Closed Bug 429630 Opened 16 years ago Closed 16 years ago

Bug 362213 – heap overflow in MimeExternalBody_parse_eof still may cause trouble

Categories

(Thunderbird :: Security, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: guninski, Assigned: dveditz)

Details

Bug 362213 Comment #9

>David Bienvenu   2006-12-04 07:37:03 PDT

>all the strings get concatenated together, so we have to add all the strlens...

>you're right that 100 is too small - it needs to be ~76 (the total length of
>the header strings) + (4 * 12) (the per header overhead times the number of
>possible headers). That would handle the case where all the headers are
>present...So 150 would be a safe number...

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/mime/src/mimeebod.cpp&rev=1.31&mark=333#333


333                                          (url ? strlen(url) : 0) + 100);

as per the quoted comment the constant 100 seems wrong, probably leading to overflow...
Whiteboard: [sg: critical?]
ooops, this paranoia was unjustified.


see Bug 362213 Comment #12

=> invalid according to real debugging
Whiteboard: [sg: critical?]
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Group: security