Closed
Bug 624419
Opened 14 years ago
Closed 13 years ago
Potential off-by-one error in MimeHeaders_build_heads_list()
Categories
(MailNews Core :: MIME, defect)
MailNews Core
MIME
Tracking
(Not tracked)
RESOLVED
FIXED
Thunderbird 3.3a3
People
(Reporter: Parasyte, Unassigned)
References
Details
Attachments
(1 file, 1 obsolete file)
2.78 KB,
patch
|
Bienvenu
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b9pre) Gecko/20110105 Firefox-4.0/4.0b9pre Build Identifier: This is a follow-up to Bug 574961, where a similar bug is being fixed for a top crasher in MimeHeaders_get() The code can, in rare cases, read a byte that is outside of allocated memory. See attached patch. Reproducible: Always
Reporter | ||
Comment 1•14 years ago
|
||
Attachment #502532 -
Flags: review?(bienvenu)
Comment 2•14 years ago
|
||
Comment on attachment 502532 [details] [diff] [review] Proposed patch This doesn't look right, since we're checking against end-1, not just end: - for (s = hdrs->all_headers; s <= end-1; s++) + for (s = hdrs->all_headers; s < end-1; s++) { - if (s <= (end-1) && s[0] == '\r' && s[1] == '\n') /* CRLF -> LF */ + if (s < (end-1) && s[0] == '\r' && s[1] == '\n') /* CRLF -> LF */ let me know if I'm missing something...
Attachment #502532 -
Flags: review?(bienvenu) → review-
Reporter | ||
Comment 3•14 years ago
|
||
(In reply to comment #2) > Comment on attachment 502532 [details] [diff] [review] > Proposed patch > > This doesn't look right, since we're checking against end-1, not just end: > - for (s = hdrs->all_headers; s <= end-1; s++) > + for (s = hdrs->all_headers; s < end-1; s++) > { > - if (s <= (end-1) && s[0] == '\r' && s[1] == '\n') /* CRLF -> LF */ > + if (s < (end-1) && s[0] == '\r' && s[1] == '\n') /* CRLF -> LF */ > > let me know if I'm missing something... You are correct, the condition in the for loop should be s <= end-1, which would allow the if statement at line 262 to pick up a line break in the last character within the buffer. The quoted if-statement is correct, though.
Reporter | ||
Comment 4•14 years ago
|
||
Or, rather, s < end. Logically the same, but a little more clear.
Attachment #502532 -
Attachment is obsolete: true
Attachment #502887 -
Flags: review?(bienvenu)
Comment 5•13 years ago
|
||
Comment on attachment 502887 [details] [diff] [review] Attempt v2 thx, this looks OK - this code gets a pretty thorough workout from our existing tests, and it's hard to write a test that crashes when reading one byte past the end of a buffer, so I don't think we need additional tests. I'll land this, along with a bit of nearby formatting cleanup.
Attachment #502887 -
Flags: review?(bienvenu) → review+
Comment 6•13 years ago
|
||
fix checked in - http://hg.mozilla.org/comm-central/rev/be18bde0f11c, thx for the patch, Jason.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 3.3a3
You need to log in
before you can comment on or make changes to this bug.
Description
•