPSIy
MDAiIGZpbGw9InJlZCI+CjwvY2lyY2xlPgo8L2E+CjxpbWFnZSBpZD0ibGVhayIgeGxpbms6aHJlZj0i
Ii8+CjxzZXQgYXR0cmlidXRlTmFtZT0iZmlsbCIgeGxpbms6aHJlZj0iI2JpbGQiIGJlZ2luPSJiaWxk
Lm1vdXNlb3ZlciIgdG89InllbGxvdyIgLz4KPHNldCBhdHRyaWJ1dGVOYW1lPSJ4bGluazpocmVmIiB4
bGluazpocmVmPSIjbGVhayIgYmVnaW49IjNzIiB0bz0iaHR0cDovL2V4YW1wbGUuY29tL2xlYWtTVkdU
QkFBQSIgLz4KPHNldCBhdHRyaWJ1dGVOYW1lPSJ4bGluazpocmVmIiB4bGluazpocmVmPSIjbGVhayIg
YmVnaW49IjBzIiB0bz0iaHR0cDovL2V4YW1wbGUuY29tL2xlYWtTVkdUQkFBQSIgLz4KICAgPGZvcmVp
Z25PYmplY3Qgd2lkdGg9IjEwMCIgaGVpZ2h0PSI1MCIKICAgICAgICAgICAgICAgICAgIHJlcXVpcmVk
RXh0ZW5zaW9ucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+CiAgICAgIDwhLS0gWEhUTUwt
SW5oYWx0IHN0ZWh0IGhpZXIgLS0+CiAgICAgIDxib2R5IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8x
OTk5L3hodG1sIj4KCTxwbGFpbnRleHQ+CiAgICAgICAgPGEgaHJlZj0iQUFBQSIgaWQ9ImhlYWRsaW5l
Ij5IaWVyIGlzdCBlaW4gQWJzYXR6LCB3ZWxjaGVyIGVpbmVuIFplaWxlbnVtYnJ1Y2ggYmVub3RpZ3Qu
PC9hPgoJPHNjcmlwdD5hbGVydCg0NDQpPC9zY3JpcHQ+Cgk8L3BsYWludGV4dD4KICAgICAgPC9ib2R5
PgogICAgPC9mb3JlaWduT2JqZWN0Pgo8L3N2Zz4K

--------------A320A96F6639F3C578F35383--

--------------2DEE3F98D70BD2C65FBA7373--

Exception:
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:51829d46 mov ecx,dword ptr [eax]

It is recommended to check the implementation of the mailbox:/// and imap:/// protocol handlers in order to determine why they cause trouble in the SVG context. This could uncover even more vulnerabilities related to different file formats supported by Thunderbird.

For the original report as PDF, see bug 1411701.

Not a security bug, because null pointer.
Summary: Crash (Null Pointer Exception) via SVG and Mailbox URI → TBE-01-020: Crash (Null Pointer Exception) via SVG and Mailbox URI
I can't reproduce this crash. Not on trunk and not on 52 either. 
We did fix a number of these mailbox:// referencing bugs in the last year. Maybe it was tested with 45?
Anybody able to reproduce the crash?
Attachment #8926057 - Attachment mime type: message/rfc822 → text/plain
Doesn't crash for me. You should, however, join

<svg>
<use xlink:href="mailbox:///tmp/svgcrash.eml?
number=0&part=1.1.2&filename=abcb.svg#svg" height="300" width="300"/>
</svg>
to make it
<svg>
<use xlink:href="mailbox:///tmp/svgcrash.eml?number=0&part=1.1.2&filename=abcb.svg#svg" height="300" width="300"/>
</svg>

No?

The thing is, you should store that message as a stand-alone message in /tmp (which I can't do on Windows) and then open it from the file so the link inside the SVG references the message itself, or its part 1.1.2. Don't open it from a folder.

Have you tried that?
Attachment #8926057 - Attachment is obsolete: true
Attachment #8927567 - Attachment mime type: message/rfc822 → text/plain
It's crashing on null mTargetListener @ https://dxr.mozilla.org/comm-central/rev/cd7217cf05a2332a8fd7b498767a07b2c31ea657/mozilla/dom/base/nsDocument.cpp#1239

mTargetListener is null because catMan->GetCategoryEntry fails
https://dxr.mozilla.org/comm-central/rev/cd7217cf05a2332a8fd7b498767a07b2c31ea657/mozilla/dom/base/nsDocument.cpp#1194

I think the problem is that there's a mismatch: the category manager can't find a viewer for the eml, but data can still be loaded...

#0  0x00007fa16723abb5 in nsExternalResourceMap::PendingLoad::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (this=<optimized out>, aRequest=0x7fa1273a3c98, aContext=0x7fa1273a3b48, aStream=0x7fa13d0f8680, aOffset=0, aCount=1474)
    at /home/magnus/Code/comm-central/src/mozilla/dom/base/nsDocument.cpp:1241
#1  0x00007fa165ed8b54 in nsMimeBaseEmitter::Complete() (this=0x7fa137f3f100)
    at /home/magnus/Code/comm-central/src/mailnews/mime/emitters/nsMimeBaseEmitter.cpp:1041
#2  0x00007fa165ed83d0 in nsStreamConverter::OnStopRequest(nsIRequest*, nsISupports*, nsresult) (this=0x7fa13a71b700, request=0x7fa1273a3c98, ctxt=0x7fa1273a3b40, status=nsresult::NS_OK)
    at /home/magnus/Code/comm-central/src/mailnews/mime/src/nsStreamConverter.cpp:1060
#3  0x00007fa165cfce12 in nsMsgProtocol::OnStopRequest(nsIRequest*, nsISupports*, nsresult) (this=this@entry=0x7fa1273a3c90, request=request@entry=0x7fa13b171340, ctxt=ctxt@entry=0x7fa1273a3b40, aStatus=aStatus@entry=nsresult::NS_OK)
    at /home/magnus/Code/comm-central/src/mailnews/base/util/nsMsgProtocol.cpp:391
#4  0x00007fa165e7c473 in nsMailboxProtocol::OnStopRequest(nsIRequest*, nsISupports*, nsresult) (this=0x7fa1273a3c90, request=0x7fa13b171340, ctxt=0x7fa1273a3b40, aStatus=nsresult::NS_OK)
    at /home/magnus/Code/comm-central/src/mailnews/local/src/nsMailboxProtocol.cpp:416
#5  0x00007fa166063c2f in nsInputStreamPump::OnStateStop() (this=this@entry=0x7fa13b171340)
    at /home/magnus/Code/comm-central/src/mozilla/netwerk/base/nsInputStreamPump.cpp:704
#6  0x00007fa16606a12f in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (this=0x7fa13b171340, stream=<optimized out>)
    at /home/magnus/Code/comm-central/src/mozilla/netwerk/base/nsInputStreamPump.cpp:428
#7  0x00007fa165fa82d0 in SlicedInputStream::RunAsyncWaitCallback() (this=0x7fa14c3f7040)
    at /home/magnus/Code/comm-central/src/mozilla/xpcom/io/SlicedInputStream.cpp:341
#8  0x00007fa165fbb324 in nsInputStreamReadyEvent::Run() (this=0x7fa14675a6a0)
    at /home/magnus/Code/comm-central/src/mozilla/xpcom/io/nsStreamUtils.cpp:97
#9  0x00007fa165fded60 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fa163423c10, aMayWait=<optimized out>, aResult=0x7fff61975067)
    at /home/magnus/Code/comm-central/src/mozilla/xpcom/threads/nsThread.cpp:1037
#10 0x00007fa165fe72ba in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aThread@entry=0x7fa163423c10, aMayWait=aMayWait@entry=false)
    at /home/magnus/Code/comm-central/src/mozilla/xpcom/threads/nsThreadUtils.cpp:513
#11 0x00007fa1665131b2 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fa163472a40, aDelegate=0x7fa1634bd1c0)
    at /home/magnus/Code/comm-central/src/mozilla/ipc/glue/MessagePump.cpp:97
#12 0x00007fa1664b6391 in MessageLoop::RunInternal() (this=<optimized out>)
    at /home/magnus/Code/comm-central/src/mozilla/ipc/chromium/src/base/message_loop.cc:326
#13 0x00007fa1664b6391 in MessageLoop::RunHandler() (this=<optimized out>)
    at /home/magnus/Code/comm-central/src/mozilla/ipc/chromium/src/base/message_loop.cc:319
#14 0x00007fa1664b6391 in MessageLoop::Run() (this=<optimized out>)
    at /home/magnus/Code/comm-central/src/mozilla/ipc/chromium/src/base/message_loop.cc:299
#15 0x00007fa1684a7f99 in nsBaseAppShell::Run() (this=0x7fa15bef8ac0)
    at /home/magnus/Code/comm-central/src/mozilla/widget/nsBaseAppShell.cpp:158
#16 0x00007fa169abfdb6 in nsAppStartup::Run() (this=0x7fa15bdac290)
    at /home/magnus/Code/comm-central/src/mozilla/toolkit/components/startup/nsAppStartup.cpp:288
#17 0x00007fa169b637ee in XREMain::XRE_mainRun() (this=this@entry=0x7fff61975320)
    at /home/magnus/Code/comm-central/src/mozilla/toolkit/xre/nsAppRunner.cpp:4686
#18 0x00007fa169b6484b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7fff61975320, argc=argc@entry=6, argv=argv@entry=0x7fff61976658, aConfig=...)
    at /home/magnus/Code/comm-central/src/mozilla/toolkit/xre/nsAppRunner.cpp:4848
#19 0x00007fa169b64ca2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=6, argv=0x7fff61976658, aConfig=...)
    at /home/magnus/Code/comm-central/src/mozilla/toolkit/xre/nsAppRunner.cpp:4943
#20 0x000055678b1421d2 in do_main(int, char**, char**) (argc=6, argv=0x7fff61976658, envp=<optimized out>)
    at /home/magnus/Code/comm-central/src/mail/app/nsMailApp.cpp:232
#21 0x000055678b141aab in main(int, char**, char**) (argc=6, argv=0x7fff61976658, envp=0x7fff61976690)
    at /home/magnus/Code/comm-central/src/mail/app/nsMailApp.cpp:306
And the type it can't find a viewer for is application/x-unknown-content-type.
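The failure shape mkmelin traces above, a null mTargetListener dereferenced in PendingLoad::OnDataAvailable once GetCategoryEntry finds no content viewer for application/x-unknown-content-type, is worth seeing in isolation. The C++ below is an added example written for this page and is not Mozilla code: the class and function names, the registry and request stand-ins, and the 1474-byte chunk are constructed to mirror the report, and the guarded variant is one way to fail the load cleanly rather than a claim about what the landed patch does.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-ins for a few nsresult codes (the numeric values are
// Mozilla's; the enum is this example's own).
enum class Result : uint32_t {
    Ok = 0,
    NotAvailable = 0x80040111,  // NS_ERROR_NOT_AVAILABLE
    Failure = 0x80004005,       // NS_ERROR_FAILURE
};

// Minimal model of the request: the loader only needs to be able to cancel it.
struct Request {
    bool cancelled = false;
    Result status = Result::Ok;
    void Cancel(Result why) { cancelled = true; status = why; }
};

// Stand-in for nsIStreamListener.
struct StreamListener {
    virtual ~StreamListener() = default;
    virtual Result OnDataAvailable(Request&, const std::vector<uint8_t>& chunk) = 0;
};

struct SvgListener : StreamListener {
    std::size_t bytesSeen = 0;
    Result OnDataAvailable(Request&, const std::vector<uint8_t>& chunk) override {
        bytesSeen += chunk.size();
        return Result::Ok;
    }
};

// Stand-in for the category-manager lookup that maps a MIME type to a content
// listener. An unregistered type yields nullptr, which is what happened for
// application/x-unknown-content-type in the report.
class ListenerRegistry {
public:
    using Factory = std::function<std::shared_ptr<StreamListener>()>;
    void Register(const std::string& mime, Factory f) { factories_[mime] = std::move(f); }
    std::shared_ptr<StreamListener> Lookup(const std::string& mime) const {
        auto it = factories_.find(mime);
        if (it == factories_.end()) return nullptr;
        return it->second();
    }
private:
    std::map<std::string, Factory> factories_;
};

// Shape of the defect: the lookup result is stored without checking it and the
// start is reported as success, so the channel keeps pumping and the first
// chunk is forwarded through a null pointer (the read at address 0 in the
// report). Kept only to show the pattern; it is never fed data here.
class PendingLoadUnguarded {
public:
    Result OnStartRequest(const ListenerRegistry& reg, const std::string& mime) {
        mTargetListener = reg.Lookup(mime);  // may be null, not checked
        return Result::Ok;
    }
    Result OnDataAvailable(Request& req, const std::vector<uint8_t>& chunk) {
        return mTargetListener->OnDataAvailable(req, chunk);  // null deref
    }
    bool TargetIsNull() const { return mTargetListener == nullptr; }
private:
    std::shared_ptr<StreamListener> mTargetListener;
};

// Guarded version: a failed lookup cancels the request up front, and
// OnDataAvailable refuses to forward without a listener, so a chunk that still
// arrives after cancellation is dropped instead of dereferenced.
class PendingLoadGuarded {
public:
    Result OnStartRequest(Request& req, const ListenerRegistry& reg, const std::string& mime) {
        mTargetListener = reg.Lookup(mime);
        if (!mTargetListener) {
            req.Cancel(Result::NotAvailable);
            return Result::NotAvailable;
        }
        return Result::Ok;
    }
    Result OnDataAvailable(Request& req, const std::vector<uint8_t>& chunk) {
        if (!mTargetListener) {
            req.Cancel(Result::Failure);
            return Result::Failure;
        }
        return mTargetListener->OnDataAvailable(req, chunk);
    }
    std::shared_ptr<StreamListener> Target() const { return mTargetListener; }
private:
    std::shared_ptr<StreamListener> mTargetListener;
};

struct LoadOutcome {
    Result start;
    Result data;
    bool cancelled;
    std::size_t bytesDelivered;
};

// Drives one load of the given MIME type through the guarded path. The chunk is
// constructed: 1474 filler bytes, the count seen at the crashing call site.
LoadOutcome RunGuardedLoad(const std::string& mime) {
    ListenerRegistry reg;
    reg.Register("image/svg+xml", [] { return std::make_shared<SvgListener>(); });
    Request req;
    PendingLoadGuarded load;
    std::vector<uint8_t> chunk(1474, uint8_t{'x'});
    LoadOutcome out{};
    out.start = load.OnStartRequest(req, reg, mime);
    out.data = load.OnDataAvailable(req, chunk);
    out.cancelled = req.cancelled;
    auto svg = std::dynamic_pointer_cast<SvgListener>(load.Target());
    out.bytesDelivered = svg ? svg->bytesSeen : std::size_t{0};
    return out;
}

// Reports whether the unguarded loader would be holding a null listener after
// OnStartRequest, i.e. whether the next chunk would crash it.
bool UnguardedWouldDereferenceNull(const std::string& mime) {
    ListenerRegistry reg;
    reg.Register("image/svg+xml", [] { return std::make_shared<SvgListener>(); });
    PendingLoadUnguarded load;
    load.OnStartRequest(reg, mime);
    return load.TargetIsNull();
}
```

Any C++11 compiler builds this. The point the example makes is that a content-type lookup is a fallible step in a load pipeline and must terminate the load on failure; both the early cancel and the check at the data-delivery site are needed, because the start and the data callbacks are separate events and the code path between them is not under the loader's control.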
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #8933938 - Flags: review?(bugs)
Attachment #8933938 - Flags: review?(bugs) → review+
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2a01f65ec8af
crash for svg linking to mailbox URI. r=smaug
Component: Attachments → DOM
Product: MailNews Core → Core
Version: 57 → Trunk
https://hg.mozilla.org/mozilla-central/rev/2a01f65ec8af
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Please request Beta approval on this when you get a chance. AFAICT, 52 is also affected, but I doubt it meets the criteria for ESR52 uplift. Feel free to nominate it if you feel strongly about it, though.
Flags: needinfo?(mkmelin+mozilla)
Comment on attachment 8933938 [details] [diff] [review]
bug1411745_svg_eml_crash.patch

Approval Request Comment
[User impact if declined]: may crash
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: I don't know of an easy way to reproduce in Firefox. (The case came up in Thunderbird)
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: just preventing a crash
[String changes made/needed]: none
Flags: needinfo?(mkmelin+mozilla)
Attachment #8933938 - Flags: approval-mozilla-beta?
Comment on attachment 8933938 [details] [diff] [review]
bug1411745_svg_eml_crash.patch

Avoid a crash. Beta58+.
Attachment #8933938 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Jörg, we should take this on our 52 branch. Using needinfo since there's no comm-approval in this component.
Component: DOM → DOM: Core & HTML