If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Viewing message with greater than 19 attachments causes crash

VERIFIED FIXED in M17

Status

MailNews Core
Composition
P3
critical
VERIFIED FIXED
18 years ago
9 years ago

People

(Reporter: ddr, Assigned: rhp (gone))

Tracking

({crash})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta2+])

Attachments

(2 attachments)

(Reporter)

Description

18 years ago
If I try and view a mail message that contains 20 attachments or more then a
crash (seg fault) occurs.

Originally I got this because Lotus Mail [Lotus SMTP MTA v4.6.3 (733.2
10-16-1998)] has a tendancy to take normal mail messages and turn them into a
mixture of text/plain; charset=iso-8859-1 and text/plain; charset=us-ascii
attachments. One mail message I received had been broken into 42 attachments!

It is possible to repeat the problem by attaching twenty small text files to a
mail message, sending it to yourself and then trying to view it with 'view
attachments inline' set.(I redirected the output of ls into a file and made 19
copies of the file).

Build Id: 2000041212

Netscape Mail 4.7 does not have this problem.

Comment 1

18 years ago
Did you submit a talkback report on this crash?
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
(Reporter)

Comment 2

18 years ago
My nightly build isn't creating talkbacks - I'm not sure if that is because
build id 2000041212 doesn't have them enabled, or when the browser seg faults it
doesn't get a chance to create a talkback. I can forward a sample mail message
that will cause the crash, e-mail me with an address.

Comment 3

18 years ago
Let us try it here first.  If we can't get a msg with 19 attachments or more to 
crash, we'll email you.
QA Contact: lchiang → pmock
Reassign to mscott, maybe it's a problem for rhp or jefft.
Assignee: ducarroz → mscott

Comment 5

18 years ago
Problem is reproducible on all platforms using the following builds:
 win32 commercial seamonkey build 00041909-m16
 linux commercial seamonkdy build 00041910-m16
 macos commercial seamonkey build 00041804-m16

It crashes under IMAP and POP. I notice that the app crashes even at 19 
attachments. Sometimes, I can load the message but it eventually crashes after 
closing and re-openning the mail message.

Updated

18 years ago
Keywords: beta2
OS: Linux → All
Hardware: PC → All

Updated

18 years ago
Keywords: nsbeta2

Comment 6

18 years ago
Putting on [nsbeta2+] radar.
Keywords: beta2
Whiteboard: [nsbeta2+]

Comment 7

18 years ago
fyi,
 Problem is reproducible on today 2000-04-28-09-m16 win32, linux, and mac os 
platforms. It crashes while downloading message.

Comment 8

18 years ago
Hey peter, can you send me the test message that will trigger the crash for me.
Saves me the trouble of building up a message with 19 attachments. Thanks!
Target Milestone: --- → M17

Comment 9

18 years ago
I think this belongs to rhp. We are crashing here:
NotifyEmittersOfAttachmentList(MimeDisplayOptions * 0x0337f0b0,
nsMsgAttachmentData * 0x03dee5d0) line 481 + 17 bytes
mime_display_stream_complete(_nsMIMESession * 0x0337ce80) line 775 + 16 bytes
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x0337fb40,
nsIChannel * 0x03ec1640, nsISupports * 0x00000000, unsigned int 0, const
unsigned short * 0x00000000) line 821 + 13 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03ec1900,
nsIChannel * 0x03ec1640, nsISupports * 0x00000000, unsigned int 0, const
unsigned short * 0x00000000) line 204

Inside of NotifyEmittersOfAttachmentList, we are given a valid
nsMsgAttachmentData object. However, inside that code, we assign a variable
"tmp" to it. Then we get in a loop where we are incrementing tmp using tmp++.

Eventually we get a bogus ptr to tmp.
Assignee: mscott → rhp

Comment 10

18 years ago
Created attachment 8563 [details]
Message with 19 file attachments

Comment 11

18 years ago
Created attachment 8564 [details]
Message with 18 file attachments
(Assignee)

Comment 12

18 years ago
Will investigate.

- rhp
Status: NEW → ASSIGNED
(Assignee)

Comment 13

18 years ago
Difference in sizeof()'s for structures.

- rhp
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED
(Reporter)

Comment 14

18 years ago
I've just verified this fix with build id 2000051820 on Linux x86, using the
original message that identified this problem, and I'm stoked to say it
displayed correctly.

Comment 15

18 years ago
Verified as fixed on win32, macos, and linux using the following builds:

 win32 commercial seamonkey build 00052310-m16 installed on P200, Winnt 4.0 SP6
 macos commercial seamonkey build 00052308-m16 installed on G3/400, MacOS 9.04
 linux commercial seamonkey build 00052120-m16 installed on P200, RedHat 6.1
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.