Closed Bug 225125 Opened 21 years ago Closed 21 years ago

open / save dialog (file picker) causes crash with files with characters outside the repertoire of the current locale encoding in their names

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mikael, Assigned: jshin1987)

References

Details

(Keywords: crash, intl)

Attachments

(1 file, 1 obsolete file)

a patch
2.61 KB, patch
smontagu
: review+
darin.moz
: superreview+
mkaply
: approval1.6+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20031029
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20031029

With filenames of certain length and with certain characters in the directory
mozilla tries to show in the open/save dialogs causes imidiate crash (you never
even see which directory it is trying to show)

Example of a filename: "ehy dajf oisa (2000) ks zz dd Z - jsadoif å 244728.txt"
(without the quotes and notice the character "å" dec: 134, hex: 86)

Reproducible: Always

Steps to Reproduce:
1. Command line: echo "test" > "ehy dajf oisa (2000) ks zz dd Z - jsadoif å
244728.txt"
2. Mozilla: Open-File and go to directory contaning the file created above.
3. Mozilla: Open dialog goes white, crash after 1-2 seconds.

Actual Results:  
Crash

Expected Results:  
Shown the files in the directory.

Same results on Mozilla 1.5.
what does "locale" output on your system?
It was set to "POSIX", when I changed it to "sv_SE" Mozilla doesn't crash.
Thanks. But should POSIX really cause Mozilla to crash?
Given an nsCOMPtr<nsIFile> pointing to that file, if I call GetLeafName the
nsCOMPtr value gets clobbered to 0x1 (and the release() it does in its
destructor crashes, of course).  All this only in the POSIX locale so far...

If I replace NS_CopyNativeToUnicode with CopyASCIItoUCS2 in the GET_UCS macro,
things seem to be good...

Now the string we pass to the macro is in fact the leafname of that file (with
that non-ASCII char in it).

The problem, of course, is that NS_CopyNativeToUnicode is just busted.  It calls
nsNativeCharsetConverter::NativeToUnicode, which calls xp_iconv to do the
conversion.  If this fails, instead of returning an error (which would be
useful) it warns and tries to call isolatin1_to_utf16.

But the problem, is that it passes the same pointer-to-buffer to
isolatin1_to_utf16 that it passed to xp_iconv.  xp_iconv increments this
pointer-to-buffer (see "man 3 iconv", information on the outbuf**).  Oh, it
increments the input buffer pointer too.  So the point is, after the xp_iconv
call, the "input" and "output" pointers are bogus, especially if the conversion
failed... In any case, using the updated "input" but NOT the updated "inputLeft"
(which is what we do) is just wrong -- we will read off the end of the input
string, in addition to everything else.  So I suspect we simply end up running
off the end of the internal buffer of the output string and writing all over the
stack.  The fact that the filename is 71 chars means it's long enough for that
to happen (the internal buffer is only 80 chars, as I recall).
Assignee: file-handling → smontagu
Status: UNCONFIRMED → NEW
Component: File Handling → Internationalization
Ever confirmed: true
QA Contact: amyy
Attached patch Illustration (obsolete) — Splinter Review 
This patch fixes the crash by keeping us from running off the end of the output
string... not that this makes us have anything like correct behavior, so it
shouldn't be checked in, but it does confirm my theory... ;)
Keywords: crash
I'm wondering what to do with this bug. We might want to 'fix' this in steps. 
To prevent the crash, I guess bz's patch is fine except that the
equivalent has to be done in #UTF8_FALLBACK block. 

Then, we should do the right thing. That is, we have to handle errors from
iconv(3) more gracefully. Replacing unconvertible chars by '?' is one of
ways we can pursue.  
The right way to fix this bug, imo, is to pass _copies_ of the pointers to the
data to iconv, so when it advances the pointers we still have the originals and
can try calling iconv with them in the fallback.

This bug totally slipped off my radar, but imo it should be a blocker for 1.6;
we need to either fix the crash or remove the fallback until we can do it right
for this release....
Flags: blocking1.6?
*** Bug 219969 has been marked as a duplicate of this bug. ***
Summary: open / save dialog causes crash with certain files in current/home directory → open / save dialog (file picker) causes crash with certain files (non-ascii characters) in current/home directory
re comment #6: yes, let's do the former. Later, we can work on what I suggested 
in the 2nd para of comment #5. Do you want me to make a patch (you're still out 
of town, right?)? As smontagu is on vacation, I'm taking it over.
Assignee: smontagu → jshin
Keywords: intl
Summary: open / save dialog (file picker) causes crash with certain files (non-ascii characters) in current/home directory → open / save dialog (file picker) causes crash with files with characters outside the repertoire of the current locale encoding in their names
Attached patch a patchSplinter Review 
After writing my last comment, I realized that the approach of attachment
135131 [details] [diff] [review](bz's original patch) is better than what he suggested later. With that
approach, we have a higher chance of showing filenames 'correctly' (at least up
to the point where an invalid input is detected) than otherwise. This patch is
an extension to attachment 135131 [details] [diff] [review] for platforms where UTF-8 fallback is used
(e.g. Solaris)
Attachment #135131 - Attachment is obsolete: true
Comment on attachment 137696 [details] [diff] [review]
a patch

>Index: xpcom/io/nsNativeCharsetUtils.cpp

>+    // back up input and ouput pointers for the fallback case
>+    const char *in = *input;
>+    PRUnichar *out = *output;
>+

Sorry, the above lines should have been removed before I made a patch.

With that in mind, would you review?
Attachment #137696 - Flags: superreview?(darin)
Attachment #137696 - Flags: review?(dougt)
Flags: blocking1.6? → blocking1.6+
Attachment #137696 - Flags: superreview?(darin) → superreview+
Comment on attachment 137696 [details] [diff] [review]
a patch

I'm not sure that I agree with comment 9, specifically that "With that
approach, we have a higher chance of showing filenames 'correctly' (at least up
to the point where an invalid input is detected) than otherwise."

If a filename contains an invalid codepoint in what we believed to be the
encoding, doesn't that make it more likely that what we already decoded
contained codepoints that were nominally valid, but still incorrect? I guess it
depends on the scenario, and which exact encodings are involved.

Since a crash is involved, the approach suggested in comment 5 makes sense.
r=smontagu and let's work on doing the right thing later.
Attachment #137696 - Flags: review?(dougt) → review+
Yeah, now I agree with you (comment #11). After uploading the patch, asking for
r/sr, working on bug 229032 (where I want to replace some calls to our
converters with native charset utils),  I realized that either just returning an
error or implementing bz's second option (doing the fallback conversion from the
beginning instead of the place where invalid octets are found) is more 'robust'
even as the _first_ step. I'm landing it now because it'll stop crash and gonna
ask for a1.6


During 1.7-cycle, we have to decide exactly what to do (return NS_FAILURE_XXX,
NS_SUCCESS_YYYY, what fallback to use...). So, I'll keep this open.
so did this make it into 1.6?  if so lets mark fixed, and reopen another bug for
the continuing work...  that will make sure the right things happen for testing,
verification, and tracking of 1.6 changes...
If we want this for 1.6, someone who feels confident about the patch needs to
request approval...
Comment on attachment 137696 [details] [diff] [review]
a patch

asking for a1.6
(I wanted to try one more time before asking for a1.6)

This is to prevent Mozilla from crashing when it comes across a long filename
with characters not covered by the current locale encoding. 

affected platform : Linux and other Unix platforms with iconv


risk : low. this patch adds a fallback to prevent crash.
Attachment #137696 - Flags: approval1.6?
Comment on attachment 137696 [details] [diff] [review]
a patch

a=mkaply - please get this in quickly.
Attachment #137696 - Flags: approval1.6? → approval1.6+
fix checked into the trunk
 sorry for bug spam. s/the trunk/the 1.6branch/________________________
   for further work discussed, I'm keeping it open._
Status: NEW → ASSIGNED
need to mark this one fixed, and open a new bug for the future work.   that
ensures that testing, release note, and chance tracking logs for the release
will pick up this work as part of 1.6.   thx...
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
*** Bug 236927 has been marked as a duplicate of this bug. ***
*** Bug 217724 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: