Closed Bug 161634 Opened 22 years ago Closed 22 years ago

[ps] envvar should not be freed after PR_SetEnv

Categories

(Core :: Printing: Output, defect)

Product:
Core
Component:
Printing: Output
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.2alpha

People

(Reporter: ajschult784, Assigned: roland.mainz)

References

Details

(Keywords: fixedOEM)

Attachments

(3 files, 2 obsolete files)

New patch for 2002-08-04-08-trunk
2.07 KB, patch
dcone
: review+
Details | Diff | Splinter Review
same as previous one, using diff -u
2.31 KB, patch
bzbarsky
: superreview+
Details | Diff | Splinter Review
final patch(r=dcone, sr=bzbarsky)
2.32 KB, patch
jesup
: review+
jesup
: superreview+
jesup
: approval+
Details | Diff | Splinter Review 
this is a regression from bug 84947
http://lxr.mozilla.org/mozilla/source/gfx/src/ps/nsPostScriptObj.cpp#381

381         PR_SetEnv(envvar);
382         free(envvar);

this is bad.  Linux seems to copy by reference instead of copying the data. 
From prenv.h:

**   The caller must ensure that the string passed
**   to PR_SetEnv() is persistent. That is: The string should
**   not be on the stack, where it can be overwritten
**   on return from the function calling PR_SetEnv().
**   Similarly, the string passed to PR_SetEnv() must not be
**   overwritten by other actions of the process. ... Some
**   platforms use the string by reference rather than copying
**   it into the environment space. ... You have been warned!
I'd say this is more like critical... this is a crash or security problem
waiting to happen.
Severity: normal → critical
PR_SetEnv is sitting on top of putenv on unix and the putenv semantics 
require that a name=value string be used as is. The address is put into 
the new environment but the string itself is *not* copied. It's used as 
is. A wonderful way to leak memory and cause crashes.

Maybe this is actually a nspr bug, nsprpub/pr/include/prenv.h says
 NSPR_API(PRStatus) PR_SetEnv(const char *string);
but, if you build mozilla with enough warnings turned on, you'll get a 
message about the function discarding 'const'. A big hint if anyone ever 
looks at warnings.
Nice catch... :)
... accepting bug.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.2alpha
*** Bug 143480 has been marked as a duplicate of this bug. ***
Summary: envvar should not be freed after PR_SetEnv → [ps] envvar should not be freed after PR_SetEnv
*** Bug 136146 has been marked as a duplicate of this bug. ***
Attached patch Patch for 2002-08-04-08-trunk (obsolete) — Splinter Review 
I replaced the dynamically allocated buffer with a |static| buffer - this
should be sufficient to fix the problem.
Keywords: patch, review
The first patch does only work the first time we print, any following print
session doesn't work since we're writing to memory which is still linked to the
env var pool... - this new patch should fix that (in theory) ...
Attachment #94581 - Attachment is obsolete: true
dcone, syd
can you r=
Comment on attachment 94588 [details] [diff] [review]
New patch for 2002-08-04-08-trunk

r=dcone
Attachment #94588 - Flags: review+
Comment on attachment 94588 [details] [diff] [review]
New patch for 2002-08-04-08-trunk

>+        PR_SetEnv("MOZ_PRINTER_NAME=dummy_value_to_make_putenv_happy");
>+
>         sprintf(envvar, "MOZ_PRINTER_NAME=%s", printername);

That needs to become an snprintf so we don't write outside our buffer, no?
Attachment #94588 - Flags: needs-work+
Attached patch new patch (obsolete) — Splinter Review 
using snprintf instead sprintf for safty

        Attachment #95345 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 95354 [details] [diff] [review]
same as previous one, using diff -u

> nchars > ARG_MAX

that should be '>=', not '>' (since if your string is ARG_MAX chars it will get
truncated by one char and ARG_MAX will be the return value with recent libc
versions).  

sr=bzbarsky with that change.

        Attachment #95354 -
        Flags: superreview+

    
    

    
  
actaully, as Louie just noticed, that should not be "return sprintf".  And the
temporary should be PRInt32, not "int".

    
    

    
  
checked in trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

    
  
Whiteboard: branchOEM

    
  
Whiteboard: branchOEM → branchOEM+

    
    

    
  
checked in NETSCAPE_7_0_OEM_BRANCH (a=jdunn)
Whiteboard: branchOEM+ → branchOEM+ fixedOEM

    
  
Keywords: review
Whiteboard: branchOEM+ fixedOEM → fixedOEM

    
    

    
  
*** Bug 134914 has been marked as a duplicate of this bug. ***

    
  
Blocks: 168057

    
    

    
  
Nominating for 1.0.2-branch...
Keywords: mozilla1.0.2

    
    

    
  
Comment on attachment 95361 [details] [diff] [review]
final patch(r=dcone, sr=bzbarsky)

Marking the r/sr.
a=rjesup@wgate.com for 1.0 branch.  you know the drill

        Attachment #95361 -
        Flags: superreview+

        Attachment #95361 -
        Flags: review+

        Attachment #95361 -
        Flags: approval+

    
  
Keywords: fixedOEM
Whiteboard: fixedOEM

    
    

    
  
*** Bug 172726 has been marked as a duplicate of this bug. ***

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: