Bug 1668926 - fix Out-of-bounds write - morkWriter::StartGroup(). r=mkmelin

CID 1459776 Out-of-bounds write This could cause an immediate crash or incorrect computations. In morkWriter::StartGroup(morkEnv *): Out-of-bounds write to a buffer Differential Revision: https://phabricator.services.mozilla.com/D123543
2021-08-24 23:41:14 +00:00 · 2021-08-24 23:41:14 +00:00 · 2d388c5cc2
--- a/mailnews/db/mork/morkEnv.cpp
+++ b/mailnews/db/mork/morkEnv.cpp
@ -236,9 +236,11 @@ mork_u1 morkEnv::HexToByte(mork_ch inFirstHex, mork_ch inSecondHex) {
  return (mork_u1)((hi << 4) | lo);
 }

-mork_size morkEnv::TokenAsHex(void* outBuf, mork_token inToken)
 // TokenAsHex() is the same as sprintf(outBuf, "%lX", (long) inToken);
-{
+// Writes up to 32 hex digits, plus a NUL-terminator. So outBuf must
+// be at least 33 bytes.
+// Return value is number of characters written, excluding the NUL.
+mork_size morkEnv::TokenAsHex(void* outBuf, mork_token inToken) {
  static const char morkEnv_kHexDigits[] = "0123456789ABCDEF";
  char* p = (char*)outBuf;
  char* end = p + 32;  // write no more than 32 digits for safety
--- a/mailnews/db/mork/morkWriter.cpp
+++ b/mailnews/db/mork/morkWriter.cpp
@ -708,15 +708,16 @@ mork_bool morkWriter::StartGroup(morkEnv* ev) {
  mWriter_GroupBufFill = 0;
  // ev->TokenAsHex(mWriter_GroupBuf, groupID);
  if (idFill < morkWriter_kGroupBufSize) {
+    // TokenAsHex appends a '\0', but it's not included in idFill count.
    MORK_MEMCPY(mWriter_GroupBuf, p, idFill + 1);
    mWriter_GroupBufFill = idFill;
-  } else
-    *mWriter_GroupBuf = 0;
+  } else {
+    *mWriter_GroupBuf = '\0';
+  }

  p += idFill;
  *p++ = '{';
  *p++ = '@';
-  *p = 0;

  stream->PutLineBreak(ev);