Closed Bug 2001729 Opened 5 months ago Closed 29 days ago

Crash in [@ memcpy | nsCharTraits<T>::copy] via nsParseMailMessageState::FinalizeHeaders

Categories

(Thunderbird :: General, defect)

Thunderbird 136
defect

Tracking

(thunderbird_esr140 affected, thunderbird150 affected)

RESOLVED FIXED
151 Branch

People

(Reporter: wsmwk, Assigned: welpy-cw)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, topcrash-thunderbird)

Attachments

(1 file)

~ #13 ranked for 140.5.0esr by combined crash count.

Continues in version 140 and newer, after fix in Bug 1954381 - Crash in [@ memcpy | nsCharTraits<T>::copy] via nsParseMailMessageState::FinalizeHeaders

Crash report: https://crash-stats.mozilla.org/report/index/47ba52b8-6641-41c8-9b92-24cd30251121 140.5.0esr

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  VCRUNTIME140.dll  memcpy()  D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm:304
1  xul.dll  nsCharTraits<char>::copy(char*, char const*, unsigned long long)  xpcom/string/nsCharTraits.h:315
1  xul.dll  nsTSubstring<char>::Append(char const*, unsigned long long, std::nothrow_t co...  xpcom/string/nsTSubstring.cpp:861
2  xul.dll  nsTSubstring<char>::Append(char const*, unsigned long long)  xpcom/string/nsTSubstring.cpp:814
3  xul.dll  nsParseMailMessageState::FinalizeHeaders::<lambda_0>::operator()(nsTArray<Hea...  mailnews/local/src/nsParseMailbox.cpp:850
3  xul.dll  nsParseMailMessageState::FinalizeHeaders()  mailnews/local/src/nsParseMailbox.cpp:858
4  xul.dll  nsParseMailMessageState::ParseFolderLine(char const*, unsigned int)  mailnews/local/src/nsParseMailbox.cpp:468
5  xul.dll  nsParseMailMessageState::ParseAFolderLine(char const*, unsigned int)  mailnews/local/src/nsParseMailbox.cpp:453
6  xul.dll  StoreIndexer::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long lon...  mailnews/local/src/StoreIndexer.cpp:181
7  xul.dll  nsInputStreamPump::OnStateTransfer()  netwerk/base/nsInputStreamPump.cpp:585

https://crash-stats.mozilla.org/report/index/d2e2c384-1410-4e53-a3a9-50b030251121 145.0

--

Crash report: https://crash-stats.mozilla.org/report/index/1c981e88-ef43-4928-ab34-09ddd0251121 140.5.0esr

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  VCRUNTIME140.dll  memcpy_avx_ermsb_Intel()  D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\Intel\memcpy_avx_ermsb_aligned.asm:231
1  xul.dll  nsCharTraits<char>::copy(char*, char const*, unsigned long long)  xpcom/string/nsCharTraits.h:315
1  xul.dll  nsTSubstring<char>::Append(char const*, unsigned long long, std::nothrow_t co...  xpcom/string/nsTSubstring.cpp:861
2  xul.dll  nsTSubstring<char>::Append(char const*, unsigned long long)  xpcom/string/nsTSubstring.cpp:814
3  xul.dll  nsParseMailMessageState::FinalizeHeaders::<lambda_0>::operator()(nsTArray<Hea...  mailnews/local/src/nsParseMailbox.cpp:850
3  xul.dll  nsParseMailMessageState::FinalizeHeaders()  mailnews/local/src/nsParseMailbox.cpp:858
4  xul.dll  nsParseMailMessageState::ParseFolderLine(char const*, unsigned int)  mailnews/local/src/nsParseMailbox.cpp:468
5  xul.dll  nsParseMailMessageState::ParseAFolderLine(char const*, unsigned int)  mailnews/local/src/nsParseMailbox.cpp:453
6  xul.dll  StoreIndexer::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long lon...  mailnews/local/src/StoreIndexer.cpp:181
7  xul.dll  nsInputStreamPump::OnStateTransfer()  netwerk/base/nsInputStreamPump.cpp:585

https://crash-stats.mozilla.org/report/index/b56e20d0-6569-4f3a-876a-a323d0251121 145.0

Version: unspecified → Thunderbird 136

This patch resolves an intermittent crash and mailbox index corruption
issue within the local mailbox parser caused by transient database failures.

  • State Machine Fix: Ensure the parser always transitions to
    nsIMsgParseMailMsgState::ParseBodyState when an empty line is
    encountered. Previously, an early return via NS_ENSURE_SUCCESS
    on database failure trapped the parser in ParseHeadersState,
    causing it to buffer the entire email body into m_headers.
    This forced a reallocation that left m_toList/m_ccList with
    dangling pointers, leading to a UAF on the next pass.
  • Offset Synchronization: Utilized mozilla::MakeScopeExit to guarantee
    m_position is updated with lineLength regardless of early returns,
    preventing index desynchronization.
  • Strict Validation Trap: Removed the NS_ERROR_UNEXPECTED return
    for missing trailing newlines (introduced in Bug 1250723). Replaced
    it with MsgLogToConsole4 to warn the user without aborting the
    parse and destroying the mailbox index.
  • Performance: Preallocated 16KB for the m_headers vector via reserve()
    to eliminate geometric growth overhead during normal header parsing.
Assignee: nobody → h.w.forms
Status: NEW → ASSIGNED
Severity: -- → S3
Crash Signature: [@ memcpy | nsCharTraits<T>::copy ] [@ memcpy_avx_ermsb_Intel | nsCharTraits<T>::copy ] → [@ memcpy | nsCharTraits<T>::copy ] [@ memcpy_avx_ermsb_Intel | nsCharTraits<T>::copy ] [@ memcpy_avx_ermsb_amd | nsCharTraits<T>::copy ] [@ nsCharTraits<T>::copy ] [@ memcpy_sse2_ermsb_Intel | nsCharTraits<T>::copy ] [@ memcpy_repmovs_Intel | nsChar…
Target Milestone: --- → 151 Branch
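The patch notes above describe a classic pointer-invalidation bug: address-list entries point into a growable header buffer, the header state machine gets stuck because of an early return, the whole body is appended into that buffer, the append reallocates, and the saved pointers dangle. The following is an added illustration written for this page; it is not Thunderbird's code. `MboxHeaderParser`, `headers_`, `toList_` and `run()` are stand-ins for `nsParseMailMessageState`, `m_headers`, `m_toList` and the parse loop, the 16 KiB reservation is the figure quoted from the patch notes, and the simulated "database failure" and the sample message are constructed for the demo. It shows the trapped state (raw pointers into the buffer become stale after the body is misrouted into it) next to the fixed ordering (state change before the fallible step), and keeps an offset-based reference alongside the raw pointer to show a representation that survives reallocation.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

enum class State { Headers, Body };

// One saved reference into the header buffer, kept two ways: as a raw pointer
// (which dangles when the buffer reallocates) and as an offset (which does not).
struct HeaderRef {
  const char* ptr;     // raw pointer into headers_ at capture time (hazard)
  std::size_t offset;  // position in headers_, valid across reallocation
  std::size_t length;
};

class MboxHeaderParser {
 public:
  // transitionFirst: move to Body *before* the fallible finalize step (the fix).
  // dbFails: simulate the transient database failure the bug describes.
  MboxHeaderParser(bool transitionFirst, bool dbFails)
      : transitionFirst_(transitionFirst), dbFails_(dbFails) {
    headers_.reserve(16 * 1024);  // mirrors the patch's 16 KiB preallocation
  }

  void parseLine(const std::string& line) {
    if (state_ == State::Body) {
      body_ += line;
      body_ += '\n';
      return;
    }
    if (line.empty()) {  // blank line: end of headers
      if (transitionFirst_) state_ = State::Body;
      if (dbFails_) return;  // early return: without transitionFirst_ we stay in Headers
      state_ = State::Body;
      return;
    }
    // Header line: append into the growable buffer. std::vector guarantees no
    // reallocation while size() <= capacity(), so the reservation protects
    // normal-sized headers; a 20 KB body routed here must reallocate.
    std::size_t start = headers_.size();
    headers_.insert(headers_.end(), line.begin(), line.end());
    headers_.push_back('\n');
    if (line.rfind("To: ", 0) == 0) {
      std::size_t valueOffset = start + 4;
      toList_.push_back({headers_.data() + valueOffset, valueOffset, line.size() - 4});
    }
  }

  // A raw pointer is still usable only if the buffer never moved since capture.
  bool rawPointersValid() const {
    for (const auto& r : toList_)
      if (r.ptr != headers_.data() + r.offset) return false;
    return true;
  }

  // Offset-based access resolves against the current buffer address.
  std::string toAddress(std::size_t i) const {
    const auto& r = toList_[i];
    return std::string(headers_.data() + r.offset, r.length);
  }

  State state() const { return state_; }
  std::size_t headerBytes() const { return headers_.size(); }

 private:
  bool transitionFirst_, dbFails_;
  State state_ = State::Headers;
  std::vector<char> headers_;
  std::string body_;
  std::vector<HeaderRef> toList_;
};

// Constructed sample message: three headers, the blank separator, and a body
// larger than the 16 KiB reservation.
inline std::vector<std::string> sampleMessage() {
  return {"From: alice@example.invalid", "To: bob@example.invalid", "Subject: test", "",
          std::string(20000, 'x')};
}

struct Outcome {
  State finalState;
  bool rawPointersValid;
  std::size_t headerBytes;
  std::string firstTo;
};

inline Outcome run(bool transitionFirst, bool dbFails) {
  MboxHeaderParser p(transitionFirst, dbFails);
  for (const auto& l : sampleMessage()) p.parseLine(l);
  return {p.state(), p.rawPointersValid(), p.headerBytes(), p.toAddress(0)};
}

int main() {
  for (bool fix : {false, true}) {
    Outcome o = run(fix, /*dbFails=*/true);
    std::cout << (fix ? "fixed  " : "trapped") << ": state="
              << (o.finalState == State::Body ? "Body" : "Headers")
              << " headerBytes=" << o.headerBytes
              << " rawPointersValid=" << o.rawPointersValid
              << " to(offset)=" << o.firstTo << '\n';
  }
  return 0;
}
```

In the trapped configuration the 20 KB body lands in the header buffer, the buffer grows past its reservation and moves, and every raw pointer captured earlier points at freed memory; dereferencing one is the read access violation in the crash signatures. Transitioning state before the fallible step keeps the body out of the buffer, and an offset (or index) representation for the address lists would remove the dependency on the buffer's address altogether.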

Pushed by benc@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/787dbdebdf19
Fix UAF and state machine trap in nsParseMailMessageState. r=BenC

Status: ASSIGNED → RESOLVED
Closed: 29 days ago
Resolution: --- → FIXED
Blocks: 1907773