Closed Bug 166835 Opened 22 years ago Closed 22 years ago

10.2: InitWithNativePath crashes when given a path with an extremely long component

Categories

(Core :: XPCOM, defect)

PowerPC
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: ccarlen, Assigned: ccarlen)

Details

(Keywords: crash)

Attachments

(4 files)

Bug 160006 and bug 159987 are both manifestations of this problem - combining
into this bug.
*** Bug 160006 has been marked as a duplicate of this bug. ***
*** Bug 159987 has been marked as a duplicate of this bug. ***
Other test case: http://hopey.mcom.com/tests/security/buffer-overflow/a-value.html

For both, the file must be saved locally to see the crash.
This is happening only on 10.2 with the nsLocalFile impl used by Chimera.
The crash happens because ::CFURLGetFSRef crashes when fed such a path - new bug
in 10.2.
Status: NEW → ASSIGNED
thanks to sfraser for the testcase.
all you need to do to crash is click the link to attachment 97983 -- you don't
even have to download it locally. the change here is that "file:///" was
prepended to the src value.

going to come up with more tests to narrow this down...
Severity: normal → critical
more tests...

a. Where the IMG src value is in the format
file:///<400_alphanumeric_char>/blah.txt:
http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol1.html

b. Where the IMG src value is in the format
file:///foopy/<396_alphanumeric_char>.txt:
http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol2.html

c. Where the IMG src value is in the format
file:///<400_alphanumeric_char>/<396_alphanumeric_char>.txt:
http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol3.html
none of the three tests in comment 9 crashed chimera (2002.09.05.05) on 10.2.
Comment on attachment 97994
immediately rejects paths which are too long

r=sfraser
Attachment #97994 - Flags: review+
tested IE: none of the tests (comment 9 or the attachment) caused a crash.

tested OmniWeb: like chimera, the tests in comment 9 are fine, but the test
attachment resulted in a crash.
clicking on this will cause chimera to crash.
similar to attachment 98007, except that the 1024th character has been replaced
with / (forward slash). clicking this also crashes chimera.
side note: when the path was 1024-1030 char long, i did get a crash.
arrgh, typo. s/did/did NOT. 1024-1030 char path would not result in a crash.
Fixed - works against the latest two test cases (whew - which were being posted
as I was checking in fix)
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
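
An up-front length check of the kind the reviewed attachment's title describes, as an added example that is not the patch from this bug or Mozilla's code. The function names, status codes and the 1024/255-byte limits are assumptions chosen for illustration; the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration only; the bug does not state the real ones. */
#define MAX_PATH_LEN      1024  /* bytes, excluding the terminating NUL */
#define MAX_COMPONENT_LEN 255   /* bytes between two '/' separators */

typedef enum { PATH_OK, PATH_ERR_NULL, PATH_ERR_TOO_LONG,
               PATH_ERR_COMPONENT_TOO_LONG } path_status;

/* Reject an over-long path before any platform API sees it. The scan is
 * bounded: it reads at most MAX_PATH_LEN + 1 bytes of the input. */
path_status check_native_path(const char *path)
{
    if (path == NULL)
        return PATH_ERR_NULL;
    size_t run = 0;                       /* length of the current component */
    for (size_t i = 0; path[i] != '\0'; i++) {
        if (i >= MAX_PATH_LEN)
            return PATH_ERR_TOO_LONG;
        if (path[i] == '/')
            run = 0;
        else if (++run > MAX_COMPONENT_LEN)
            return PATH_ERR_COMPONENT_TOO_LONG;
    }
    return PATH_OK;
}

/* Build a constructed input of n components, each comp_len 'a' bytes, and check it. */
path_status check_constructed(size_t comp_len, size_t n)
{
    static char buf[8192];
    size_t pos = 0;
    for (size_t c = 0; c < n && pos + comp_len + 2 <= sizeof buf; c++) {
        buf[pos++] = '/';
        memset(buf + pos, 'a', comp_len);
        pos += comp_len;
    }
    buf[pos] = '\0';
    return check_native_path(buf);
}

int main(void)
{
    printf("400-byte component: %d\n", check_constructed(400, 1));
    printf("11 x 100 bytes:     %d\n", check_constructed(100, 11));
    printf("short path:         %d\n", check_native_path("/foopy/blah.txt"));
    return 0;
}
```

A caller would run this check first and return an error to its own caller on any non-zero status, so the platform call never receives the oversized string.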