Bug 688889 - Investigate stack buffer overflow in UpdateEmail
Status: Closed, RESOLVED DUPLICATE of bug 688877
Opened 13 years ago, closed 11 years ago
Product / Component: Toolkit :: Crash Reporting (defect)
Reporter: bsterne; Unassigned
Keywords: sec-low; Whiteboard: [sg:low] local
Fabian Yamaguchi of Recurity Labs on behalf of BSI (German Federal Office for Information Security) reported the following to security@mozilla.org:

Function: UpdateEmail

Component: The bug is contained in the Crash Reporter implementation for Windows, in function UpdateEmail in particular.

Summary: The function UpdateEmail reads textual data from a dialog item into a local buffer using the Win32 API function GetDlgItemText. This function expects the number of wide characters that the destination buffer can hold as its last argument. In UpdateEmail, this third parameter has mistakenly been chosen to contain the number of bytes the buffer consists of, which is twice as much as the number of wide characters it can hold. Therefore, it may be possible to trigger a stack-based buffer overflow.

Actual Results: A local stack buffer can potentially be overflowed.

Expected Results: The buffer cannot be overflowed.

Additional Information:

    static void UpdateEmail(HWND hwndDlg)
    {
      if (IsDlgButtonChecked(hwndDlg, IDC_EMAILMECHECK)) {
        wchar_t email[MAX_EMAIL_LENGTH];
        // Bug described above: sizeof(email) is a byte count, but the last
        // argument of GetDlgItemText is a count of wide characters.
        GetDlgItemText(hwndDlg, IDC_EMAILTEXT, email, sizeof(email));
        gQueryParameters[L"Email"] = email;
        if (IsDlgButtonChecked(hwndDlg, IDC_SUBMITREPORTCHECK))
          EnableWindow(GetDlgItem(hwndDlg, IDC_EMAILTEXT), true);
      } else {
        gQueryParameters.erase(L"Email");
        EnableWindow(GetDlgItem(hwndDlg, IDC_EMAILTEXT), false);
      }
    }
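The size-unit mismatch in the report, modelled in portable C as an added example (not Mozilla's code): a hypothetical stand-in for the GetDlgItemTextW contract (it takes the text directly instead of reading a dialog item) is called once with sizeof(email), as the buggy code does, and once with the element count that the fix needs. The value of MAX_EMAIL_LENGTH and the sample input are assumed; the overrun factor is sizeof(wchar_t), which is 2 on Windows and may be 4 on the host running this.

```c
#include <stddef.h>
#include <wchar.h>

#define MAX_EMAIL_LENGTH 16   /* assumed; the real value is not on the page */

/* Portable stand-in for the GetDlgItemTextW contract (hypothetical): cchMax
   counts wchar_t slots INCLUDING the terminating NUL. Copies at most
   cchMax-1 characters, NUL-terminates, and returns characters copied. */
static size_t dlg_text_copy(const wchar_t *item_text, wchar_t *dst, size_t cchMax)
{
    if (cchMax == 0) return 0;
    size_t n = wcslen(item_text);
    if (n > cchMax - 1) n = cchMax - 1;
    wmemcpy(dst, item_text, n);
    dst[n] = L'\0';
    return n;
}

/* Slots (characters + NUL) the copy writes for a given cchMax. The backing
   store is sizeof(wchar_t) times larger than `email` so the demo itself stays
   in bounds even for the buggy byte-count call. */
static size_t slots_written(const wchar_t *item_text, size_t cchMax)
{
    wchar_t backing[sizeof(wchar_t) * MAX_EMAIL_LENGTH];
    return dlg_text_copy(item_text, backing, cchMax) + 1;
}

/* The call as in the bug: sizeof(email) is a byte count, not an element count. */
size_t slots_written_bytes_as_count(const wchar_t *item_text)
{
    wchar_t email[MAX_EMAIL_LENGTH];
    return slots_written(item_text, sizeof(email));
}

/* The corrected call: pass the number of wchar_t elements the buffer holds. */
size_t slots_written_element_count(const wchar_t *item_text)
{
    wchar_t email[MAX_EMAIL_LENGTH];
    return slots_written(item_text, sizeof(email) / sizeof(email[0]));
}

/* 1 if that many slots would run past the real MAX_EMAIL_LENGTH buffer. */
int slots_overflow(size_t slots) { return slots > MAX_EMAIL_LENGTH; }

/* Constructed sample input: 100 'a's, longer than either limit. */
const wchar_t *sample_long_email(void)
{
    static wchar_t buf[101];
    wmemset(buf, L'a', 100); buf[100] = L'\0';
    return buf;
}
```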
Comment 1 • 13 years ago
Valid bug but doesn't seem that the user is likely to hack themself by typing in a really really long email address.
Whiteboard: [sg:low] local
Updated • 11 years ago
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE