Closed Bug 362735 Opened 18 years ago Closed 18 years ago

2 problems in MimeRichtextConvert

Categories

(MailNews Core :: MIME, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: guninski, Assigned: Bienvenu)

Details

(Keywords: fixed1.8.0.10, fixed1.8.1.1, Whiteboard: [sg:critical])

Attachments

(3 files, 1 obsolete file)

2 problems in MimeRichtextConvert

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/mime/src/mimetric.cpp&rev=1.16

    // The code below must never expand the input by more than 5x;
    // if it does, the desired_size multiplier (5) below must be changed too
    [1] desired_size = (length * 5) + 1;
    [2] if (desired_size >= *obuffer_sizeP)
          status = mime_GrowBuffer (desired_size, sizeof(char), 1024,
                                    obufferP, obuffer_sizeP);

so 2 problems:

A) |desired_size| may be negative even on 32 bit systems at the cost of 1.8G VM (~ 425M length). the check at [2] is useless in this case.

B) on 64 bit systems [1] may overflow at the cost of about 3.6G VM (~ 850M length). this may work in theory on 32 bit systems, but could reproduce it only on a 64 bit system.

stack from the negative case:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1223984304 (LWP 4848)]
    0xb739ec33 in strcpy () from /lib/i686/libc.so.6
    (gdb) bt
    #0  0xb739ec33 in strcpy () from /lib/i686/libc.so.6
    #1  0xb7cc8311 in PL_strcpy (
        dest=0x8bd7ffd "&am" <Address 0x8bd8000 out of bounds>,
        src=0xb4c0faa8 "&amp;")
        at /opt/joro/thunderbird20/mozilla/nsprpub/lib/libc/src/strcpy.c:46
    #2  0xb4b885c8 in MimeRichtextConvert (
        line=0x70417008 '&' <repeats 200 times>..., length=445644801,
        output_fn=0xb4b8ad74 <mime_output_fn>, closure=0x8b98020,
        obufferP=0x8a76e04, obuffer_sizeP=0x8a76e0c, enriched_p=1)
        at /opt/joro/thunderbird20/mozilla/mailnews/mime/src/mimetric.cpp:167
    #3  0xb4b89036 in MimeInlineTextRichtext_parse_line (
        line=0x70417008 '&' <repeats 200 times>..., length=445644801,
    (gdb) frame 2
    #2  0xb4b885c8 in MimeRichtextConvert (
        line=0x70417008 '&' <repeats 200 times>..., length=445644801,
        output_fn=0xb4b8ad74 <mime_output_fn>, closure=0x8b98020,
        obufferP=0x8a76e04, obuffer_sizeP=0x8a76e0c, enriched_p=1)
        at /opt/joro/thunderbird20/mozilla/mailnews/mime/src/mimetric.cpp:167
    167         PL_strcpy (out, "&amp;"); out += strlen (out);
    (gdb) x/4c out
    0x8bd7ffd:      38 '&'  97 'a'  109 'm' Cannot access memory at address 0x8bd8000
    (gdb) x/4c out-20
    0x8bd7fe9:      38 '&'  97 'a'  109 'm'  112 '
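As an added illustration (not code from this bug, its patch, or the Mozilla tree), the C program below models the two computations the report describes: the original `desired_size = (length * 5) + 1` together with the check at [2], showing how a wrapped, negative size silently skips the grow step, and an overflow-safe replacement that refuses any length whose worst-case expansion cannot be represented, in the spirit of the `0xfffffffe / BGROWTH` bound suggested later in the review. The names `GROWTH`, `desired_size_original`, `original_check_requests_grow`, `desired_size_checked` and `richtext_escape` are chosen here, only the `&` to `&amp;` expansion visible in the trace is reproduced, and all sample inputs are constructed.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst-case expansion factor stated in the source comment quoted above:
   one input byte ('&') becomes at most 5 output bytes ("&amp;"). */
#define GROWTH 5

/* Models the original  desired_size = (length * 5) + 1  in 32-bit int
   arithmetic. The multiply is done in uint32_t and converted back so the
   wrap-around is deterministic instead of undefined behaviour; the value
   returned is what a wrapped int would hold. */
int32_t desired_size_original(int32_t length) {
    uint32_t wrapped = (uint32_t)length * GROWTH + 1u;
    return (int32_t)wrapped;
}

/* Models the check at [2]: returns 1 if mime_GrowBuffer would be called,
   0 if the output buffer is left at its current capacity. A negative
   desired_size is never >= a positive capacity, so the grow is skipped
   and the later strcpy writes past the end of the unenlarged buffer. */
int original_check_requests_grow(int32_t length, int32_t current_cap) {
    int32_t desired = desired_size_original(length);
    return desired >= current_cap;
}

/* Hardened computation: test the bound before multiplying. Returns the
   required size, or 0 if length * GROWTH + 1 would overflow size_t
   (0 is never a legitimate result because of the "+ 1"). */
size_t desired_size_checked(size_t length) {
    if (length > (SIZE_MAX - 1) / GROWTH) {
        return 0;
    }
    return length * GROWTH + 1;
}

/* Escapes '&' as "&amp;" into out, but only after proving the worst-case
   output fits in out_cap. Returns bytes written (excluding the NUL), or -1
   when the worst case does not fit or cannot be computed. */
long richtext_escape(const char *in, size_t length, char *out, size_t out_cap) {
    size_t need = desired_size_checked(length);
    if (need == 0 || need > out_cap) {
        return -1;
    }
    char *p = out;
    for (size_t i = 0; i < length; i++) {
        if (in[i] == '&') {
            memcpy(p, "&amp;", 5);
            p += 5;
        } else {
            *p++ = in[i];
        }
    }
    *p = '\0';
    return (long)(p - out);
}

int main(void) {
    /* The length from the reporter's gdb trace, used here as demo input. */
    int32_t bad_length = 445644801;
    printf("original desired_size for %d: %d (grow requested: %d)\n",
           (int)bad_length, (int)desired_size_original(bad_length),
           original_check_requests_grow(bad_length, 1024));
    printf("checked desired_size for SIZE_MAX: %zu (0 = refused)\n",
           desired_size_checked(SIZE_MAX));

    char out[32];
    long n = richtext_escape("a&b", 3, out, sizeof out);
    printf("escaped: %s (%ld bytes)\n", out, n);
    return 0;
}
```

With the trace's length the original computation yields a negative `desired_size`, so `original_check_requests_grow` reports that no grow happens; the checked version either returns a representable size or refuses, and the caller decides what to do with a refusal before any byte is copied.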
Whiteboard: [sg:critical]
Attached patch: proposed patch (obsolete)
proposed patch. |new| still throws, but this is another bug.
Comment on attachment 247683 [details] [diff] [review]
proposed patch

seems like it might be clearer to write something like: 0xfffffffe / BGROWTH and it looks like there's a tab before the return -1. r=bienvenu, with those nits. thx for the patch!
Attachment #247683 - Flags: superreview?(mscott)
Attachment #247683 - Flags: review+
Comment on attachment 247683 [details] [diff] [review]
proposed patch

including David's suggestions...
Attachment #247683 - Flags: superreview?(mscott) → superreview+
proposed patch, addresses comments
Attachment #247683 - Attachment is obsolete: true
imho this blocks both branches and with favorable heap layout is exploitable on 32 bit os - classic under allocation without exhausting the process memory space. don't have cvs access so can't check in this.
bz, this seems to be blocking both branches.
So request blocking. ;) ccing me on mailnews innards bugs is not really useful, though -- I rarely plan to do anything about them.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
fixed on trunk and 1.8.1 branch - thx, G30rgi
Assignee: dveditz → guninski
Flags: blocking1.8.1.2?
Keywords: fixed1.8.1.1
(In reply to comment #9)
> So request blocking. ;) ccing me on mailnews innards bugs is not really
> useful, though -- I rarely plan to do anything about them.

ok, you are not gonna be spammed about mailnews anymore :) i meant someone empowered to request blocking.
FIXED on trunk, blocking flags track the branch
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.0.10? → blocking1.8.0.10+
Resolution: --- → FIXED
Component: Security → MailNews: MIME
Flags: review+
Product: Thunderbird → Core
Version: 2.0 → Trunk
Comment on attachment 247793 [details] [diff] [review]
proposed patch, addresses comments

requesting approval for 1.8.0.10 since this is listed as a blocker. It's on the trunk and the 1.8.1 branch baking for a while.
Attachment #247793 - Flags: approval1.8.0.10?
Comment on attachment 247793 [details] [diff] [review]
proposed patch, addresses comments

Approved for 1.8.0 branch, a=jay for drivers.
Attachment #247793 - Flags: approval1.8.0.10? → approval1.8.0.10+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: guninski → bienvenu
Status: REOPENED → NEW
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
fixed on 1.8.0.x branch
Keywords: fixed1.8.0.10
Group: security
Product: Core → MailNews Core