Closed Bug 1546056 Opened 9 months ago Closed 9 months ago
Possible Out-of-bounds access in mork
Comment on attachment 9059766 1546056-fix-potential-morkwriter-bufferoverrun.patch

Thanks. It appears that the length of the `groupID` is limited by `morkWriter_kGroupBufSize`, but then there is code that checks it separately:

```
mork_fill idFill = ev->TokenAsHex(p, groupID);
mWriter_GroupBufFill = 0;
// ev->TokenAsHex(mWriter_GroupBuf, groupID);
if ( idFill < morkWriter_kGroupBufSize )
```

By that time, we've already written to `buf` via `p`, hmm.
Attachment #9059766 - Flags: review?(jorgk) → review+
Component: General → Database
Product: Thunderbird → MailNews Core
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 68.0
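The ordering problem raised in the review comment above, shown as an added example that is not Thunderbird's mork code or the attached patch: a write-then-check routine beside a check-then-write one. All function names, the 16-byte backing array and the logical capacity of 4 are constructed for illustration; the backing array is oversized on purpose so the overrun can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Digits needed to print token in hex (at least one). */
static size_t hex_len(uint32_t token) {
    size_t n = 1;
    while (token >>= 4) n++;
    return n;
}

/* Unbounded writer: hex digits plus NUL; trusts the caller for space. */
static size_t token_as_hex(char *out, uint32_t token) {
    static const char digits[] = "0123456789ABCDEF";
    size_t n = hex_len(token);
    for (size_t i = 0; i < n; i++)
        out[n - 1 - i] = digits[(token >> (4 * i)) & 0xF];
    out[n] = '\0';
    return n;
}

/* Write first, compare afterwards. Returns how many bytes landed past
 * the logical capacity `cap`; the check can only report, not prevent. */
static size_t write_then_check(char *backing, size_t cap, uint32_t token) {
    size_t fill = token_as_hex(backing, token);   /* write happens here */
    if (fill < cap) return 0;                     /* fits, NUL included */
    return fill + 1 - cap;                        /* too late: already written */
}

/* Length is known before any byte is stored, so reject up front.
 * Returns digits written, or 0 if the token does not fit. */
static size_t check_then_write(char *buf, size_t cap, uint32_t token) {
    if (hex_len(token) + 1 > cap) return 0;
    return token_as_hex(buf, token);
}

int main(void) {
    char backing[16];                 /* constructed: oversized on purpose */
    memset(backing, 'Z', sizeof backing);
    printf("late check overran by %zu bytes\n",
           write_then_check(backing, 4, 0xABCDEu));
    memset(backing, 'Z', sizeof backing);
    printf("early check wrote %zu digits\n",
           check_then_write(backing, 4, 0xABCDEu));
    return 0;
}
```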