Closed Bug 59203 Opened 24 years ago Closed 24 years ago

Viewing attached message crashes rtm candidate [@ nsCRT::strtok]

Categories

(MailNews Core :: MIME, defect, P3)

x86
Windows 98
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: trudelle, Assigned: rhp)

References

Details

(Keywords: crash, topcrash, Whiteboard: [rtm++][FIX IN HAND])

Crash Data

Attachments

(4 files)

Using 11/4 branch candidate:

Launch mail.
View attached message 
result: crash
expected result: message loads, as in NS 4.7, and opens two web pages.
nominating for rtm, cc selmer
Keywords: rtm
*** Bug 59188 has been marked as a duplicate of this bug. ***
*** Bug 59230 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
Target Milestone: --- → M19
Ok, attached is a patch that will do more safety checking.

- rhp
Whiteboard: [FIX IN HAND]
Attached patch: fix for crasher
[rtm need info] please get reviews and move to rtm+ ASAP.
Whiteboard: [FIX IN HAND] → [rtm need info][FIX IN HAND]
I am not sure that the patch is correct although it fixes the crash. cp1 is an
address from workLine. However offset is calculated from (cp1 - line). This
seems wrong. Shouldn't it be (cp1 - workLine)?
Attached patch: An updated fix
Adding reviewers ...
Side note: the source message seems like a security exploit. It seems to try to
execute some javascript and is encoded with quoted-printable encoding.
Adding crash keywords and [@ nsCRT::strtok] for tracking and cc'ing myself.
Keywords: crash, topcrash
Summary: Viewing attached message crashes rtm candidate → Viewing attached message crashes rtm candidate [@ nsCRT::strtok]
r=scottip.  mscott could you sr this?
pdt: marking rtm++, please check in ASAP into the branch after you get a
positive super review.
Whiteboard: [rtm need info][FIX IN HAND] → [rtm++][FIX IN HAND]
I'd like rhp to review this too before we check this in.
Jeff's patch looks fine. Perhaps the +1 was the problem, but I was getting some 
pretty bad results out of the:

char *cp = PL_strncasestr(cp1, "=", (length - (int)(cp1-workLine)));

line.

This looks good too. r:rhp
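The offset question raised in the comments above, as an added C example that is not the Mozilla patch: a pointer that walks a working copy must be bounded against that copy's base, not the original line's. The names `remaining_in`, `find_bounded` and `count_escapes` are hypothetical, and `memchr` stands in for the length-limited `PL_strncasestr` search.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes left in [base, base+length) starting at p; 0 when p is not inside
 * that buffer. Comparing as integers avoids undefined pointer arithmetic
 * between unrelated objects. */
static size_t remaining_in(const char *base, size_t length, const char *p)
{
    uintptr_t b = (uintptr_t)base, q = (uintptr_t)p;
    if (q < b || q - b > length)
        return 0;
    return length - (size_t)(q - b);
}

/* Bounded search for byte c (stand-in for a length-limited strstr). */
static char *find_bounded(char *p, int c, size_t max)
{
    return max ? memchr(p, c, max) : NULL;
}

/* Count '=' characters in a line by scanning a private working copy.
 * Returns -1 on allocation failure. */
int count_escapes(const char *line, size_t length)
{
    char *workLine = malloc(length + 1);
    if (!workLine)
        return -1;
    memcpy(workLine, line, length);
    workLine[length] = '\0';

    int count = 0;
    char *cp1 = workLine;
    for (;;) {
        /* cp1 walks workLine, so the bound is measured from workLine.
         * Measuring from `line` (a different allocation) yields a
         * meaningless length; remaining_in() returns 0 for such a base. */
        size_t left = remaining_in(workLine, length, cp1);
        char *cp = find_bounded(cp1, '=', left);
        if (!cp)
            break;
        count++;
        cp1 = cp + 1; /* may equal workLine + length; then left == 0 */
    }
    free(workLine);
    return count;
}
```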
sr=mscott after reading rich's comments. Thanks guys!
with the patch, I don't crash (w/o it, I do crash) but I can't display the body
of the message either. Is that a known problem? Should I not have used 6.0 to
save the test message?
There is no body message in the original message. There is nothing between <body>
and </body>. This is the side note I was talking about. It seems to be trying to
exploit the security hole.
Fix checked in to both trunk and branch.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
David, were you using mozilla to view the message? It works fine for me in the
release build and I think it's because we turn off js in mail by default in
mozilla builds but not in NS builds.
I was using a debug mozilla build - I'll try it with a debug netscape build.
I'm able to read that msg without a crash using this evening's commercial release
builds on all platforms!!
yes, the release build I just downloaded works (though the message loads twice,
it's probably because of the js).
The mail message attached to this bug does not crash anymore with the latest
builds on Win98, mac and Linux.  Branch 2000-11-06-16 on Win & Linux and
2000-11-06-15 on Mac.  Note:  when I bring this message up on Windows and Linux
I get one display with text that flashes on for only a second, then the 2nd
display which has images and background and text asking if you want to be a
millionaire.  But on Mac, I get a 3rd window, an advertisement with the header
"One of our Sponsors...Netscape 6"  with Yahoo ads.  Not sure why just the Mac
displays this 3rd window.  Verified for the Crash.
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
Crash Signature: [@ nsCRT::strtok]