Bug 1659919 - try to fix crash [@ mime_LineBuffer ]. r=benc DONTBUILD
authorMagnus Melin <mkmelin+mozilla@iki.fi>
Tue, 25 Aug 2020 13:59:10 +0300
changeset 30449 f23742b724d6fc287b3af7d5f29b7515654c3908
parent 30448 230adf5285d387581540964d1de5059d467b7aab
child 30450 5f28a64eac96c8988db11e4e9660d5514c4f4b31
push id17885
push usermkmelin@iki.fi
push dateTue, 25 Aug 2020 10:59:52 +0000
reviewersbenc
bugs1659919
Bug 1659919 - try to fix crash [@ mime_LineBuffer ]. r=benc DONTBUILD Looks like illegal access of (*bufferP)[*buffer_fpP - 1]
mailnews/mime/src/mimebuf.cpp
--- a/mailnews/mime/src/mimebuf.cpp
+++ b/mailnews/mime/src/mimebuf.cpp
@@ -133,22 +133,21 @@ static int convert_and_send_buffer(
 }
 
 extern "C" int mime_LineBuffer(
     const char* net_buffer, int32_t net_buffer_size, char** bufferP,
     int32_t* buffer_sizeP, uint32_t* buffer_fpP, bool convert_newlines_p,
     int32_t (*per_line_fn)(char* line, uint32_t line_length, void* closure),
     void* closure) {
   int status = 0;
-  if (*buffer_fpP > 0 && *bufferP && (*bufferP)[*buffer_fpP - 1] == '\r' &&
-      net_buffer_size > 0 && net_buffer[0] != '\n') {
+  if (*buffer_fpP > 0 && *bufferP && (*buffer_fpP < (uint32_t)*buffer_sizeP) &&
+      (*bufferP)[*buffer_fpP - 1] == '\r' && net_buffer_size > 0 &&
+      net_buffer[0] != '\n') {
     /* The last buffer ended with a CR.  The new buffer does not start
        with a LF.  This old buffer should be shipped out and discarded. */
-    NS_ASSERTION((uint32_t)*buffer_sizeP > *buffer_fpP,
-                 "1.1 <rhp@netscape.com> 19 Mar 1999 12:00");
     if ((uint32_t)*buffer_sizeP <= *buffer_fpP) return -1;
     status = convert_and_send_buffer(*bufferP, *buffer_fpP, convert_newlines_p,
                                      per_line_fn, closure);
     if (status < 0) return status;
     *buffer_fpP = 0;
   }
   while (net_buffer_size > 0) {
     const char* net_buffer_end = net_buffer + net_buffer_size;
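Review bot: With `*buffer_fpP < (uint32_t)*buffer_sizeP` now in the outer condition, the retained `if ((uint32_t)*buffer_sizeP <= *buffer_fpP) return -1;` inside the branch can never fire, so a fill pointer at or past the buffer size is no longer reported as an error. Instead the pending CR-terminated data is silently not shipped and execution falls into the `while` loop with that inconsistent state; the loop body lies outside this hunk, so whether later writes into `*bufferP` tolerate it cannot be confirmed from here. Keeping the failure explicit ahead of the dereference, for example `if (*bufferP && *buffer_fpP > 0 && *buffer_fpP >= (uint32_t)*buffer_sizeP) return -1;` (or `>` if a completely full buffer is a legitimate state), and then deleting the dead check would preserve the old error path while still avoiding the out-of-bounds read. A negative `*buffer_sizeP` also turns into a very large value under the `(uint32_t)` cast and passes the new bound, so `if (*buffer_sizeP < 0) return -1;` is worth adding next to it.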