aboutsummaryrefslogtreecommitdiffstats
path: root/mail/thunderbird3/files
diff options
context:
space:
mode:
authormarcus <marcus@FreeBSD.org>2004-09-28 11:26:29 +0800
committermarcus <marcus@FreeBSD.org>2004-09-28 11:26:29 +0800
commitf62d10f067cfffa25220c7c4014ab978b195e35c (patch)
tree5f731f4833b6f16a7f181ffd591419b78dd6e7de /mail/thunderbird3/files
parent96a3409ec6eed567bae672212be23c3bf33098a3 (diff)
downloadfreebsd-ports-graphics-f62d10f067cfffa25220c7c4014ab978b195e35c.tar.gz
freebsd-ports-graphics-f62d10f067cfffa25220c7c4014ab978b195e35c.tar.zst
freebsd-ports-graphics-f62d10f067cfffa25220c7c4014ab978b195e35c.zip
Patch the various recently reported security vulnerabilities in Mozilla.
This is being done instead of the update to 0.8 since we're in a ports freeze, and too many big changes is not a good idea. This update covers the following Mozilla bugs: 245066 226669 250862 255067 256316 257317 258005 Thanks to nectar for scraping all of these patches together. Obtained from: Mozilla CVS Approved by: portmgr (implicit)
Diffstat (limited to 'mail/thunderbird3/files')
-rw-r--r--mail/thunderbird3/files/patch-245066,226669228
-rw-r--r--mail/thunderbird3/files/patch-25086222
-rw-r--r--mail/thunderbird3/files/patch-25506760
-rw-r--r--mail/thunderbird3/files/patch-25631618
-rw-r--r--mail/thunderbird3/files/patch-25731431
-rw-r--r--mail/thunderbird3/files/patch-258005278
6 files changed, 637 insertions, 0 deletions
diff --git a/mail/thunderbird3/files/patch-245066,226669 b/mail/thunderbird3/files/patch-245066,226669
new file mode 100644
index 00000000000..00254916f22
--- /dev/null
+++ b/mail/thunderbird3/files/patch-245066,226669
@@ -0,0 +1,228 @@
+Index: mozilla/mailnews/local/src/nsPop3Protocol.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/local/src/nsPop3Protocol.cpp,v
+retrieving revision 1.214.2.1
+retrieving revision 1.214.2.1.2.1
+diff -u -r1.214.2.1 -r1.214.2.1.2.1
+--- mailnews/local/src/nsPop3Protocol.cpp 27 May 2004 14:54:03 -0000 1.214.2.1
++++ mailnews/local/src/nsPop3Protocol.cpp 27 Aug 2004 13:15:42 -0000 1.214.2.1.2.1
+@@ -61,7 +61,6 @@
+ #include "nsISignatureVerifier.h"
+
+ #define EXTRA_SAFETY_SPACE 3096
+-#define kLargeNumberOfMessages 50000
+
+ static PRLogModuleInfo *POP3LOGMODULE = nsnull;
+
+@@ -1791,11 +1790,11 @@
+
+
+ m_pop3ConData->msg_info = (Pop3MsgInfo *)
+- PR_CALLOC(sizeof(Pop3MsgInfo) *
+- (m_pop3ConData->number_of_messages < kLargeNumberOfMessages ? m_pop3ConData->number_of_messages : kLargeNumberOfMessages));
++ PR_CALLOC(sizeof(Pop3MsgInfo) * m_pop3ConData->number_of_messages);
+ if (!m_pop3ConData->msg_info)
+ return(MK_OUT_OF_MEMORY);
+ m_pop3ConData->next_state_after_response = POP3_GET_LIST;
++ m_listpos = 0;
+ return SendData(m_url, "LIST"CRLF);
+ }
+
+@@ -1837,6 +1836,9 @@
+ */
+ if(!PL_strcmp(line, "."))
+ {
++ // limit the list if fewer entries than given in STAT response
++ if(m_listpos < m_pop3ConData->number_of_messages)
++ m_pop3ConData->number_of_messages = m_listpos;
+ m_pop3ConData->next_state = POP3_SEND_UIDL_LIST;
+ m_pop3ConData->pause_for_read = PR_FALSE;
+ PR_Free(line);
+@@ -1848,24 +1850,15 @@
+ if (token)
+ {
+ msg_num = atol(token);
++ m_listpos++;
+
+- if(msg_num <= m_pop3ConData->number_of_messages && msg_num > 0)
++ if(m_listpos <= m_pop3ConData->number_of_messages && m_listpos > 0)
+ {
+ token = nsCRT::strtok(newStr, " ", &newStr);
+ if (token)
+- m_pop3ConData->msg_info[msg_num-1].size = atol(token);
+-
+- if (msg_num >= kLargeNumberOfMessages && msg_num < m_pop3ConData->number_of_messages)
+ {
+- m_pop3ConData->msg_info = (Pop3MsgInfo *) //allocate space for next entry
+- PR_REALLOC(m_pop3ConData->msg_info, sizeof(Pop3MsgInfo) * (msg_num + 1));
+- if (!m_pop3ConData->msg_info)
+- {
+- m_pop3ConData->number_of_messages = msg_num; //so that we don't try to free not allocated entries!
+- return(MK_OUT_OF_MEMORY);
+- }
+- m_pop3ConData->msg_info[msg_num].size = 0; //initialize
+- m_pop3ConData->msg_info[msg_num].uidl = nsnull;
++ m_pop3ConData->msg_info[m_listpos-1].size = atol(token);
++ m_pop3ConData->msg_info[m_listpos-1].msgnum = msg_num;
+ }
+ }
+ }
+@@ -2101,6 +2094,7 @@
+ {
+ m_pop3ConData->next_state_after_response = POP3_GET_XTND_XLST_MSGID;
+ m_pop3ConData->pause_for_read = PR_TRUE;
++ m_listpos = 0;
+ return SendData(m_url, "XTND XLST Message-Id" CRLF);
+ }
+ else
+@@ -2166,6 +2160,9 @@
+ */
+ if(!PL_strcmp(line, "."))
+ {
++ // limit the list if fewer entries than given in STAT response
++ if(m_listpos < m_pop3ConData->number_of_messages)
++ m_pop3ConData->number_of_messages = m_listpos;
+ m_pop3ConData->next_state = POP3_GET_MSG;
+ m_pop3ConData->pause_for_read = PR_FALSE;
+ PR_Free(line);
+@@ -2177,7 +2174,9 @@
+ if (token)
+ {
+ msg_num = atol(token);
+- if(msg_num <= m_pop3ConData->number_of_messages && msg_num > 0)
++ m_listpos++;
++
++ if(m_listpos <= m_pop3ConData->number_of_messages && m_listpos > 0)
+ {
+ /* char *eatMessageIdToken = nsCRT::strtok(newStr, " ", &newStr); */
+ char *uidl = nsCRT::strtok(newStr, " ", &newStr);/* not really a uidl but a unique token -km */
+@@ -2189,8 +2188,17 @@
+ there, I have no idea; must be a server bug. Or something. */
+ uidl = "";
+
+- m_pop3ConData->msg_info[msg_num-1].uidl = PL_strdup(uidl);
+- if (!m_pop3ConData->msg_info[msg_num-1].uidl)
++ // seeking right entry, but try the one that should it be first
++ PRInt32 i;
++ if(m_pop3ConData->msg_info[m_listpos - 1].msgnum == msg_num)
++ i = m_listpos - 1;
++ else
++ for(i = 0; m_pop3ConData->msg_info[i].msgnum != msg_num &&
++ i <= m_pop3ConData->number_of_messages; i++)
++ ;
++
++ m_pop3ConData->msg_info[i].uidl = PL_strdup(uidl);
++ if (!m_pop3ConData->msg_info[i].uidl)
+ {
+ PR_Free(line);
+ return MK_OUT_OF_MEMORY;
+@@ -2209,6 +2217,7 @@
+ {
+ m_pop3ConData->next_state_after_response = POP3_GET_UIDL_LIST;
+ m_pop3ConData->pause_for_read = PR_TRUE;
++ m_listpos = 0;
+ return SendData(m_url,"UIDL" CRLF);
+ }
+ else
+@@ -2264,6 +2273,9 @@
+ */
+ if(!PL_strcmp(line, "."))
+ {
++ // limit the list if fewer entries than given in STAT response
++ if(m_listpos < m_pop3ConData->number_of_messages)
++ m_pop3ConData->number_of_messages = m_listpos;
+ m_pop3ConData->next_state = POP3_GET_MSG;
+ m_pop3ConData->pause_for_read = PR_FALSE;
+ PR_Free(line);
+@@ -2275,7 +2287,9 @@
+ if (token)
+ {
+ msg_num = atol(token);
+- if(msg_num <= m_pop3ConData->number_of_messages && msg_num > 0)
++ m_listpos++;
++
++ if(m_listpos <= m_pop3ConData->number_of_messages && m_listpos > 0)
+ {
+ char *uidl = nsCRT::strtok(newStr, " ", &newStr);
+
+@@ -2286,8 +2300,17 @@
+ there, I have no idea; must be a server bug. Or something. */
+ uidl = "";
+
+- m_pop3ConData->msg_info[msg_num-1].uidl = PL_strdup(uidl);
+- if (!m_pop3ConData->msg_info[msg_num-1].uidl)
++ // seeking right entry, but try the one that should it be first
++ PRInt32 i;
++ if(m_pop3ConData->msg_info[m_listpos - 1].msgnum == msg_num)
++ i = m_listpos - 1;
++ else
++ for(i = 0; m_pop3ConData->msg_info[i].msgnum != msg_num &&
++ i <= m_pop3ConData->number_of_messages; i++)
++ ;
++
++ m_pop3ConData->msg_info[i].uidl = PL_strdup(uidl);
++ if (!m_pop3ConData->msg_info[i].uidl)
+ {
+ PR_Free(line);
+ return MK_OUT_OF_MEMORY;
+@@ -2603,7 +2626,7 @@
+ PRInt32 nsPop3Protocol::SendTop()
+ {
+ char * cmd = PR_smprintf( "TOP %ld 20" CRLF,
+- m_pop3ConData->last_accessed_msg+1);
++ m_pop3ConData->msg_info[m_pop3ConData->last_accessed_msg].msgnum);
+ PRInt32 status = -1;
+ if (cmd)
+ {
+@@ -2624,7 +2647,7 @@
+ */
+ PRInt32 nsPop3Protocol::SendXsender()
+ {
+- char * cmd = PR_smprintf("XSENDER %ld" CRLF, m_pop3ConData->last_accessed_msg+1);
++ char * cmd = PR_smprintf("XSENDER %ld" CRLF, m_pop3ConData->msg_info[m_pop3ConData->last_accessed_msg].msgnum);
+ PRInt32 status = -1;
+ if (cmd)
+ {
+@@ -2662,7 +2685,7 @@
+ nsPop3Protocol::SendRetr()
+ {
+
+- char * cmd = PR_smprintf("RETR %ld" CRLF, m_pop3ConData->last_accessed_msg+1);
++ char * cmd = PR_smprintf("RETR %ld" CRLF, m_pop3ConData->msg_info[m_pop3ConData->last_accessed_msg].msgnum);
+ PRInt32 status = -1;
+ if (cmd)
+ {
+@@ -3071,8 +3094,8 @@
+ {
+ /* increment the last accessed message since we have now read it
+ */
++ char * cmd = PR_smprintf("DELE %ld" CRLF, m_pop3ConData->msg_info[m_pop3ConData->last_accessed_msg].msgnum);
+ m_pop3ConData->last_accessed_msg++;
+- char * cmd = PR_smprintf("DELE %ld" CRLF, m_pop3ConData->last_accessed_msg);
+ PRInt32 status = -1;
+ if (cmd)
+ {
+Index: mozilla/mailnews/local/src/nsPop3Protocol.h
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/local/src/nsPop3Protocol.h,v
+retrieving revision 1.63
+retrieving revision 1.63.10.1
+diff -u -r1.63 -r1.63.10.1
+--- mailnews/local/src/nsPop3Protocol.h 8 Mar 2004 19:50:30 -0000 1.63
++++ mailnews/local/src/nsPop3Protocol.h 27 Aug 2004 13:15:42 -0000 1.63.10.1
+@@ -191,6 +191,7 @@
+ } Pop3UidlHost;
+
+ typedef struct Pop3MsgInfo {
++ PRInt32 msgnum;
+ PRInt32 size;
+ char* uidl;
+ } Pop3MsgInfo;
+@@ -350,6 +351,7 @@
+ void BackupAuthFlags();
+ void RestoreAuthFlags();
+ PRInt32 m_origAuthFlags;
++ PRInt32 m_listpos;
+
+ //////////////////////////////////////////////////////////////////////////////////////////
+ // Begin Pop3 protocol state handlers
diff --git a/mail/thunderbird3/files/patch-250862 b/mail/thunderbird3/files/patch-250862
new file mode 100644
index 00000000000..05423dc8419
--- /dev/null
+++ b/mail/thunderbird3/files/patch-250862
@@ -0,0 +1,22 @@
+Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js
+===================================================================
+RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v
+retrieving revision 1.32
+retrieving revision 1.32.88.1
+diff -u -r1.32 -r1.32.88.1
+--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32
++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1
+@@ -53,8 +53,11 @@
+ {
+ var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
+
+- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
+- if (!url || !url.length || url.indexOf(" ", 0) != -1)
++ // valid urls don't contain spaces ' '; if we have a space it
++ // isn't a valid url, or if it's a javascript: or data: url,
++ // bail out
++ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
++ /^\s*(javascript|data):/.test(url))
+ return;
+
+ switch (document.firstChild.getAttribute('windowtype')) {
diff --git a/mail/thunderbird3/files/patch-255067 b/mail/thunderbird3/files/patch-255067
new file mode 100644
index 00000000000..cddf17ca832
--- /dev/null
+++ b/mail/thunderbird3/files/patch-255067
@@ -0,0 +1,60 @@
+Index: mozilla/gfx/src/shared/gfxImageFrame.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v
+retrieving revision 1.26
+retrieving revision 1.26.12.1
+diff -u -r1.26 -r1.26.12.1
+--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26
++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1
+@@ -72,6 +72,13 @@
+ return NS_ERROR_FAILURE;
+ }
+
++ /* reject over-wide or over-tall images */
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
++ NS_ERROR("image too big");
++ return NS_ERROR_FAILURE;
++ }
++
+ nsresult rv;
+
+ mOffset.MoveTo(aX, aY);
+Index: mozilla/gfx/src/windows/nsImageWin.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v
+retrieving revision 3.130.2.1
+retrieving revision 3.130.2.1.6.1
+diff -u -r3.130.2.1 -r3.130.2.1.6.1
+--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1
++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1
+@@ -131,6 +131,10 @@
+ return NS_ERROR_UNEXPECTED;
+ }
+
++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if (aWidth > k64KLimit || aHeight > k64KLimit)
++ return NS_ERROR_FAILURE;
+
+ if (mNumPaletteColors >= 0){
+ // If we have a palette
+Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v
+retrieving revision 1.24.2.1
+retrieving revision 1.24.2.1.6.1
+diff -u -r1.24.2.1 -r1.24.2.1.6.1
+--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1
++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1
+@@ -274,7 +274,9 @@
+ CalcBitShift();
+ }
+ // BMPs with negative width are invalid
+- if (mBIH.width < 0)
++ // Reject extremely wide images to keep the math sane
++ const PRInt32 k64KWidth = 0x0000FFFF;
++ if (mBIH.width < 0 || mBIH.width > k64KWidth)
+ return NS_ERROR_FAILURE;
+
+ PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
diff --git a/mail/thunderbird3/files/patch-256316 b/mail/thunderbird3/files/patch-256316
new file mode 100644
index 00000000000..147d15e5303
--- /dev/null
+++ b/mail/thunderbird3/files/patch-256316
@@ -0,0 +1,18 @@
+Index: mozilla/netwerk/dns/src/nsIDNService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
+retrieving revision 1.18
+retrieving revision 1.18.10.1
+diff -u -r1.18 -r1.18.10.1
+--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18
++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1
+@@ -242,6 +242,9 @@
+
+ NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output)
+ {
++ // protect against bogus input
++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
++
+ nsAutoString outUTF16;
+ nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16);
+ if (NS_SUCCEEDED(rv))
diff --git a/mail/thunderbird3/files/patch-257314 b/mail/thunderbird3/files/patch-257314
new file mode 100644
index 00000000000..8bcc707b9dd
--- /dev/null
+++ b/mail/thunderbird3/files/patch-257314
@@ -0,0 +1,31 @@
+Index: nsVCardObj.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/addrbook/src/nsVCardObj.cpp,v
+retrieving revision 1.2
+retrieving revision 1.2.24.1
+diff -u -r1.2 -r1.2.24.1
+--- mailnews/addrbook/src/nsVCardObj.cpp 14 Sep 2003 21:45:58 -0000 1.2
++++ mailnews/addrbook/src/nsVCardObj.cpp 31 Aug 2004 07:44:25 -0000 1.2.24.1
+@@ -1344,16 +1344,13 @@
+
+ static void writeGroup(OFile *fp, VObject *o)
+ {
+- char buf1[256];
+- char buf2[256];
+- PL_strcpy(buf1,NAME_OF(o));
+- while ((o=isAPropertyOf(o,VCGroupingProp)) != 0) {
+- PL_strcpy(buf2,STRINGZ_VALUE_OF(o));
+- PL_strcat(buf2,".");
+- PL_strcat(buf2,buf1);
+- PL_strcpy(buf1,buf2);
++ nsCAutoString buf(NAME_OF(o));
++
++ while ((o=isAPropertyOf(o,VCGroupingProp)) != 0) {
++ buf.Insert(NS_LITERAL_CSTRING("."), 0);
++ buf.Insert(STRINGZ_VALUE_OF(o), 0);
+ }
+- appendsOFile(fp,buf1);
++ appendsOFile(fp, buf.get());
+ }
+
+ static int inList(const char **list, const char *s)
diff --git a/mail/thunderbird3/files/patch-258005 b/mail/thunderbird3/files/patch-258005
new file mode 100644
index 00000000000..fc20d4b596c
--- /dev/null
+++ b/mail/thunderbird3/files/patch-258005
@@ -0,0 +1,278 @@
+Index: nsMsgCompUtils.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/compose/src/nsMsgCompUtils.cpp,v
+retrieving revision 1.161
+retrieving revision 1.161.10.1
+diff -u -r1.161 -r1.161.10.1
+--- mailnews/compose/src/nsMsgCompUtils.cpp 12 Mar 2004 07:23:38 -0000 1.161
++++ mailnews/compose/src/nsMsgCompUtils.cpp 8 Sep 2004 19:27:53 -0000 1.161.10.1
+@@ -821,16 +821,7 @@
+ nsresult rv;
+ nsCOMPtr<nsIPref> prefs(do_GetService(kPrefCID, &rv));
+
+- PRInt32 buffer_size = 2048 + (real_name ? 2*PL_strlen(real_name) : 0) + (base_url ? 2*PL_strlen(base_url) : 0) +
+- (type_param ? PL_strlen(type_param) : 0) + (encoding ? PL_strlen(encoding) : 0) +
+- (description ? PL_strlen(description) : 0) + (x_mac_type ? PL_strlen(x_mac_type) : 0) +
+- (x_mac_creator ? PL_strlen(x_mac_creator) : 0) + (attachmentCharset ? PL_strlen(attachmentCharset) : 0) +
+- (bodyCharset ? PL_strlen(bodyCharset) : 0) + (content_id ? PL_strlen(content_id) : 0);
+- char *buffer = (char *) PR_Malloc (buffer_size);
+- char *buffer_tail = buffer;
+-
+- if (! buffer)
+- return 0; /* NS_ERROR_OUT_OF_MEMORY */
++ nsCString buf("");
+
+ NS_ASSERTION (encoding, "null encoding");
+
+@@ -874,14 +865,13 @@
+ }
+ }
+
+- PUSH_STRING ("Content-Type: ");
+- PUSH_STRING (type);
+-
++ buf.Append("Content-Type: ");
++ buf.Append(type);
+ if (type_param && *type_param)
+ {
+ if (*type_param != ';')
+- PUSH_STRING("; ");
+- PUSH_STRING(type_param);
++ buf.Append("; ");
++ buf.Append(type_param);
+ }
+
+ if (mime_type_needs_charset (type))
+@@ -918,8 +908,8 @@
+ (PL_strcasecmp(encoding, ENCODING_BASE64) != 0)) &&
+ (*charset_label))
+ {
+- PUSH_STRING ("; charset=");
+- PUSH_STRING (charset_label);
++ buf.Append("; charset=");
++ buf.Append(charset_label);
+ }
+ }
+
+@@ -930,7 +920,7 @@
+ if(type && !PL_strcasecmp(type, "text/plain"))
+ {
+ if(UseFormatFlowed(bodyCharset))
+- PUSH_STRING ("; format=flowed");
++ buf.Append("; format=flowed");
+ // else
+ // {
+ // Don't add a markup. Could use
+@@ -942,59 +932,59 @@
+ }
+
+ if (x_mac_type && *x_mac_type) {
+- PUSH_STRING ("; x-mac-type=\"");
+- PUSH_STRING (x_mac_type);
+- PUSH_STRING ("\"");
++ buf.Append("; x-mac-type=\"");
++ buf.Append(x_mac_type);
++ buf.Append("\"");
+ }
+
+ if (x_mac_creator && *x_mac_creator) {
+- PUSH_STRING ("; x-mac-creator=\"");
+- PUSH_STRING (x_mac_creator);
+- PUSH_STRING ("\"");
++ buf.Append("; x-mac-creator=\"");
++ buf.Append(x_mac_creator);
++ buf.Append("\"");
+ }
+
+ #ifdef EMIT_NAME_IN_CONTENT_TYPE
+ if (encodedRealName && *encodedRealName) {
+ if (parmFolding == 0 || parmFolding == 1) {
+- PUSH_STRING (";\r\n name=\"");
+- PUSH_STRING (encodedRealName);
+- PUSH_STRING ("\"");
++ buf.Append(";\r\n name=\"");
++ buf.Append(encodedRealName);
++ buf.Append("\"");
+ }
+ else // if (parmFolding == 2)
+ {
+ char *rfc2231Parm = RFC2231ParmFolding("name", charset.get(),
+ nsMsgI18NGetAcceptLanguage(), encodedRealName);
+ if (rfc2231Parm) {
+- PUSH_STRING(";\r\n ");
+- PUSH_STRING(rfc2231Parm);
++ buf.Append(";\r\n ");
++ buf.Append(rfc2231Parm);
+ PR_Free(rfc2231Parm);
+ }
+ }
+ }
+ #endif /* EMIT_NAME_IN_CONTENT_TYPE */
++ buf.Append(CRLF);
+
+- PUSH_NEWLINE ();
++ buf.Append("Content-Transfer-Encoding: ");
++ buf.Append(encoding);
+
+- PUSH_STRING ("Content-Transfer-Encoding: ");
+- PUSH_STRING (encoding);
+- PUSH_NEWLINE ();
++ buf.Append(CRLF);
+
+ if (description && *description) {
+ char *s = mime_fix_header (description);
+ if (s) {
+- PUSH_STRING ("Content-Description: ");
+- PUSH_STRING (s);
+- PUSH_NEWLINE ();
++ buf.Append("Content-Description: ");
++ buf.Append(s);
++ buf.Append(CRLF);
+ PR_Free(s);
+ }
+ }
+
+ if ( (content_id) && (*content_id) )
+ {
+- PUSH_STRING ("Content-ID: <");
+- PUSH_STRING (content_id);
+- PUSH_STRING (">");
+- PUSH_NEWLINE ();
++ buf.Append("Content-ID: <");
++ buf.Append(content_id);
++ buf.Append(">");
++ buf.Append(CRLF);
+ }
+
+ if (encodedRealName && *encodedRealName) {
+@@ -1004,15 +994,15 @@
+ rv = prefs->GetIntPref("mail.content_disposition_type", &pref_content_disposition);
+ NS_ASSERTION(NS_SUCCEEDED(rv), "failed to get mail.content_disposition_type");
+
+- PUSH_STRING ("Content-Disposition: ");
++ buf.Append("Content-Disposition: ");
+
+ if (pref_content_disposition == 1)
+- PUSH_STRING ("attachment");
++ buf.Append("attachment");
+ else
+ if (pref_content_disposition == 2 &&
+ (!PL_strcasecmp(type, TEXT_PLAIN) ||
+ (period && !PL_strcasecmp(period, ".txt"))))
+- PUSH_STRING("attachment");
++ buf.Append("attachment");
+
+ /* If this document is an anonymous binary file or a vcard,
+ then always show it as an attachment, never inline. */
+@@ -1020,23 +1010,23 @@
+ if (!PL_strcasecmp(type, APPLICATION_OCTET_STREAM) ||
+ !PL_strcasecmp(type, TEXT_VCARD) ||
+ !PL_strcasecmp(type, APPLICATION_DIRECTORY)) /* text/x-vcard synonym */
+- PUSH_STRING ("attachment");
++ buf.Append("attachment");
+ else
+- PUSH_STRING ("inline");
++ buf.Append("inline");
+
+ if (parmFolding == 0 || parmFolding == 1) {
+- PUSH_STRING (";\r\n filename=\"");
+- PUSH_STRING (encodedRealName);
+- PUSH_STRING ("\"" CRLF);
++ buf.Append(";\r\n filename=\"");
++ buf.Append(encodedRealName);
++ buf.Append("\"" CRLF);
+ }
+ else // if (parmFolding == 2)
+ {
+ char *rfc2231Parm = RFC2231ParmFolding("filename", charset.get(),
+ nsMsgI18NGetAcceptLanguage(), encodedRealName);
+ if (rfc2231Parm) {
+- PUSH_STRING(";\r\n ");
+- PUSH_STRING(rfc2231Parm);
+- PUSH_NEWLINE ();
++ buf.Append(";\r\n ");
++ buf.Append(rfc2231Parm);
++ buf.Append(CRLF);
+ PR_Free(rfc2231Parm);
+ }
+ }
+@@ -1045,7 +1035,7 @@
+ if (type &&
+ (!PL_strcasecmp (type, MESSAGE_RFC822) ||
+ !PL_strcasecmp (type, MESSAGE_NEWS)))
+- PUSH_STRING ("Content-Disposition: inline" CRLF);
++ buf.Append("Content-Disposition: inline" CRLF);
+
+ #ifdef GENERATE_CONTENT_BASE
+ /* If this is an HTML document, and we know the URL it originally
+@@ -1079,9 +1069,9 @@
+ prefs->GetBoolPref("mail.use_content_location_on_send", &useContentLocation);
+
+ if (useContentLocation)
+- PUSH_STRING ("Content-Location: \"");
++ buf.Append("Content-Location: \"");
+ else
+- PUSH_STRING ("Content-Base: \"");
++ buf.Append("Content-Base: \"");
+ /* rhp - Pref for Content-Location usage */
+
+ /* rhp: this is to work with the Content-Location stuff */
+@@ -1089,34 +1079,34 @@
+
+ while (*s != 0 && *s != '#')
+ {
+- const char *ot = buffer_tail;
+-
++ PRUint32 ot=buf.Length();
++ char tmp[]="\x00\x00";
+ /* URLs must be wrapped at 40 characters or less. */
+ if (col >= 38) {
+- PUSH_STRING(CRLF "\t");
++ buf.Append(CRLF "\t");
+ col = 0;
+ }
+
+ if (*s == ' ')
+- PUSH_STRING("%20");
++ buf.Append("%20");
+ else if (*s == '\t')
+- PUSH_STRING("%09");
++ buf.Append("%09");
+ else if (*s == '\n')
+- PUSH_STRING("%0A");
++ buf.Append("%0A");
+ else if (*s == '\r')
+- PUSH_STRING("%0D");
++ buf.Append("%0D");
+ else {
+- *buffer_tail++ = *s;
+- *buffer_tail = '\0';
++ tmp[0]=*s;
++ buf.Append(tmp);
+ }
+ s++;
+- col += (buffer_tail - ot);
++ col += (buf.Length() - ot);
+ }
+- PUSH_STRING ("\"" CRLF);
++ buf.Append("\"" CRLF);
+
+ /* rhp: this is to try to get around this fun problem with Content-Location */
+ if (!useContentLocation) {
+- PUSH_STRING ("Content-Location: \"");
++ buf.Append("Content-Location: \"");
+ s = base_url;
+ col = 0;
+ useContentLocation = PR_TRUE;
+@@ -1130,10 +1120,9 @@
+ #endif /* GENERATE_CONTENT_BASE */
+
+ /* realloc it smaller... */
+- buffer = (char*) PR_REALLOC (buffer, buffer_tail - buffer + 1);
+
+ PR_FREEIF(encodedRealName);
+- return buffer;
++ return PL_strdup(buf.get());
+ }
+
+ static PRBool isValidHost( const char* host )