Closed Bug 432469 Opened 17 years ago Closed 17 years ago

Remaining buffer overflow issues mailnews/mime/src/comi18n.cpp

Categories

(MailNews Core :: MIME, defect)

Product:
MailNews Core
Component:
MIME
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 430193

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Details

(Whiteboard: [sg:dupe 430193])

I looked throught the patch in bug 413874 and it seems to me that buffer overflow is still possible even when using PL_strncpyz(). An example: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/mailnews/mime/src/comi18n.cpp&rev=1.133&root=/cvsroot&mark=349,352-353#348 'obufsize' is declared as PRInt32. The buffer size parameter of PL_strncpyz() is declared PRUint32. Suppose the buffer is near full such that PL_strncpyz() cannot write the full length of 'encodedword_head'. We still do "obufsize -= encodedword_headlen" causing 'obufsize' to become negative. The next PL_strncpyz() to 'o' will be a buffer overflow. Briefly looking through the patch, I think all the places that updates the remaining buffer length needs to use strlen() to find out how much was actually copied. Also, I looked at the code for PL_strncpyz(): http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/nsprpub/lib/libc/src/strcpy.c&rev=3.8&root=/cvsroot&mark=74-75#69 Silently accepting NULL src/dest hides programming errors. I'd like a fatal assert there in debug builds.
Whiteboard: [sg:critical?]
Can we consolidate this bug with Bug 430193?
Sure, bug 413874 didn't mention any followup bug so assumed there wasn't one...
No longer blocks: 413874
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?] → [sg:dupe 430193]
Product: Core → MailNews Core
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.