Bug 249675: IMAP parser: multi-line quoted strings can crash mozilla

Status: RESOLVED FIXED (Closed)
Opened 20 years ago, Closed 20 years ago
Categories: MailNews Core :: Networking: IMAP, defect
Tracking: Not tracked
People: Reporter: engel, Assigned: engel
Keywords: crash

Attachments (2 files):
- 2.81 KB, patch (Bienvenu: review+, dmosedale: superreview+)
- 1.25 KB, application/x-perl

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040622
Build Identifier:

In |nsIMAPGenericParser::CreateQuoted|, quoted strings which stretch over several lines (e.g. "multi-\r\nline") are not handled correctly. This leads to illegal pointers in |nsIMAPGenericParser| and eventually to a crash. Note that such quoted strings, containing CR or LF, violate the IMAP standard.

Reproducible: Always
Steps to Reproduce:

Comment 1 (Assignee) • 20 years ago

In |CreateQuoted()|, when the end of the quoted string is found, the offsets of the current-line strings used for parsing must be adjusted. The current code uses |returnString.Length()| as offset. However, |returnString| could result as a concatenation of several input lines. This offset is then used on the current line, which might be much shorter. Consequently, |fCurrentTokenPlaceHolder| might be shifted to invalid memory regions! Moreover, |*fCurrentTokenPlaceHolder| will be accessed (and possibly overwritten) just in the following line. The memory error occurs in lines 500 and 501:

    fCurrentTokenPlaceHolder += escapeCharsCut + charIndex + 1 - strlen(fNextToken);
    if (!*fCurrentTokenPlaceHolder)
Keywords: crash

Comment 2 (Assignee) • 20 years ago

Testing nsIMAPGenericParser with a multi-line quoted string leads to a segfault, as expected.

Comment 3 (Assignee) • 20 years ago

Are there IMAP servers which return LFs in quoted strings (violating the standards)? If so, we should fix the code which adjusts the tokenizer offsets in |CreateQuoted()|. Otherwise, we should enforce the IMAP standard for strings containing LFs and flag a syntax error.
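
The second option raised in comment 3, rejecting quoted strings that contain CR or LF, shown as an added example (this is not the attached patch and not Mozilla's code). It follows the quoted-string grammar of RFC 3501 and computes the consumed-byte offset on the current line only; the function name, result codes and sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { QS_OK = 0, QS_SYNTAX = -1, QS_TOO_LONG = -2 };

/* Parse one IMAP quoted string that must begin and end inside line[0..len).
 * On success the unescaped value is in out and *consumed is the number of
 * input bytes used, counted on the current line (never derived from the
 * length of out, which differs once escapes have been removed). */
int parse_quoted(const char *line, size_t len, char *out, size_t outsz,
                 size_t *consumed)
{
    size_t o = 0;
    if (outsz == 0) return QS_TOO_LONG;
    if (len == 0 || line[0] != '"') return QS_SYNTAX;
    for (size_t i = 1; i < len; i++) {
        char c = line[i];
        if (c == '\r' || c == '\n' || c == '\0')
            return QS_SYNTAX;        /* CR, LF and NUL are illegal in a quoted string */
        if (c == '"') {              /* closing quote found on this line */
            out[o] = '\0';
            *consumed = i + 1;       /* i < len, so this is always <= len */
            return QS_OK;
        }
        if (c == '\\') {             /* only \" and \\ are valid escapes */
            if (++i >= len || (line[i] != '"' && line[i] != '\\'))
                return QS_SYNTAX;
            c = line[i];
        }
        if (o + 1 >= outsz)          /* keep room for the terminator */
            return QS_TOO_LONG;
        out[o++] = c;
    }
    return QS_SYNTAX;                /* line ended without a closing quote */
}

int main(void)
{
    /* Constructed sample inputs, not taken from the bug's test script. */
    const char *samples[] = { "\"INBOX\" NIL", "\"a\\\"b\"", "\"multi-\r\nline\"" };
    for (size_t k = 0; k < sizeof samples / sizeof *samples; k++) {
        char buf[64];
        size_t used = 0;
        int rc = parse_quoted(samples[k], strlen(samples[k]), buf, sizeof buf, &used);
        printf("rc=%d used=%zu\n", rc, rc == QS_OK ? used : (size_t)0);
    }
    return 0;
}
```

The caller advances its position in the current line by `consumed`, which stays within the line even when the unescaped value is shorter than the input it came from.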

Comment 4 (Assignee) • 20 years ago

Updated (Assignee) • 20 years ago
Attachment #152243 - Flags: superreview?(mscott)
Attachment #152243 - Flags: review?(bienvenu)

Comment 5 (Assignee) • 20 years ago

Run this perl script, then create a mozilla IMAP account on localhost, port 14343 (any username/password). Trying to read mail from this account then _crashes_ mozilla. This is due to this bug and because the perl script sends multi-line quoted strings to mozilla.

Comment 6 • 20 years ago

Confirming, since it has a patch and a well-filed bug.

Comment 7 • 20 years ago

Confirming, since it has a patch and a well-filed bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated (Assignee) • 20 years ago
Assignee: bienvenu → Hans-A.Engel

Updated (Assignee) • 20 years ago
Status: NEW → ASSIGNED

Updated • 20 years ago
Severity: normal → critical

Updated (Assignee) • 20 years ago
Attachment #152243 - Flags: superreview?(mscott) → superreview?(dmose)

Updated • 20 years ago
Product: MailNews → Core

Comment 8 • 20 years ago

Comment on attachment 152243
fix: flagging a syntax error for quoted strings containing CRLF

thx, Hans, sorry for the delay...
Attachment #152243 - Flags: review?(bienvenu) → review+

Comment 9 • 20 years ago

Comment on attachment 152243
fix: flagging a syntax error for quoted strings containing CRLF

sr=dmose
Attachment #152243 - Flags: superreview?(dmose) → superreview+

timeless landed this: Bug 249675 IMAP parser: multi-line quoted strings can crash mozilla patch by Hans-A.Engel@unibas.ch r=bienvenu sr=dmose
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

Updated • 16 years ago
Product: Core → MailNews Core