Bug 249675 (Closed)
Opened 21 years ago
Closed 21 years ago
IMAP parser: multi-line quoted strings can crash mozilla
Categories: MailNews Core :: Networking: IMAP, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: engel, Assigned: engel
Keywords: crash
Attachments (2 files):
  patch, 2.81 KB (Bienvenu: review+, dmosedale: superreview+)
  application/x-perl, 1.25 KB
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040622
Build Identifier:
In |nsIMAPGenericParser::CreateQuoted|, quoted strings which stretch over
several lines (e.g. "multi-\r\nline") are not handled correctly. This leads to
illegal pointers in |nsIMAPGenericParser| and eventually to a crash.
Note that such quoted strings, containing CR or LF, violate the IMAP standard.
Reproducible: Always
Steps to Reproduce:
Comment 1•21 years ago (Assignee)
In |CreateQuoted()|, when the end of the quoted string is found, the offsets of
the current-line strings used for parsing must be adjusted. The current code
uses |returnString.Length()| as offset. However, |returnString| could result as
a concatenation of several input lines. This offset is then used on the current
line, which might be much shorter. Consequently, |fCurrentTokenPlaceHolder|
might be shifted to invalid memory regions! Moreover,
|*fCurrentTokenPlaceHolder| will be accessed (and possibly overwritten) just in
the following line.
The memory error occurs in
  500   fCurrentTokenPlaceHolder += escapeCharsCut + charIndex + 1 - strlen(fNextToken);
  501   if (!*fCurrentTokenPlaceHolder)
Keywords: crash
Comment 2•21 years ago (Assignee)
Testing nsIMAPGenericParser with a multi-line quoted string leads to a segfault,
as expected.
Comment 3•21 years ago (Assignee)
Are there IMAP servers which return LFs in quoted strings (violating the
standards)? If so, we should fix the code which adjusts the tokenizer offsets
in |CreateQuoted()|. Otherwise, we should enforce the IMAP standard for strings
containing LFs and flag a syntax error.
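The stricter option from comment 3 (reject CR/LF inside a quoted string and take the tokenizer offset from the current line buffer only), as an added example; it is not the Mozilla patch or any code from this bug. ParseQuoted, QuotedResult and the sample inputs are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <string>

// Hypothetical names; this is not nsIMAPGenericParser.
enum class QuotedResult { Ok, SyntaxError };

// Parses one quoted string that starts at line[0] and must end within the
// same line buffer. On success `value` is the unescaped text and `consumed`
// is the number of bytes of `line` used, closing quote included.
QuotedResult ParseQuoted(const std::string& line, std::string& value,
                         std::size_t& consumed) {
  value.clear();
  consumed = 0;
  if (line.empty() || line[0] != '"') return QuotedResult::SyntaxError;
  for (std::size_t i = 1; i < line.size(); ++i) {
    const char c = line[i];
    if (c == '\r' || c == '\n') {
      // CR/LF inside a quoted string: flag a syntax error instead of
      // fetching the next line and concatenating it onto `value`.
      return QuotedResult::SyntaxError;
    }
    if (c == '\\') {
      // An escape must be followed by '"' or '\\' within this buffer.
      if (i + 1 >= line.size()) return QuotedResult::SyntaxError;
      const char next = line[++i];
      if (next != '"' && next != '\\') return QuotedResult::SyntaxError;
      value.push_back(next);
    } else if (c == '"') {
      // The tokenizer offset is the index into this buffer, never
      // value.size(), which differs once escapes are cut.
      consumed = i + 1;
      return QuotedResult::Ok;
    } else {
      value.push_back(c);
    }
  }
  return QuotedResult::SyntaxError;  // no closing quote on this line
}

int main() {
  std::string value;
  std::size_t consumed = 0;
  // Constructed sample: the malformed string from the bug description.
  return ParseQuoted("\"multi-\r\nline\" x", value, consumed) ==
                 QuotedResult::SyntaxError ? 0 : 1;
}
```

Because `consumed` can never exceed the length of the buffer that was scanned, a caller advancing its position by that amount stays inside the current line.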
Comment 4•21 years ago (Assignee)
Updated•21 years ago (Assignee)
Attachment #152243 - Flags: superreview?(mscott)
Attachment #152243 - Flags: review?(bienvenu)
Comment 5•21 years ago (Assignee)
Run this perl script, then create a mozilla IMAP account on localhost, port 14343
(any username/password).
Trying to read mail from this account then _crashes_ mozilla. This is due to
this bug and because the perl script sends multi-line quoted strings to
mozilla.
Comment 6•21 years ago
Confirming, since it has a patch and a well-filed bug.
Comment 7•21 years ago
Confirming, since it has a patch and a well-filed bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•21 years ago (Assignee)
Assignee: bienvenu → Hans-A.Engel
Updated•21 years ago (Assignee)
Status: NEW → ASSIGNED
Updated•21 years ago
Severity: normal → critical
Updated•21 years ago (Assignee)
Attachment #152243 - Flags: superreview?(mscott) → superreview?(dmose)
Updated•21 years ago
Product: MailNews → Core
Comment 8•21 years ago
Comment on attachment 152243 [details] [diff] [review]
fix: flagging a syntax error for quoted strings containing CRLF
thx, Hans, sorry for the delay...
Attachment #152243 - Flags: review?(bienvenu) → review+
Comment 9•21 years ago
Comment on attachment 152243 [details] [diff] [review]
fix: flagging a syntax error for quoted strings containing CRLF
sr=dmose
Attachment #152243 - Flags: superreview?(dmose) → superreview+
timeless landed this:
Bug 249675 IMAP parser: multi-line quoted strings can crash mozilla
patch by Hans-A.Engel@unibas.ch r=bienvenu sr=dmose
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•16 years ago
Product: Core → MailNews Core