Closed Bug 362735 Opened 18 years ago Closed 17 years ago

2 problems in MimeRichtextConvert

Categories

(MailNews Core :: MIME, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: guninski, Assigned: Bienvenu)

Details

(Keywords: fixed1.8.0.10, fixed1.8.1.1, Whiteboard: [sg:critical])

Attachments

(3 files, 1 obsolete file)

2 problems in MimeRichtextConvert 

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/mime/src/mimetric.cpp&rev=1.16
106 seawood  1.13   // The code below must never expand the input by more than 5x;

107 mstoltz  1.12   // if it does, the desired_size multiplier (5) below must be changed too
108                 [1] desired_size = (length * 5) + 1;

109 rhp      1.1    [2] if (desired_size >= *obuffer_sizeP)
110               	status = mime_GrowBuffer (desired_size, sizeof(char), 1024,
111               							 obufferP, obuffer_sizeP);

so 2 problems:

A) |desired_size| may be negative even on 32 bit systems at the cost of 
1.8G VM (~ 425M length).
the check at [2] is useless in this case.

B) on 64 bit systems [1] may overflow at the cost of about 3.6G VM 
(~ 850M length). this may work in theory on 32 bit systems, but could reproduce it only on a 64 bit system.

stack from the negative case:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223984304 (LWP 4848)]
0xb739ec33 in strcpy () from /lib/i686/libc.so.6
(gdb) bt
#0  0xb739ec33 in strcpy () from /lib/i686/libc.so.6
#1  0xb7cc8311 in PL_strcpy (
    dest=0x8bd7ffd "&am" <Address 0x8bd8000 out of bounds>, 
    src=0xb4c0faa8 "&amp;")
    at /opt/joro/thunderbird20/mozilla/nsprpub/lib/libc/src/strcpy.c:46
#2  0xb4b885c8 in MimeRichtextConvert (
    line=0x70417008 '&' <repeats 200 times>..., length=445644801, 
    output_fn=0xb4b8ad74 <mime_output_fn>, closure=0x8b98020, 
    obufferP=0x8a76e04, obuffer_sizeP=0x8a76e0c, enriched_p=1)
    at /opt/joro/thunderbird20/mozilla/mailnews/mime/src/mimetric.cpp:167
#3  0xb4b89036 in MimeInlineTextRichtext_parse_line (
    line=0x70417008 '&' <repeats 200 times>..., length=445644801, 
(gdb) frame 2
#2  0xb4b885c8 in MimeRichtextConvert (
    line=0x70417008 '&' <repeats 200 times>..., length=445644801, 
    output_fn=0xb4b8ad74 <mime_output_fn>, closure=0x8b98020, 
    obufferP=0x8a76e04, obuffer_sizeP=0x8a76e0c, enriched_p=1)
    at /opt/joro/thunderbird20/mozilla/mailnews/mime/src/mimetric.cpp:167
167                       PL_strcpy (out, "&amp;"); out += strlen (out);
(gdb) x/4c out
0x8bd7ffd:      38 '&'  97 'a'  109 'm' Cannot access memory at address 0x8bd8000
(gdb) x/4c out-20
0x8bd7fe9:      38 '&'  97 'a'  109 'm' 112 '
Whiteboard: [sg:critical]
Attached patch proposed patch (obsolete) — Splinter Review
proposed patch. |new| still throws, but this is another bug.
Comment on attachment 247683 [details] [diff] [review]
proposed patch

seems like it might be clearer to write something like:

0xfffffffe / BGROWTH

and it looks like there's a tab before the return -1.

r=bienvenu, with those nits. thx for the patch!
Attachment #247683 - Flags: superreview?(mscott)
Attachment #247683 - Flags: review+
Comment on attachment 247683 [details] [diff] [review]
proposed patch

including David's suggestions...
Attachment #247683 - Flags: superreview?(mscott) → superreview+
proposed patch, addresses comments
Attachment #247683 - Attachment is obsolete: true
imho this blocks both branches and with favorable heap layout is exploitable on 32 bit os - classic under allocation without exhausting the process memory space.

don't have cvs access so can't check in this.
bz, this seems to be blocking both branches.
So request blocking.  ;)  ccing me on mailnews innards bugs is not really useful, though -- I rarely plan to do anything about them.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
fixed on trunk and 1.8.1 branch - thx, G30rgi
Assignee: dveditz → guninski
Flags: blocking1.8.1.2?
Keywords: fixed1.8.1.1
(In reply to comment #9)
> So request blocking.  ;)  ccing me on mailnews innards bugs is not really
> useful, though -- I rarely plan to do anything about them.
> 

ok, you are not gonna be spammed about mailnews anymore :)

i meant someone empowered to request blocking.
FIXED on trunk, blocking flags track the branch
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.0.10? → blocking1.8.0.10+
Resolution: --- → FIXED
Component: Security → MailNews: MIME
Flags: review+
Product: Thunderbird → Core
Version: 2.0 → Trunk
Comment on attachment 247793 [details] [diff] [review]
proposed patch, addresses comments

requesting approval for 1.8.0.10 since this is listed as a blocker. It's on the trunk and the 1.8.1 branch baking for a while.
Attachment #247793 - Flags: approval1.8.0.10?
Comment on attachment 247793 [details] [diff] [review]
proposed patch, addresses comments

Approved for 1.8.0 branch, a=jay for drivers.
Attachment #247793 - Flags: approval1.8.0.10? → approval1.8.0.10+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: guninski → bienvenu
Status: REOPENED → NEW
Status: NEW → RESOLVED
Closed: 18 years ago17 years ago
Resolution: --- → FIXED
fixed on 1.8.0.x branch
Keywords: fixed1.8.0.10
Group: security
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.