Closed Bug 469087 Opened 16 years ago Closed 3 years ago

Open draft message cause a crash [@ mime_decode_qp_buffer ]

Categories

(MailNews Core :: MIME, defect)

Product:
MailNews Core
Component:
MIME
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: shopik, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, steps-wanted, testcase, Whiteboard: [patchlove][need steps to reproduce])

Crash Data

Attachments

(2 files, 2 obsolete files)

draft message with wrong header
946 bytes, message/rfc822
Details
fix v3
7.56 KB, patch
jcranmer
: review-
Details | Diff | Splinter Review 
Look for attachment which is cause such crash when it lies in drafts and you try to edit it will crash TB. You may notice message is kinda wrong corrupted header, I've never touched message it lies in drafts probably 3-4 months so probably one of nigthies corrupted it before.
bp-c179c43f-5715-4cd4-a111-983fd2081211
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081210 Shredder/3.0b2pre

    
    

    
  
0  	thunderbird.exe  	mime_decode_qp_buffer  	mimeenc.cpp:193
1 	thunderbird.exe 	MimeDecoderWrite 	mimeenc.cpp:838
2 	thunderbird.exe 	mime_decompose_file_output_fn 	mimedrft.cpp:1966
3 	thunderbird.exe 	MimeMessage_parse_line 	mimemsg.cpp:230
4 	thunderbird.exe 	MimeObject_parse_eof 	mimeobj.cpp:300
5 	thunderbird.exe 	MimeContainer_parse_eof 	mimecont.cpp:129
6 	thunderbird.exe 	MimeMessage_parse_eof 	mimemsg.cpp:550
7 	thunderbird.exe 	mime_parse_stream_complete 	mimedrft.cpp:1239
8 	thunderbird.exe 	nsStreamConverter::OnStopRequest 	nsStreamConverter.cpp:1049
9 	thunderbird.exe 	nsImapCacheStreamListener::OnStopRequest 	nsImapProtocol.cpp:8071
10 	thunderbird.exe 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:576
11 	thunderbird.exe 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:401
12 	xpcom_core.dll 	nsOutputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
13 	xpcom_core.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
14 	xpcom_core.dll 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:227
15 	thunderbird.exe 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
16 	thunderbird.exe 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
17 	thunderbird.exe 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3264
18 	thunderbird.exe 	NS_internal_main 	nsMailApp.cpp:103
19 	thunderbird.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
20 	thunderbird.exe 	__tmainCRTStartup 	crtexe.c:594
21 	kernel32.dll 	kernel32.dll@0x17066
Component: Mail Window Front End → MIME
Product: Thunderbird → MailNews Core
QA Contact: front-end → mime
Summary: Open draft message cause a crash → Open draft message cause a crash [@ mime_decode_qp_buffer ]

    
    

    
  
taking - I'll try to recreate and fix this soon.
Assignee: nobody → bienvenu
Flags: blocking-thunderbird3+
Target Milestone: --- → Thunderbird 3.0b2

    
    

    
  
this doesn't crash on my build. I had to tweak it slightly to get the eml file into a mailbox format by sticking "From " at the beginning.

    
    

    
  
It doesn't crash if I just open eml file. Only when I try to open it from drafts

    
    

    
  
this still doesn't crash for me when editing as a draft, for either imap or local. So, moving to b3. Can you still reproduce this, Nikolay?
Target Milestone: Thunderbird 3.0b2 → Thunderbird 3.0b3

    
    

    
  
I can't copy it to my IMAP drafts folder, so I can't reproduce it.

    
    

    
  
it looks like it was in an imap folder before when it crashed - why can't you copy it to your imap drafts folder?

It also looks like you didn't have the message offline, from the stack - I'll see if I can get that to happen...

    
    

    
  
I'm on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090109 Shredder/3.0b2pre trying drag and drop file to drafts folder from my desktop, nothing happens.

    
    

    
  
that has never worked, afaik. To get it into an imap folder, you first need to convert the .eml file to a local mailbox by putting a "From " line at the top, put it in your profile dir under a local mail account, and then copy the message to an imap folder. That being said, I tried that and could not recreate the crash.

    
    

    
  
I see 8 of these crashes in b2, but none in b3pre - Nikolay, do you still see this crash?

    
  
Whiteboard: [need steps to reproduce]

    
    

    
  
I'm going to move this off the blocker list until we can find a way to reproduce it...
Flags: wanted-thunderbird3+
Flags: blocking-thunderbird3-
Flags: blocking-thunderbird3+

    
    

    
  
Nope I don't see it in latest nightly, but somehow I'm still getting corrupted drafts messages. This is how this message comes to my computer it's just many months old draft. Rebuilding index seems like get it in shape again.

    
    

    
  
(In reply to comment #13)
Therefore I see no reason to keep this open for now.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME

    
    

    
  
As they still appear
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

    
    

    
  
moving out of b3, then.
Target Milestone: Thunderbird 3.0b3 → Thunderbird 3.0b4

    
    

    
  
found 3 comment in last 4 months

When trying to display an e-mail message, i did'nt see the one i had selected but rather the prior emai i had viewed/deleted. This occured even after a restart and the deleted email deleted. 
bp-5876fd45-d041-43fb-b0f1-ffd0a2091101 3.0pre

Presssed the "Forward" button from the top bar. Just after that thunderbird went to heaven.
bp-165103b1-63a3-466e-80eb-96a7c2090708

click on the message to forward, it just crashes
bp-78fb78f8-5658-447d-b5d9-557e92090612
Keywords: crash

    
    

    
  
Nikolay, are you still unable to reproduce? Yeah, this is in top 100.

Makoto, do you see an obvious way to reproduce? 

Forward is still a common comment, but none of the commenters have left an email address from which we might get detailed steps or testcase. https://crash-stats.mozilla.com/report/list?product=Thunderbird&query_search=signature&query_type=exact&query=mime_decode_qp_buffer&date=12%2F30%2F2010%2006%3A14%3A17&range_value=4&range_unit=weeks&hang_type=any&process_type=all&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=mime_decode_qp_buffer
Keywords: testcase, 
          
            topcrash

    
    

    
  
I never seen crash in years

    
    

    
  
This bug is MimeMessage_parse_line.  decompose_file_output_fn should not use const buffer.  (

Also, I think that writing test case is difficult since we cannot call mime API directly from test harness.
Assignee: bienvenu → m_kato
Status: REOPENED → ASSIGNED

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v1 (obsolete)
        — Splinter Review
      

    


  
Should I change all const char* define to char*?  If so, patch will be too large.

        Attachment #502763 -
        Flags: review?(bienvenu)

    
    

    
  
Thx for looking at this.

(In reply to comment #23)
> Created attachment 502763 [details] [diff] [review]
> fix v1
> 
> Should I change all const char* define to char*?  If so, patch will be too
> large.

Yeah, you can't do that. I think the better approach would be stop the MimeDecoderWrite functions from decoding in place, i.e.,  mime_decode_base64_buffer and mime_decode_qp_buffer should decode into data->line_buffer, which we should alloc or realloc to be at least length bytes, similar to what the decode_uue and decode_yenc functions do, e.g.,

have a helper function that does this:

  if (!data->line_buffer)
  {
    data->line_buffer_size = length; // or perhaps something like NS_MAX(length, 100)
    data->line_buffer = (char *)PR_MALLOC(data->line_buffer_size);
    if (!data->line_buffer)
      return -1;
    data->line_buffer[0] = 0;
  }
  else if (data->line_buffer_size < length)
  {
    data->line_buffer = (char *) PR_REALLOC(data->line_buffer, length);
    if (!data->line_buffer)
      return -1;
    data->line_buffer_size = length;
  }

Does that make sense?

    
    

    
  
Comment on attachment 502763 [details] [diff] [review]
fix v1

I'd prefer the approach I described earlier, so minusing this. Thx again for working on this.

        Attachment #502763 -
        Flags: review?(bienvenu) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v2 (obsolete)
        — Splinter Review
      

    


  

        Attachment #504389 -
        Flags: review?(bienvenu)

    
    

    
  
Comment on attachment 504389 [details] [diff] [review]
fix v2

sorry for the delay, and sorry I wasn't clear earlier.

I was hoping you could do the same thing for mime_decode_base64_buffer, since I believe it has the same issue. And if so, then you would want to have a helper routine to do the allocation of data->line_buffer, so the code could be shared between mime_decode_base64_buffer and mime_decode_qp_buffer. Also, you should use PR_REALLOC instead of free and alloc, because it can be cheaper in some situations.

Finally, we don't do this braces style:

+  } else if (data->line_buffer_size < length) {

the else part should be on a separate line

        Attachment #504389 -
        Flags: review?(bienvenu) → review-
Crash Signature: [@ mime_decode_qp_buffer ]

    
    

    
  
Makoto Kato, are you up for doing patch v3?
Keywords: topcrashtopcrash-

    
    

    
  
(In reply to Wayne Mery (:wsmwk) from comment #28)
> Makoto Kato, are you up for doing patch v3?

If not, we'll foist, I mean, free it up for someone else :)

most crash comments mention forwarding a message.
bp-b84730c8-e8f0-41c5-8a8e-761c62121011 is TB15.0.1 example
Flags: needinfo?(m_kato)
Keywords: steps-wanted

    
    

    
  
root cause is that const buffer isn't writable.  see comment #22
Flags: needinfo?(m_kato)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v3Splinter Review
      

    


  

        Attachment #502763 -
        Attachment is obsolete: true

        Attachment #504389 -
        Attachment is obsolete: true

        Attachment #676064 -
        Flags: review?(Pidgeot18)

    
    

    
  
Comment on attachment 676064 [details] [diff] [review]
fix v3

Review of attachment 676064 [details] [diff] [review]:
-----------------------------------------------------------------

::: mailnews/mime/src/mimeenc.cpp
@@ +41,5 @@
> +static void
> +AllocLineBuffer(MimeDecoderData *data, size_t length)
> +{
> +  if (length < 1000)
> +    length = 1000;

What's the purpose of this bit?

@@ +52,5 @@
> +      return;
> +    }
> +    data->line_buffer = (char *) PR_REALLOC(data->line_buffer, length);
> +  } else {
> +    data->line_buffer = (char *) PR_MALLOC(length);

Nit: s/PR_REALLOC/PR_Realloc/ and s/PR_MALLOC/PR_Malloc/

@@ +350,5 @@
>     it out.
>  
>     Then pull the next line into line_buffer and continue.
>     */
> +  AllocLineBuffer(data, input_length);

This isn't an equivalent change. AllocLineBuffer(data, 128) would be the equivalent change.

@@ +580,5 @@
>     it out.
>  
>     Then pull the next line into line_buffer and continue.
>     */
> +  AllocLineBuffer(data, input_length);

Same here. AllocLineBuffer(data, 1000) instead.

        Attachment #676064 -
        Flags: review?(Pidgeot18) → review-

    
    

    
  
The topcrash- keyword is not actively maintained and pollutes queries with topcrash.
Keywords: topcrash-

    
    

    
  
(In reply to Joshua Cranmer [:jcranmer] from comment #32)
> Comment on attachment 676064 [details] [diff] [review]
> fix v3
> 
> Review of attachment 676064 [details] [diff] [review]:
> -----------------------------------------------------------------
Flags: needinfo?(m_kato)

    
  
Whiteboard: [need steps to reproduce] → [patchlove][need steps to reproduce]

    
    

    
  
easy to finish the proposed patch?
Flags: needinfo?(hiikezoe)

    
    

    
  
Removing myslef on all the bugs I'm cced on. Please NI me if you need something on MailNews Core bugs from me.

    
  
Blocks: 540270

    
    

    
  
m_kato, attachment 422879 [details] from bug 469087 also produces crash
Flags: needinfo?(hiikezoe)

    
    

    
  
root causes is comment #21 and comment #22 due to const cast.   Reproduce step depends on memory condition, so it is too difficult as unit test and step

I am not interesting this bug due to rare crash, so please feel free to take this bug.  (I think that all mime code should be re-written by JavaScript)
Assignee: m_kato → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(m_kato)

    
    

    
  
I had delayed updating this hoping by now that we'd be fully on jsmime


Still with us, at least in version 60 bp-2a185a47-db6d-4413-912b-c26400190928

0 	xul.dll	mime_decode_qp_buffer	comm/mailnews/mime/src/mimeenc.cpp:160

1 	xul.dll	MimeDecoderWrite(MimeDecoderData*, char const*, int, int*)	comm/mailnews/mime/src/mimeenc.cpp:834

2 	xul.dll	mime_decompose_file_output_fn(char const*, int, void*)	comm/mailnews/mime/src/mimedrft.cpp:2135

3 	xul.dll	MimeMessage_parse_line	comm/mailnews/mime/src/mimemsg.cpp:200

4 	xul.dll	MimeObject_parse_eof	comm/mailnews/mime/src/mimeobj.cpp:270

5 	xul.dll	MimeContainer_parse_eof	comm/mailnews/mime/src/mimecont.cpp:97

6 	xul.dll	MimeMessage_parse_eof	comm/mailnews/mime/src/mimemsg.cpp:565

7 	xul.dll	mime_parse_stream_complete	comm/mailnews/mime/src/mimedrft.cpp:1287



    
    

    
  
No version 68 crashes, they end after 60.9.1.


Status: NEW → RESOLVED
Closed: 15 years ago3 years ago
Resolution: --- → INCOMPLETE

    
  
Blocks: 1876127

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: