Closed Bug 265062 Opened 20 years ago Closed 20 years ago

Thunderbird crashes if the email contains a mailbox:// URL

Categories

(Thunderbird :: Mail Window Front End, defect)

Product:
Thunderbird
Component:
Mail Window Front End
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Thunderbird0.9

People

(Reporter: kousik, Assigned: mscott)

Details

(Whiteboard: [sg:dos])

Attachments

(1 file)

the fix, check for error if the mailbox url is bogus and has no path
719 bytes, patch
Bienvenu
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla Thunderbird 0.8 (X11/20040913)

If a PLAINTEXT mail contains an URL like mailbox:// then thunderbird 0.8
crashes. This happens even if the url is quoted. 


Reproducible: Always
Steps to Reproduce:
1. Save the following in a file.


> ------------------------------------------------------------------------
> *This message exceeded the Maximum Message Size set in Preferences, so 
> we have only downloaded the first few lines from the mail server.*
> 
> *Click here 
>
<mailbox://pph@popmailserver/Lists/masala?number=60065895&messageid=008401c4b5cc%24722994a0%24f7846840%40xxxx.example.com&uidl=1069866757.37599>

> to download the rest of the message.*
> 



2. Then mail this file.

cat /tmp/killtbird | mail user@example.com

3. The 'user' will open the mail in thunderbird, and her application will crash.

Actual Results:  
Thunderbird opening the mail will crash.

Expected Results:  
At least, not crash.

Dos Attack. The workaround is, if you *know* this message will crash, then you
can right-click and delete it without preview.
stack trace coming up
Status: NEW → ASSIGNED
Stack trace:

nsCOMPtr<nsIFileSpec>::operator->() line 711 + 34 bytes
nsPop3Service::NewURI(nsPop3Service * const 0x030b6634, const nsACString &
{...}, const char * 0x00000000, nsIURI * 0x00000000, nsIURI * * 0x0012ee30) line
316 + 15 bytes
nsMailboxService::NewURI(nsMailboxService * const 0x0313c9ac, const nsACString &
{...}, const char * 0x00000000, nsIURI * 0x00000000, nsIURI * * 0x0012ee30) line
477 + 48 bytes
nsIOService::NewURI(nsIOService * const 0x00b4c598, const nsACString & {...},
const char * 0x00000000, nsIURI * 0x00000000, nsIURI * * 0x0012ee30) line 421 +
39 bytes
mozTXTToHTMLConv::CheckURLAndCreateHTML(const nsString & {...}, const nsString &
{...}, mozTXTToHTMLConv::modetype RFC2396E, nsString & {...}) line 431 + 70 bytes
mozTXTToHTMLConv::FindURL(const unsigned short * 0x03e0b268, int 146, const
unsigned int 8, const unsigned int 14, nsString & {...}, int & 0, int & 34) line
547 + 48 bytes
mozTXTToHTMLConv::ScanTXT(const unsigned short * 0x03e0b268, int 146, unsigned
int 14, nsString & {...}) line 1179 + 48 bytes
mozTXTToHTMLConv::ScanTXT(mozTXTToHTMLConv * const 0x03d1cf70, const unsigned
short * 0x03e0b268, unsigned int 14, unsigned short * * 0x0012f220) line 1353
MimeInlineTextPlain_parse_line(char * 0x031125b0, int 146, MimeObject *
0x03365bd8) line 453 + 64 bytes
M
Attachment #162591 - Flags: superreview?(bienvenu)
Attachment #162591 - Flags: superreview?(bienvenu) → superreview+
fixed
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird0.9
Whiteboard: [sg:dos]
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: