Closed
Bug 445117
Opened 16 years ago
Closed 16 years ago
integer overflow in MsgEscapeHTML
Categories
(MailNews Core :: Security, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
Thunderbird 3.0b1
People
(Reporter: guninski, Assigned: bugmil.ebirol)
References
Details
(Whiteboard: [sg:critical?] )
Attachments
(2 files, 1 obsolete file)
361 bytes,
text/plain
|
Details | |
3.18 KB,
patch
|
dveditz
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
mozilla/mailnews/base/util/nsMsgUtils.cpp NS_MSG_BASE char *MsgEscapeHTML(const char *string) { /* XXX Hardcoded max entity len. The +1 is for the trailing null. */ char *rv = (char *) nsMemory::Alloc(strlen(string) * 6 + 1); |* 6| overflows at about 683M on 32 bit platform. easily hit at least from mimeebod.cpp. similar bug, same file, NS_MSG_BASE PRUnichar *MsgEscapeHTML(const PRUnichar *aSourceBuffer, PRInt32 aSourceBufferLen) /* XXX Hardcoded max entity len. */ PRUnichar *resultBuffer = (PRUnichar *)nsMemory::Alloc(aSourceBufferLen * 6 * sizeof(PRUnichar) + sizeof(PRUnichar('\0'))); to reproduce send message with content-type external body and body about 683M of '<'. peak memory usage is about 2G with debug build. testcase to follow. #6 0x09236d8b in MsgEscapeHTML (string=0x38c5c409 '<' <repeats 200 times>...) at /opt/joro/thunderbird-cvs/mozilla/mailnews/base/util/nsMsgUtils.cpp:1689 #7 0x08ff60df in MimeExternalBody_parse_eof (obj=0xa3d94a8, abort_p=0) at /opt/joro/thunderbird-cvs/mozilla/mailnews/mime/src/mimeebod.cpp:422 #8 0x08fd01a2 in MimeContainer_parse_eof (object=0x9bb4e38, abort_p=0) at /opt/joro/thunderbird-cvs/mozilla/mailnews/mime/src/mimecont.cpp:140 #9 0x08fdc0ee in MimeMessage_parse_eof (obj=0x9bb4e38, abort_p=0) at /opt/joro/thunderbird-cvs/mozilla/mailnews/mime/src/mimemsg.cpp:550 #10 0x08fef12a in mime_display_stream_complete (stream=0xa3ab898) at /opt/joro/thunderbird-cvs/mozilla/mailnews/mime/src/mimemoz2.cpp:962 #11 0x08fc53d6 in nsStreamConverter::OnStopRequest (this=0xa3ccce0, request=0xa38be2c, ctxt=0xa3abeb0, status=0) at /opt/joro/thunderbird-cvs/mozilla/mailnews/mime/src/nsStreamConverter.cpp:1027 #12 0x08bd5928 in nsDocumentOpenInfo::OnStopRequest (this=0xa415290, (gdb) frame 6 #6 0x09236d8b in MsgEscapeHTML (string=0x38c5c409 '<' <repeats 200 times>...) at /opt/joro/thunderbird-cvs/mozilla/mailnews/base/util/nsMsgUtils.cpp:1689 1689 *ptr++ = ';';
Reporter | ||
Comment 1•16 years ago
|
||
Reporter | ||
Updated•16 years ago
|
Whiteboard: [sg:critical?]
Reporter | ||
Comment 2•16 years ago
|
||
note: 1. the perl script produces 683MB file 2. after the crash foldername.msf must be deleted to reproduce the crash again
Updated•16 years ago
|
Product: Core → MailNews Core
Updated•16 years ago
|
Component: Security → MailNews: Security
Product: Thunderbird → Core
QA Contact: thunderbird → security
Updated•16 years ago
|
Summary: integer overlfow in MsgEscapeHTML → integer overflow in MsgEscapeHTML
Updated•16 years ago
|
Flags: blocking-thunderbird3?
Comment 3•16 years ago
|
||
Reassigning to dmose to find an appropriate TBird dev This does not appear to affect Thunderbird 2.0 Filed bug 455987 on a similar issue that does affect the 1.8 and 1.9 branches.
Assignee: nobody → dmose
Flags: wanted1.8.1.x-
Version: unspecified → Trunk
Comment 4•16 years ago
|
||
putting in b1
Flags: blocking-thunderbird3? → blocking-thunderbird3+
Target Milestone: --- → Thunderbird 3.0b1
Comment 5•16 years ago
|
||
Emre, you've helped out on the MIME front before, can you have a look at this?
Assignee: dmose → bugmil.ebirol
Comment 6•16 years ago
|
||
We're fixing bug 455987 on Firefox branches so you'll definitely want this fixed before you ship Tbird 3. The changes made in nsEscape should work here as well.
Updated•16 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?] [needs patch]
Assignee | ||
Comment 7•16 years ago
|
||
Changes have been applied to nsMsgUtils.cpp
Attachment #347590 -
Flags: superreview?(dveditz)
Attachment #347590 -
Flags: review?(dveditz)
Updated•16 years ago
|
Attachment #347590 -
Flags: superreview?(dveditz)
Attachment #347590 -
Flags: review?(dveditz)
Attachment #347590 -
Flags: review-
Comment 8•16 years ago
|
||
Comment on attachment 347590 [details] [diff] [review] Proposed patch >+ if (aSourceBufferLen >= >+ ((PR_UINT32_MAX / (6 * sizeof(PRUnichar))) + sizeof(PRUnichar))) >+ return nsnull; >+ > PRUnichar *resultBuffer = (PRUnichar *)nsMemory::Alloc(aSourceBufferLen * > 6 * sizeof(PRUnichar) + sizeof(PRUnichar('\0'))); This is embarrassing because it's essentially my patch from bug 455987, but r- because I should've subtracted the size of the terminator, not added it :-( This should be if (aSourceBufferLen >= ((PR_UINT32_MAX - sizeof(PRUnichar))/(6 * sizeof(PRUnichar))) ) return nsnull;
Comment 9•16 years ago
|
||
Filed bug 464998 to fix nsEscape.cpp
Comment 10•16 years ago
|
||
Emre, can you put up a new patch for review here so we can get this fixed and off the beta1 blocker list? thx!
Assignee | ||
Comment 11•16 years ago
|
||
I share the half of the embarrassment :-)
Attachment #347590 -
Attachment is obsolete: true
Attachment #348629 -
Flags: superreview?(dveditz)
Attachment #348629 -
Flags: review?(dveditz)
Updated•16 years ago
|
Whiteboard: [sg:critical?] [needs patch] → [sg:critical?] [needs review dveditz]
Comment 12•16 years ago
|
||
Comment on attachment 348629 [details] [diff] [review] Sign is fixed. r/sr=dveditz
Attachment #348629 -
Flags: superreview?(dveditz)
Attachment #348629 -
Flags: superreview+
Attachment #348629 -
Flags: review?(dveditz)
Attachment #348629 -
Flags: review+
Comment 13•16 years ago
|
||
I'll land this, since it's a private bug and at least some of the folks that troll for checkin-needed won't see it.
Whiteboard: [sg:critical?] [needs review dveditz] → [sg:critical?]
Comment 14•16 years ago
|
||
fix checked in (I tweaked the formatting which somehow got messed up a bit...)
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•