Closed
Bug 59203
Opened 24 years ago
Closed 24 years ago
Viewing attached message crashes rtm candidate [@ nsCRT::strtok]
Categories: MailNews Core :: MIME, defect, P3
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: trudelle, Assigned: rhp
Details: Keywords: crash, topcrash, Whiteboard: [rtm++][FIX IN HAND]
Attachments (4 files):
- 3.20 KB, text/plain
- 1.45 KB, patch
- 1.18 KB, patch
- 1.18 KB, patch
Using 11/4 branch candidate:
Launch mail.
View attached message
result: crash
expected result: message loads, as in NS 4.7, and opens two web pages.
Reporter
Comment 1•24 years ago
Assignee
Updated•24 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → M19
Assignee
Comment 5•24 years ago
Ok, attached is a patch that will do more safety checking. - rhp
Whiteboard: [FIX IN HAND]
Assignee
Comment 6•24 years ago
Comment 7•24 years ago
[rtm need info] please get reviews and move to rtm+ ASAP.
Whiteboard: [FIX IN HAND] → [rtm need info][FIX IN HAND]
I am not sure that the patch is correct although it fixes the crash. cp1 is an address from workLine. However offset is calculated from (cp1 - line). This seems wrong. Shouldn't it be (cp1 - workLine)?
Comment 10•24 years ago
Adding reviewers ...
Comment 11•24 years ago
Comment 12•24 years ago
Side note: the source message seems like a security exploit. It seems to try to execute some javascript and is encoded with quoted-printable encoding.
Comment 13•24 years ago
Adding crash keywords and [@ nsCRT::strtok] for tracking and cc'ing myself.
Comment 14•24 years ago
r=scottip. mscott could you sr this?
Comment 15•24 years ago
pdt: marking rtm++ , please check in ASAP into the branch after you get a positive super review.
Whiteboard: [rtm need info][FIX IN HAND] → [rtm++][FIX IN HAND]
Comment 16•24 years ago
I'd like rhp to review this too before we check this in.
Assignee
Comment 17•24 years ago
Jeff's patch looks fine. Perhaps the +1 was the problem, but I was getting some pretty bad results out of the: char *cp = PL_strncasestr(cp1, "=", (length - (int)(cp1-workLine))); line. This looks good too. r:rhp
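The point raised in the comments above (the remaining length for the bounded search must be measured from workLine, the buffer cp1 points into, not from line), as an added C example that is not the Mozilla patch or code from this bug. The functions remaining and find_equals are hypothetical, and memchr stands in for the bounded PL_strncasestr call.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bytes left in [base, base+len) from cur onward. cur must point into the
 * same buffer as base: subtracting pointers into two different buffers
 * (the working copy and the original line) is undefined behaviour in C. */
static size_t remaining(const char *base, size_t len, const char *cur)
{
    if (cur == NULL || cur < base)
        return 0;
    size_t used = (size_t)(cur - base);
    return used >= len ? 0 : len - used;
}

/* Hypothetical scanner: copies line (length bytes, not necessarily
 * NUL-terminated) into workLine and stores the offset of each '=' in out.
 * Returns how many offsets were stored (at most max). */
static size_t find_equals(const char *line, size_t length,
                          size_t *out, size_t max)
{
    size_t count = 0;
    char *workLine = malloc(length + 1);
    if (workLine == NULL)
        return 0;
    memcpy(workLine, line, length);
    workLine[length] = '\0';
    const char *cp1 = workLine;
    while (count < max) {
        /* The bound is measured from workLine, the buffer cp1 walks. */
        size_t n = remaining(workLine, length, cp1);
        const char *cp = n ? memchr(cp1, '=', n) : NULL;
        if (cp == NULL)
            break;
        out[count++] = (size_t)(cp - workLine);
        cp1 = cp + 1; /* may land on workLine + length; then n becomes 0 */
    }
    free(workLine);
    return count;
}

int main(void)
{
    const char buf[] = "x=3Dy=ZZ=ZZ"; /* constructed; line is first 6 bytes */
    size_t off[8];
    return find_equals(buf, 6, off, 8) == 2 ? 0 : 1;
}
```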
Comment 18•24 years ago
sr=mscott after reading rich's comments. Thanks guys!
Comment 19•24 years ago
with the patch, I don't crash (w/o it, I do crash) but I can't display the body of the message either. Is that a known problem? Should I not have used 6.0 to save the test message?
Comment 20•24 years ago
There is no body message in the original message. It is empty between <body> </body>. This is the side note I was talking about. It seems to be trying to exploit the security hole.
Comment 21•24 years ago
Fix checked in to both trunk and branch.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 22•24 years ago
David, were you using mozilla to view the message? It works fine for me in the release build and I think it's because we turn off js in mail by default in mozilla builds but not in NS builds.
Comment 23•24 years ago
I was using a debug mozilla build - I'll try it with a debug netscape build.
Comment 24•24 years ago
I'm able to read that msg without crash using today evening commercial release builds on all platforms!!
Comment 25•24 years ago
yes, the release build I just downloaded works (though the message loads twice, it's probably because of the js).
Comment 26•24 years ago
The mail message attached to this bug does not crash anymore with the latest builds on Win98, mac and Linux. Branch 2000-11-06-16 on Win & Linux and 2000-11-06-15 on Mac. Note: when I bring this message up on Windows and Linux I get one display with text that flashes on for only a second, then the 2nd display which has images and background and text asking if you want to be a millionaire. But on Mac, I get a 3rd window, an advertisement with the header "One of our Sponsors...Netscape 6" with Yahoo ads. Not sure why just the Mac displays this 3rd window. Verified for the Crash.
Status: RESOLVED → VERIFIED
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core
Updated•13 years ago
Crash Signature: [@ nsCRT::strtok]