Closed
Bug 166835
Opened 22 years ago
Closed 22 years ago
10.2: InitWithNativePath crashes when given a path with an extremely long component
Categories
(Core :: XPCOM, defect)
RESOLVED
FIXED
People
(Reporter: ccarlen, Assigned: ccarlen)
Details
(Keywords: crash)
Attachments
(4 files)
Bug 160006 and bug 159987 are both manifestations of this problem - combining into this bug.
Comment 1 (Assignee) • 22 years ago
*** Bug 160006 has been marked as a duplicate of this bug. ***
Comment 2 (Assignee) • 22 years ago
*** Bug 159987 has been marked as a duplicate of this bug. ***
Comment 3 (Assignee) • 22 years ago
Other test case: http://hopey.mcom.com/tests/security/buffer-overflow/a-value.html
For both, the file must be saved locally to see the crash. This is happening only on 10.2 with the nsLocalFile impl used by Chimera. The crash happens because ::CFURLGetFSRef crashes when fed such a path - new bug in 10.2.
Status: NEW → ASSIGNED
Comment 4 • 22 years ago
thanks to sfraser for the testcase.
Comment 5 • 22 years ago
all you need to do to crash is click the link to attachment 97983 -- you don't even have to download it locally. the change here is that "file:///" was prepended to the src value.
going to come up with more tests to narrow this down...
Severity: normal → critical
Comment 6 (Assignee) • 22 years ago
Comment 7 • 22 years ago
more tests...
a. Where the IMG src value is in the format file:///<400_alphanumeric_char>/blah.txt: http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol1.html
b. Where the IMG src value is in the format file:///foopy/<396_alphanumeric_char>.txt: http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol2.html
c. Where the IMG src value is in the format file:///<400_alphanumeric_char>/<396_alphanumeric_char>.txt: http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol3.html
Comment 8 • 22 years ago
none of the three tests in comment 9 crashed chimera (2002.09.05.05) on 10.2.
Comment 9 • 22 years ago
Comment on attachment 97994: immediately rejects paths which are too long
r=sfraser
Attachment #97994 - Flags: review+
Comment 10 • 22 years ago
tested IE: none of the tests (comment 9 or the attachment) caused a crash.
tested OmniWeb: like chimera, the tests in comment 9 are fine, but the test attachment resulted in a crash.
Comment 11 • 22 years ago
clicking on this will cause chimera to crash.
Comment 12 • 22 years ago
similar to attachment 98007, except that the 1024th character has been replaced with / (forward slash). clicking this also crashes chimera.
Comment 13 • 22 years ago
side note: when the path was 1024-1030 char long, i did get a crash.
Comment 14 • 22 years ago
arrgh, typo. s/did/did NOT. 1024-1030 char path would not result in a crash.
Comment 15 (Assignee) • 22 years ago
Fixed - works against the latest two test cases (whew - which were being posted as I was checking in fix)
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
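An added example, not the patch from attachment 97994 or any Mozilla code: one way to reject over-long native paths up front, before they reach an OS call such as ::CFURLGetFSRef. The function names and the limits (1024 bytes per path and 255 per component, the macOS PATH_MAX and NAME_MAX) are assumptions, and the sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits: macOS PATH_MAX (1024, NUL included) and NAME_MAX (255).
   The bug does not say which limits the actual patch enforces. */
#define MAX_PATH_BYTES      1024
#define MAX_COMPONENT_BYTES 255

typedef enum { PATH_OK, PATH_ERR_EMPTY, PATH_ERR_NOT_ABSOLUTE,
               PATH_ERR_TOO_LONG, PATH_ERR_COMPONENT_TOO_LONG } path_status;

/* Hypothetical helper: vet a NUL-terminated native path before any OS call. */
path_status check_native_path(const char *path)
{
    if (path == NULL || path[0] == '\0') return PATH_ERR_EMPTY;
    if (path[0] != '/') return PATH_ERR_NOT_ABSOLUTE;

    size_t total = 0, component = 0;
    for (const char *p = path; *p != '\0'; ++p) {
        /* Stop as soon as path plus NUL cannot fit; never scan a huge input. */
        if (++total >= MAX_PATH_BYTES) return PATH_ERR_TOO_LONG;
        if (*p == '/') component = 0;
        else if (++component > MAX_COMPONENT_BYTES)
            return PATH_ERR_COMPONENT_TOO_LONG;
    }
    return PATH_OK;
}

/* Constructed sample input: "/" + comp_len 'a' bytes, repeated count times. */
path_status check_sample(size_t comp_len, size_t count)
{
    static char buf[8192];
    size_t n = 0;
    for (size_t i = 0; i < count; ++i) {
        if (comp_len > sizeof buf - 2 || n > sizeof buf - 2 - comp_len)
            return PATH_ERR_TOO_LONG;
        buf[n++] = '/';
        memset(buf + n, 'a', comp_len);
        n += comp_len;
    }
    buf[n] = '\0';
    return check_native_path(buf);
}

int main(void)
{
    printf("400-byte component: %d; 4 x 255 bytes: %d\n",
           (int)check_sample(400, 1), (int)check_sample(255, 4));
    return 0;
}
```

The caller returns an error for any status other than PATH_OK, so the path never reaches the native API.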