Bug 1411744 - Avoid uint_32 overflow that might result in a crash. r=aceman a=jorgk
authorJorg K <jorgk@jorgk.com>
Thu, 26 Oct 2017 23:50:52 +0200
changeset 28091 90f4fd50969949021e59fc8c23dda97c972b088a
parent 28090 d194d0a89581217c08b75e0eb9a02a97a3b51322
child 28092 64782d6f760202c0be51842037f71c66ac00b3ee
push id1993
push usermozilla@jorgk.com
push dateTue, 21 Nov 2017 15:24:18 +0000
reviewersaceman, jorgk
bugs1411744
Bug 1411744 - Avoid uint_32 overflow that might result in a crash. r=aceman a=jorgk
mailnews/mime/src/mimedrft.cpp
--- a/mailnews/mime/src/mimedrft.cpp
+++ b/mailnews/mime/src/mimedrft.cpp
@@ -1335,28 +1335,35 @@ mime_parse_stream_complete (nsMIMESessio
         else
           //We cannot use this kind of data for the message body! Therefore, move it as attachment
           bodyAsAttachment = true;
       }
       else
         composeFormat = nsIMsgCompFormat::PlainText;
 
       char *body = nullptr;
-      uint32_t bodyLen = 0;
 
       if (!bodyAsAttachment)
       {
         int64_t fileSize;
         nsCOMPtr<nsIFile> tempFileCopy;
         mdd->messageBody->m_tmpFile->Clone(getter_AddRefs(tempFileCopy));
         mdd->messageBody->m_tmpFile = do_QueryInterface(tempFileCopy);
         tempFileCopy = nullptr;
         mdd->messageBody->m_tmpFile->GetFileSize(&fileSize);
-        bodyLen = fileSize;
-        body = (char *)PR_MALLOC (bodyLen + 1);
+        uint32_t bodyLen = 0;
+
+        // The stream interface can only read up to 4GB (32bit uint).
+        // It is highly unlikely to encounter a body lager than that limit,
+        // so we just skip it instead of reading it in chunks.
+        if (fileSize < UINT32_MAX)
+        {
+          bodyLen = fileSize;
+          body = (char *)PR_MALLOC(bodyLen + 1);
+        }
         if (body)
         {
           memset (body, 0, bodyLen+1);
 
           uint32_t bytesRead;
           nsCOMPtr <nsIInputStream> inputStream;
 
           nsresult rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), mdd->messageBody->m_tmpFile);
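Review bot: The new guard `if (fileSize < UINT32_MAX)` still accepts a negative or indeterminate size: `int64_t fileSize;` is declared without an initializer and the result of `GetFileSize(&fileSize)` is never checked, so when that call fails the value passes the test, `bodyLen = fileSize` truncates it to a large uint32_t (for -1 it becomes 0xFFFFFFFF and `bodyLen + 1` wraps to 0 in both `PR_MALLOC` and `memset`), and the subsequent read works with a buffer far smaller than bodyLen claims. Tightening the guard to `if (fileSize >= 0 && fileSize < UINT32_MAX)` and initializing `int64_t fileSize = -1;` closes that path; checking the nsresult returned by GetFileSize would be better still. The added comment also has a typo, "lager" for "larger". mime_parse_stream_complete begins and ends outside this hunk.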
@@ -1381,17 +1388,16 @@ mime_parse_stream_complete (nsMIMESessio
             if (NS_FAILED(rv)) // Tough luck, ASCII/ISO-8859-1 then...
               CopyASCIItoUTF16(nsDependentCString(body), tmpUnicodeBody);
 
             char *newBody = ToNewUTF8String(tmpUnicodeBody);
             if (newBody)
             {
               PR_Free(body);
               body = newBody;
-              bodyLen = strlen(newBody);
             }
           }
           PR_FREEIF(mimeCharset);
         }
       }
 
       bool convertToPlainText = false;
       if (forward_inline)