Bug 1052327 - Fix crash caused by buffer overrun. r=irving,a=Standard8
authorHiroyuki Ikezoe <hiikezoe@mozilla-japan.org>
Tue, 26 Aug 2014 19:24:34 +0100
changeset 20299 b49ed7b29adf671e2311885864fd220aaf7165a4
parent 20298 24b4cf6e8762b79aaa2171ccfe3cb7a19b6f3e9e
child 20300 8119bbfaa8f3c8172d7f733919d0748ec57d9039
push id1204
push usermbanner@mozilla.com
push dateWed, 27 Aug 2014 18:32:57 +0000
treeherdercomm-beta@90e071abfd6e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersirving, Standard8
bugs1052327
Bug 1052327 - Fix crash caused by buffer overrun. r=irving,a=Standard8
mailnews/local/src/nsParseMailbox.cpp
--- a/mailnews/local/src/nsParseMailbox.cpp
+++ b/mailnews/local/src/nsParseMailbox.cpp
@@ -927,17 +927,17 @@ nsresult nsParseMailMessageState::ParseH
 {
   char *buf = m_headers.GetBuffer();
   uint32_t buf_length = m_headers.GetBufferPos();
   char *buf_end = buf + buf_length;
   MOZ_ASSERT(buf_length > 1 && (buf[buf_length - 1] == '\r' ||
     buf[buf_length - 1] == '\n'), "Header text should always end in a newline");
   while (buf < buf_end)
   {
-    char *colon = PL_strnchr(buf, ':', buf_length);
+    char *colon = PL_strnchr(buf, ':', buf_end - buf);
     char *end;
     char *value = 0;
     struct message_header *header = 0;
     struct message_header receivedBy;
 
     if (! colon)
       break;