Closed Bug 557782 Opened 14 years ago Closed 13 years ago

Crash when I open a mail with a large ics calendar attachment sent from Apple Mail [@ strlen | icalvalue_attach_as_ical_string_r ] (windows), [@ strlen | libcalbasecomps.dylib@0x13ae8] (Mac)

Categories

(Calendar :: General, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: antoni.mylka, Assigned: dbo)

Details

(Keywords: crash, testcase, topcrash, Whiteboard: [gs])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4

I received an email from a colleague who uses Apple Mail. I've posted that email here:

http://fivo.cyf-kr.edu.pl/maven/antonimavenrepo/mail-eml-ical-withimageattachment.eml

It seems to exceed the maximum size for comments in this form, so I couldn't paste it directly to the issue. Please feel free to download it from that url and attach it to the bugzilla issue.

When I received it, it arrived in my inbox. I clicked on the subject line and Thunderbird crashed. Later I restarted Thunderbird, did not click anything, and Thunderbird crashed by itself after 10 seconds. Only after I manually removed the email from the mbox file did the crashes stop.

I suspect there may be a bug in the message parser which is invoked when trying to view the email (first crash) and when the indexer tries to index the email to search it later (the subsequent crashes).


Reproducible: Always

Steps to Reproduce:
1. Download the email from http://fivo.cyf-kr.edu.pl/maven/antonimavenrepo/mail-eml-ical-withimageattachment.eml
2. Open it with thunderbird (it crashes)


Actual Results:  
Thunderbird crashes

Expected Results:  
It shouldn't crash

Add-ons: en-GB@dictionaries.addons.mozilla.org:1.19,de-DE@dictionaries.addons.mozilla.org:2.0.1,{e2fda1a4-762b-4020-b5ad-a41df1933103}:1.0b1,tbsortfolders@xulforum.org:0.4.4,{ad7d8a66-253b-11dc-977c-000c29a3126e}:0.8.13.3,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.4
BuildID: 20100317103207
CrashTime: 1270642442
InstallTime: 1269985394
ProductName: Thunderbird
SecondsSinceLastCrash: 867
StartupTime: 1270642280
Theme: classic/1.0
Throttleable: 1
URL: 
Vendor: 
Version: 3.0.4

This report also contains information about the state of the program at the time of the crash.
Attached file: The offending .eml file.
I attached the offending email. Didn't know that I can add attachments only after the issue is created.
Keywords: crash
Summary: Crash when I open a mail with a alrge ics attachment sent from Apple Mail → Crash when I open a mail with a large ics calendar attachment sent from Apple Mail
I don't crash while opening the email with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.2pre) Gecko/20100406 Lanikai/3.1b2pre.

Can you give us a crash id (see http://kb.mozillazine.org/Breakpad for how to find them) ?
The latest one:

bp-c963ec29-8b05-44f0-b32c-0a11a2100407
Frame 	Module 	Signature 	Source
0 	calbscmp.dll 	strlen 	strlen.asm:81
1 	calbscmp.dll 	icalvalue_attach_as_ical_string_r 	calendar/libical/src/libical/icalvalue.c:929
2 	calbscmp.dll 	icalvalue_as_ical_string_r 	calendar/libical/src/libical/icalvalue.c:1112
3 	calbscmp.dll 	icalproperty_get_value_as_string_r 	calendar/libical/src/libical/icalproperty.c:951
4 	calbscmp.dll 	icalproperty_get_value_as_string 	calendar/libical/src/libical/icalproperty.c:937
5 	calbscmp.dll 	calIcalProperty::GetValue 	calendar/base/src/calICSService.cpp:106
6 	xpcom_core.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
7 	thunderbird.exe 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2456
8 	thunderbird.exe 	XPC_WN_GetterSetter 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1622
9 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1386
10 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1447
11 	js3250.dll 	js_InternalGetOrSet 	js/src/jsinterp.cpp:1510
12 	js3250.dll 	js_GetSprop 	js/src/jsscope.h:367
13 	js3250.dll 	js_NativeGet 	js/src/jsobj.cpp:4167
14 	js3250.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:4333
15 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:4451
16 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1394
17 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1447
18 	js3250.dll 	js_InternalGetOrSet 	js/src/jsinterp.cpp:1510
19 	js3250.dll 	js_SetSprop 	js/src/jsscope.h:390
20 	js3250.dll 	js_SetPropertyHelper 	js/src/jsobj.cpp:4512
21 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:4789
22 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1394
23 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1447
24 	js3250.dll 	js_InternalGetOrSet 	js/src/jsinterp.cpp:1510
25 	js3250.dll 	js_SetSprop 	js/src/jsscope.h:390
26 	js3250.dll 	js_SetPropertyHelper 	js/src/jsobj.cpp:4512
27 	js3250.dll 	js_SetProperty 	js/src/jsobj.cpp:4605
28 	js3250.dll 	JS_SetProperty 	js/src/jsapi.cpp:3584
29 	thunderbird.exe 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1740
30 	thunderbird.exe 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:569
31 	xpcom_core.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
32 	xpcom_core.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
33 	xpcom_core.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: Thunderbird → Calendar
QA Contact: general → general
Summary: Crash when I open a mail with a large ics calendar attachment sent from Apple Mail → Crash when I open a mail with a large ics calendar attachment sent from Apple Mail [@ strlen | icalvalue_attach_as_ical_string_r ]
Confirmed using Lightning 1.0b2pre (BuildID: 20100407035214) with Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.4pre) Gecko/20100407 Lanikai/3.1b2pre

Confirmed using Lightning 1.1a1pre (BuildID: 20100406035552) with Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a4pre) Gecko/20100407 Shredder/3.2a1pre

Workaround: Disable menu option View -> Display Attachments Inline. If it is disabled Lightning can't process event invitations and you'll see the raw ics file that is attached.
Flags: blocking-calendar1.0?
Keywords: testcase
I updated thunderbird to 3.1.2 today. It keeps crashing, about 20 s after start. I'm posting this comment because all the crash reports point that this bug is related. It makes version 3.1.2 completely unusable for me.

I posted 6 crash reports, they are all the same and all reference this bug in "Related Bugs". An example:

bp-ba5211ed-4ae4-4bcc-a8aa-17b0c2100826

I'm not doing anything, I just start the application, wait about 10 seconds and it crashes. I'm not even trying to view any emails with ics attachments. Just the folder list, the inbox email list and the welcome page are shown. The crash comes so fast, that I can't even disable lightning in the "Addons" window.

Maybe it's a bug in the newest Lightning?

Will try to downgrade back to 3.0.
Now that we have symbols, it's quite clear that this segment is causing the problem: http://mxr.mozilla.org/comm-central/source/calendar/libical/src/libical/icalvalue.c#929

It's unclear, however, if data being null is crashing it, or if strlen can't handle the long data. This is clearly an issue that needs to be fixed in libical. I'm creating a debug build to look into this.
And another issue that doesn't occur on Linux. I doubt I'll have time to set up a Windows box with a debug build soon.
#105 crash for version 3.1.2 (overall)
and #5 crash for Macs
similar stack bp-c33d8a9f-bb29-40e5-8a26-8bf9d2100822 
[@ strlen | libcalbasecomps.dylib@0x13ae8 ] 


#20 crash for version 3.1.2 
strlen | icalvalue_attach_as_ical_string_r
Keywords: topcrash
Summary: Crash when I open a mail with a large ics calendar attachment sent from Apple Mail [@ strlen | icalvalue_attach_as_ical_string_r ] → Crash when I open a mail with a large ics calendar attachment sent from Apple Mail [@ strlen | icalvalue_attach_as_ical_string_r ] (windows), [@ strlen | libcalbasecomps.dylib@0x13ae8] (Mac)
>50% of these are startup crashes
(In reply to comment #7)
> I'm not doing anything, I just start the application, wait about 10 seconds and
> it crashes. I'm not even trying to view any emails with ics attachments. Just
> the folder list, the inbox email list and the welcome page are shown. The crash
> comes so fast, that I can't even disable lightning in the "Addons" window.

same problem here.... :-(((
I can only disable lightning from the TB safe mode.
the method of comment 5 doesn't work for me anymore....
interestingly, bp-1cafa1db-a7d3-4579-846b-556fc2110111 (adam) reports he does *not* crash on TB 3.0.4, but does crash with v3.1.7
0	calbscmp.dll	strlen	strlen.asm:81
1	calbscmp.dll	icalvalue_attach_as_ical_string_r	calendar/libical/src/libical/icalvalue.c:929
2	calbscmp.dll	icalvalue_as_ical_string_r	calendar/libical/src/libical/icalvalue.c:1112
3	calbscmp.dll	icalproperty_get_value_as_string_r	calendar/libical/src/libical/icalproperty.c:951
4	calbscmp.dll	icalproperty_get_value_as_string	calendar/libical/src/libical/icalproperty.c:937
5	calbscmp.dll	calIcalProperty::GetValue	calendar/base/src/calICSService.cpp:106
icalattach_get_data returned null
Assignee: nobody → dbo.moz
Blocks: 394902
This might be fixed by bug 637064, libical 0.46 contains some fixes to attachment data, they were missing a strdup.
Depends on: 637064
Crash Signature: [@ strlen | icalvalue_attach_as_ical_string_r ] [@ strlen | libcalbasecomps.dylib@0x13ae8]
(In reply to comment #16)
> This might be fixed by bug 637064, libical 0.46 contains some fixes to
> attachment data, they were missing a strdup.

The above bug is fixed, and there are no TB 5.0 crash reports for strlen | icalvalue_attach_as_ical_string_r.
Crash Signature: [@ strlen | icalvalue_attach_as_ical_string_r ] [@ strlen | libcalbasecomps.dylib@0x13ae8] → [@ strlen | icalvalue_attach_as_ical_string_r ] [@ strlen | libcalbasecomps.dylib@0x13ae8]
Marking fixed by bug 637064. If this crash shows up again please reopen.
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: blocking-calendar1.0?
Resolution: --- → FIXED
Target Milestone: --- → 1.0b4
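
The comments above report that `icalattach_get_data` returned null before `strlen` ran, and that the libical fix added a missing `strdup`. The following added example (not libical's or Lightning's code; `demo_attach` and every function name are hypothetical) shows the general pattern: copy attachment data on construction, and check for NULL before serializing.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical attachment value (not libical's struct) holding inline data. */
typedef struct { char *data; } demo_attach;

/* Return a private heap copy of s; NULL in, NULL out. */
static char *dup_or_null(const char *s) {
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

demo_attach *demo_attach_new(const char *data) {
    demo_attach *a = calloc(1, sizeof *a);
    if (a != NULL) a->data = dup_or_null(data); /* copy, never alias the caller */
    return a;
}

void demo_attach_free(demo_attach *a) { if (a) { free(a->data); free(a); } }

/* Serializer: malloc'd string, or NULL when there is no payload to measure. */
char *demo_attach_as_string(const demo_attach *a) {
    if (a == NULL || a->data == NULL) return NULL; /* guard before any strlen() */
    return dup_or_null(a->data);
}

/* Check 1: the caller's buffer is overwritten after construction. */
int demo_survives_source_reuse(void) {
    char buf[] = "QkFTRTY0REFUQQ==";      /* constructed sample payload */
    demo_attach *a = demo_attach_new(buf);
    memset(buf, 'X', sizeof buf - 1);      /* simulate the parser reusing it */
    char *s = demo_attach_as_string(a);
    int ok = (s != NULL && strcmp(s, "QkFTRTY0REFUQQ==") == 0);
    free(s); demo_attach_free(a);
    return ok;
}

/* Check 2: an attachment without data serializes to NULL instead of crashing. */
int demo_null_data_is_safe(void) {
    demo_attach *a = demo_attach_new(NULL);
    char *s = demo_attach_as_string(a);
    demo_attach_free(a);
    return s == NULL;
}

int main(void) { return (demo_survives_source_reuse() && demo_null_data_is_safe()) ? 0 : 1; }
```

Callers of such a serializer must in turn treat a NULL return as "no value" rather than passing it on to string functions.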