Bugtraq mailing list archives

Buffer Overflow in Gecko/Netscape 5.0/6.0?


From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com>
Date: Sat, 16 Mar 2002 15:18:33 -0500

We've been investigating a problem that seems to occur whenever Netscape
6.0 or Mozilla Gecko 5.0 receive Multipart/Mixed information, that
appears to be a buffer overflow or in the code.  At the very least,
there appears to be a condition allowing a partial memory dump to the
screen.

Please view the screenshot at http://www.networkdweebs.com/screenbug.gif
and you will notice that prior to any useful text in the window is a
couple lines of junk text.  This text appears to be random every time,
and in fact, some of the text that was actually sent as the HTML code is
not even being displayed.  After thoroughly testing our code, as well as
Apache's web server code, we've come to the conclusion that the cause of
this must be the web browser itself.  Netscape v4.x does not experience
this problem nor do any versions of MSIE. 

I've included a snippet of the packet data taken from a snoop, which
shows that the data being sent to the web browser is correct and does
not contain this junk information.  For a complete transcript of the
packet data, see http://www.networkdweebs.com/screenbug.txt

I've tried contacting netscape but to no avail.  This problem seems to
affect both Linux and Windows web browsers.  I'd love to hear from
anyone with any useful information about this.

[SNIP]

           0: 00d0 7d04 2ba3 00e0 1807 1aed 0800 4500    ..}.+.........E.
          16: 0072 1dd5 4000 4006 4d74 d133 8842 a228    .r..@.@.Mt.3.B.(
          32: d39e 1f90 6fbd bd69 718b d56b 9e94 8018    ....o..iq..k....
          48: 8218 66a8 0000 0101 080a 032c efa8 0000    ..f........,....
          64: f5cb 4854 5450 2f31 2e31 2032 3030 0a43    ..HTTP/1.1 200.C
          80: 6f6e 7465 6e74 2d74 7970 653a 206d 756c    ontent-type: mul
          96: 7469 7061 7274 2f6d 6978 6564 3b62 6f75    tipart/mixed;bou
         112: 6e64 6172 793d 424c 4148 424c 4148 0a0a    ndary=BLAHBLAH..

           0: 00d0 7d04 2ba3 00e0 1807 1aed 0800 4500    ..}.+.........E.
          16: 00da 1dd6 4000 4006 4d0b d133 8842 a228    ....@.@.M..3.B.(
          32: d39e 1f90 6fbd bd69 71c9 d56b 9e94 8018    ....o..iq..k....
          48: 8218 7593 0000 0101 080a 032c efa9 0000    ..u........,....
          64: f5cb 3c48 544d 4c3e 3c42 4f44 5920 4247    ..<HTML><BODY BG
          80: 434f 4c4f 523d 4646 4646 4646 2054 4558    COLOR=FFFFFF TEX
          96: 543d 3030 3030 3030 204c 494e 4b3d 3030    T=000000 LINK=00
         112: 3838 4646 2056 4c49 4e4b 3d46 4638 3846    88FF VLINK=FF88F
         128: 463e 0a2d 2d42 4c41 4842 4c41 480a 436f    F>.--BLAHBLAH.Co
         144: 6e74 656e 742d 7479 7065 3a20 7465 7874    ntent-type: text
         160: 2f68 746d 6c0a 0a3c 4854 4d4c 3e3c 424f    /html..<HTML><BO
         176: 4459 2042 4743 4f4c 4f52 3d46 4646 4646    DY BGCOLOR=FFFFF
         192: 4620 5445 5854 3d30 3030 3030 3020 4c49    F TEXT=000000 LI
         208: 4e4b 3d30 3038 3846 4620 564c 494e 4b3d    NK=0088FF VLINK=
         224: 4646 3838 4646 3e0a                        FF88FF>.

           0: 00d0 7d04 2ba3 00e0 1807 1aed 0800 4500    ..}.+.........E.
          16: 01e9 1dd9 4000 4006 4bf9 d133 8842 a228    ....@.@.Kù.3.B.(
          32: d39e 1f90 6fbd bd69 726f d56b 9e94 8018    ....o..iro.k....
          48: 8218 1bff 0000 0101 080a 032c efb3 0000    ...........,....
          64: f5cb 3c46 4f4e 5420 4641 4345 3d41 5249    ..<FONT FACE=ARI
          80: 414c 2053 495a 453d 2b31 3e3c 423e 426f    AL SIZE=+1><B>Bo
          96: 623c 2f46 4f4e 543e 3c2f 423e 205b 3c46    b</FONT></B> [<F
         112: 4f4e 5420 434f 4c4f 523d 424c 5545 206f    ONT COLOR=BLUE o
         128: 6e4d 6f75 7365 4f76 6572 3d22 7374 796c    nMouseOver="styl
         144: 652e 666f 6e74 5765 6967 6874 3d27 626f    e.fontWeight='bo

[SNIP]
