24975 - stack corrupter in nsWindow.cpp

Status: VERIFIED FIXED

(Core :: XUL, defect, P3)

Description

[Colin Blake]

Frank,

Your Jan 9 checkin to widget/src/gtk/nsWindow.cpp introduced a stack corruptor 
bug (this is rev 1.225). In the new hunk of code that was added:
  - titleStr is declared as 256 bytes 
  - then destLen is set to 256 
  - then titleStr[destLen] to set to zero.

This is setting the 257'th byte to zero, ie. you writing beyond the end of the 
allocated buffer, and thus corrupting whatever happens to be on the stack.

I have no idea why other platforms aren't seeing it, as it was preventing 
Mozilla from starting up on OpenVMS. I guess they just got lucky!

Colin.

Comment 1

[Frank Tang]

you are right, that line of code is a bad left over of a copy and paste. It 
should be remove . I will check in when the tree is open. In the mean time, 
please remove that line in your local build.

Comment 2

[Frank Tang]

Here is the patch- 
Index: nsWindow.cpp
===================================================================
RCS file: /m/pub/mozilla/widget/src/gtk/nsWindow.cpp,v
retrieving revision 1.231
diff -c -r1.231 nsWindow.cpp
*** nsWindow.cpp        2000/01/21 21:55:42     1.231
--- nsWindow.cpp        2000/01/26 03:15:49
***************
*** 1893,1905 ****
      titleStr[0] = 0;
      PRInt32 srcLen = aTitle.Length() + 1;
      PRInt32 destLen = sizeof(titleStr);
-     titleStr[destLen] = 0;
      result = converter->Convert(aTitle.GetUnicode(), &srcLen, titleStr,
        &destLen);
      NS_ASSERTION(NS_SUCCEEDED(result), "cannot convert title string");
      if (titleStr[0] && NS_SUCCEEDED(result)) {
        titleStr[destLen] = 0;
- printf("title string = [%s]\n", titleStr);
        gtk_window_set_title(GTK_WINDOW(mShell), titleStr);
        return NS_OK;
      }
--- 1893,1903 ----                                          
i18ngrp, can someone review it and give me a ok ?

Comment 3

[Frank Tang]

fix and check in with other gtk changes (accent key bugs)

Comment 4

[Paul MacQuiddy]

verified