When doing forward inline of a message with another message attached in it, the memory get corrupted which lead to random crash. This problem is very easy to reproduce under MacOS X after you have applied the patch for bug 156958. Step to reproduce the problem: 1) Send a message to yourself (I personnaly encrypt & sign it but I don't know if it's matter) 2) Get the message and forward it as attachment 3 [details] [diff] [review]) Get the forwarded message and forward it inline ==> You might crash at any time now, if not, repeat step 3 couple times...

The crash occurs in the MacMemory Allocator code while freeing memory, but the stack trace is not always the same. This is cause by a memory corruption which destroy the information (especially the size) of a block which is just in front of the memory block itself. Either the Mac Memory Allocator code crash right away when the corrupted block is freed (in Block_Link) or the Mac Memory Allocator will owerwrite another section of the memory which could cause catastrophic result. So far I have seen the crash only on Mac but the initial memory corruption exist on all platform. Here is the offending code that cause the initial memory corruption: mimedrft.cpp, line 1836 PL_strcat(newAttachment->real_name, ".eml"); The problem is that newAttachment->real_name pointer is the size of the string it hold. Therefore when PL_strcat appends ".eml" to it, the next block in memory get overwritten. This potential crash exist since June 15, 2001 (this is caused by fix for bug 75449)

PR_smprintf will take care or allocating the needed memory

Comment on attachment 91965 [details] [diff] [review] Proposed fix, v1 r=varada

Comment on attachment 91965 [details] [diff] [review] Proposed fix, v1 sr=bienvenu

Nice catch. Just goes to show that strcat and friends are evil.

Comment on attachment 91965 [details] [diff] [review] Proposed fix, v1 a=scc for checkin to the mozilla trunk

adt1.0.1 (on ADT's behalf) approval for checkin to the 1.0 branch, pending drivers' approval. pls check this in asap, then replace "mozilla1.0.1+" with "fixed1.0.1". thanks!

Fix checked in the trunk.

a=chofmann for the branch

marking as "mozilla1.0.1+" per Comment #9 From chris hofmann.

Fix checked in the branch

marking as fixed1.0.1 per Comment #11 From Jean-Francois Ducarroz.

Verified this bug using 20020723 branch build on MacOSX (platform reported on) as well as Mac9.1 and Win2K. To verify this test, I repeated reporter's step 3 ten times, and no crash. Performed as expected.

Marking as VERIFIED