Closed Bug 158334 Opened 22 years ago Closed 22 years ago

Random crash after doing a forward inline

Categories

(MailNews Core :: MIME, defect, P1)

Tracking

(Not tracked)

VERIFIED FIXED
mozilla1.1beta

People

(Reporter: bugzilla, Assigned: bugzilla)

References

Details

(Keywords: crash, Whiteboard: [adt2 RTM] [ETA 07/23])

Attachments

(1 file)

When doing forward inline of a message with another message attached in it, the
memory get corrupted which lead to random crash. This problem is very easy to
reproduce under MacOS X after you have applied the patch for bug 156958.

Step to reproduce the problem:
1) Send a message to yourself (I personnaly encrypt & sign it but I don't know
if it's matter)
2) Get the message and forward it as attachment
3 [details] [diff] [review]) Get the forwarded message and forward it inline
==> You might crash at any time now, if not, repeat step 3 couple times...
The crash occurs in the MacMemory Allocator code while freeing memory, but the
stack trace is not always the same. This is cause by a memory corruption which
destroy the information (especially the size) of a block which is just in front
of the memory block itself. Either the Mac Memory Allocator code crash right
away when the corrupted block is freed (in Block_Link) or the Mac Memory
Allocator will owerwrite another section of the memory which could cause
catastrophic result.

So far I have seen the crash only on Mac but the initial memory corruption exist
on all platform. Here is the offending code that cause the initial memory
corruption:

mimedrft.cpp, line 1836
     PL_strcat(newAttachment->real_name, ".eml");

The problem is that newAttachment->real_name pointer is the size of the string
it hold. Therefore when PL_strcat appends ".eml" to it, the next block in memory
get overwritten.

This potential crash exist since June 15, 2001 (this is caused by fix for bug 75449)
Severity: normal → major
Status: NEW → ASSIGNED
Keywords: crash, nsbeta1
Priority: -- → P1
Target Milestone: --- → mozilla1.1beta
Attached patch Proposed fix, v1Splinter Review
PR_smprintf will take care or allocating the needed memory
Comment on attachment 91965 [details] [diff] [review]
Proposed fix, v1

r=varada
Attachment #91965 - Flags: review+
Comment on attachment 91965 [details] [diff] [review]
Proposed fix, v1

sr=bienvenu
Attachment #91965 - Flags: superreview+
Nice catch. Just goes to show that strcat and friends are evil.
Comment on attachment 91965 [details] [diff] [review]
Proposed fix, v1

a=scc for checkin to the mozilla trunk
Attachment #91965 - Flags: approval+
QA Contact: gayatri → meehansqa
Blocks: 143047
Whiteboard: [adt2 RTM] [ETA 07/20]
adt1.0.1 (on ADT's behalf) approval for checkin to the 1.0 branch, pending
drivers' approval. pls check this in asap, then replace "mozilla1.0.1+" with
"fixed1.0.1". thanks!
Keywords: adt1.0.1adt1.0.1+
Fix checked in the trunk.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
a=chofmann for the branch
marking as "mozilla1.0.1+" per Comment #9 From chris hofmann.
Fix checked in the branch
marking as fixed1.0.1 per Comment #11 From Jean-Francois Ducarroz.
Whiteboard: [adt2 RTM] [ETA 07/20] → [adt2 RTM] [ETA 07/23]
Verified this bug using 20020723 branch build on MacOSX (platform reported on)
as well as Mac9.1 and Win2K. To verify this test, I repeated reporter's step 3
ten times, and no crash. Performed as expected.
Marking as VERIFIED
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: