
Bug 362213 – heap overflow in MimeExternalBody_parse_eof still may cause trouble

RESOLVED INVALID

Status

Thunderbird
Security
RESOLVED INVALID
10 years ago
10 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Assigned: dveditz)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Bug 362213 Comment #9

>David Bienvenu   2006-12-04 07:37:03 PDT

>all the strings get concatenated together, so we have to add all the strlens...

>you're right that 100 is too small - it needs to be ~76 (the total length of
>the header strings) + (4 * 12) (the per header overhead times the number of
>possible headers). That would handle the case where all the headers are
>present...So 150 would be a safe number...

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/mime/src/mimeebod.cpp&rev=1.31&mark=333#333


333                                          (url ? strlen(url) : 0) + 100);

as per the quoted comment the constant 100 seems wrong, probably leading to overflow...
(Reporter)

Updated

10 years ago
Whiteboard: [sg: critical?]
oops, this paranoia was unjustified.


see Bug 362213 Comment #12

=> invalid according to real debugging
Whiteboard: [sg: critical?]
(Reporter)

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
(Assignee)

Updated

10 years ago
Group: security
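
Added example (not part of the bug report and not Mozilla's code): the sizing argument from the quoted comment, generalised to a header builder that computes its allocation from the actual strings and checks whether a fixed slack constant covers the worst case. The header names, the 4-byte per-header overhead (": " plus CRLF) and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header table; names are illustrative, not those in mimeebod.cpp. */
struct hdr { const char *name; const char *value; };

/* Exact bytes needed for "name: value\r\n" per present header, plus the NUL. */
size_t hdrs_needed(const struct hdr *h, size_t n) {
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        if (h[i].value)
            total += strlen(h[i].name) + 2 + strlen(h[i].value) + 2;
    return total;
}

/* Does a fixed slack constant cover all fixed text (names + 4 bytes each + NUL)
   in the worst case where every header is present? Returns 1 if yes. */
int slack_is_enough(const struct hdr *h, size_t n, size_t slack) {
    size_t fixed = 1;
    for (size_t i = 0; i < n; i++)
        fixed += strlen(h[i].name) + 4;
    return fixed <= slack;
}

/* Builds the header block in a buffer sized by hdrs_needed(); NULL on failure. */
char *hdrs_build(const struct hdr *h, size_t n, size_t *out_len) {
    size_t cap = hdrs_needed(h, n), used = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!h[i].value) continue;
        int w = snprintf(buf + used, cap - used, "%s: %s\r\n", h[i].name, h[i].value);
        if (w < 0 || (size_t)w >= cap - used) { free(buf); return NULL; } /* would truncate */
        used += (size_t)w;
    }
    if (out_len) *out_len = used;
    return buf;
}

int main(void) {
    /* Constructed sample input. */
    struct hdr h[] = {{"Content-Type", "text/plain"}, {"Content-Length", NULL}, {"X-Name", "a"}};
    size_t len = 0;
    char *s = hdrs_build(h, 3, &len);
    if (!s) return 1;
    printf("%zu bytes, slack 100 ok: %d\n%s", len, slack_is_enough(h, 3, 100), s);
    free(s);
    return 0;
}
```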