Bug 1411744 - Avoid uint_32 overflow that might result in a crash. r=aceman a=jorgk
authorJorg K <jorgk@jorgk.com>
Thu, 26 Oct 2017 23:50:52 +0200
changeset 29004 b5a0ec39fbcb2a015dfa24e4551c117de5cac723
parent 29003 57610e579accf11ebc24f0e2121f4d23e1d3039a
child 29005 2f70371c31db73e1028abc877d08a8883e8844c0
reviewersaceman, jorgk
bugs1411744
Bug 1411744 - Avoid uint_32 overflow that might result in a crash. r=aceman a=jorgk
mailnews/mime/src/mimedrft.cpp
--- a/mailnews/mime/src/mimedrft.cpp
+++ b/mailnews/mime/src/mimedrft.cpp
@@ -1478,28 +1478,35 @@ mime_parse_stream_complete(nsMIMESession
         else
           //We cannot use this kind of data for the message body! Therefore, move it as attachment
           bodyAsAttachment = true;
       }
       else
         composeFormat = nsIMsgCompFormat::PlainText;
 
       char *body = nullptr;
-      uint32_t bodyLen = 0;
 
       if (!bodyAsAttachment)
       {
         int64_t fileSize;
         nsCOMPtr<nsIFile> tempFileCopy;
         mdd->messageBody->m_tmpFile->Clone(getter_AddRefs(tempFileCopy));
         mdd->messageBody->m_tmpFile = do_QueryInterface(tempFileCopy);
         tempFileCopy = nullptr;
         mdd->messageBody->m_tmpFile->GetFileSize(&fileSize);
-        bodyLen = fileSize;
-        body = (char *)PR_MALLOC(bodyLen + 1);
+        uint32_t bodyLen = 0;
+
+        // The stream interface can only read up to 4GB (32bit uint).
+        // It is highly unlikely to encounter a body lager than that limit,
+        // so we just skip it instead of reading it in chunks.
+        if (fileSize < UINT32_MAX)
+        {
+          bodyLen = fileSize;
+          body = (char *)PR_MALLOC(bodyLen + 1);
+        }
         if (body)
         {
           memset(body, 0, bodyLen+1);
 
           uint32_t bytesRead;
           nsCOMPtr<nsIInputStream> inputStream;
 
           nsresult rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), mdd->messageBody->m_tmpFile);
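Review bot: The new guard `if (fileSize < UINT32_MAX)` compares a value that may never have been assigned: `int64_t fileSize;` on the context line above has no initializer and the nsresult from `GetFileSize(&fileSize)` is discarded, so a failed call leaves the comparison, and the narrowing `bodyLen = fileSize` behind it, operating on an indeterminate value, and a negative value would pass the check and wrap to a huge `bodyLen`, which is the overflow the commit sets out to prevent. Initializing the local to a sentinel and rejecting negatives closes that gap, `int64_t fileSize = -1;` and `if (fileSize >= 0 && fileSize < UINT32_MAX)`; with fileSize just below UINT32_MAX the later `bodyLen + 1` still fits, so the upper bound itself is fine. The added comment has a typo, `lager` should read `larger`. mime_parse_stream_complete starts and ends outside the hunk.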
@@ -1524,17 +1531,16 @@ mime_parse_stream_complete(nsMIMESession
             if (NS_FAILED(rv)) // Tough luck, ASCII/ISO-8859-1 then...
               CopyASCIItoUTF16(nsDependentCString(body), tmpUnicodeBody);
 
             char *newBody = ToNewUTF8String(tmpUnicodeBody);
             if (newBody)
             {
               PR_Free(body);
               body = newBody;
-              bodyLen = strlen(newBody);
             }
           }
           PR_FREEIF(mimeCharset);
         }
       }
 
       bool convertToPlainText = false;
       if (forward_inline)