Closed Bug 29279 Opened 25 years ago Closed 25 years ago

Crash when loading URLs greater than 100 characters

Categories: Core :: Networking, defect, P3; platform x86, OS Other

Status: VERIFIED FIXED

People: Reporter: mscott, Assigned: mscott

Keywords: crash, regression

Attachments: 1 file

In a Mozilla win32 build from this morning, if I try to click on a bookmark for
a bugzilla query I have, I crash with the following stack trace:

nsURLEscape(const char * 0x0484d340, short 256, nsCString & {...}) line 108 + 3 bytes
nsAppendURLEscapedString(nsCString & {...}, const char * 0x0484d340, short 256) line 117 + 18 bytes
nsStdURL::AppendString(nsCString & {...}, char * 0x0484d340, nsStdURL::Format ESCAPED, short 256) line 290 + 18 bytes
nsStdURL::GetPath(nsStdURL * const 0x048db190, char * * 0x0012d690) line 780 + 26 bytes
nsStdURL::GetSpec(nsStdURL * const 0x048db190, char * * 0x0012d76c) line 373 + 16 bytes
LocationImpl::SetHrefWithBase(const nsString & {"http://bugzilla.mozilla.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=mscott%40netscape.com&em"}, nsIURI * 0x04042ed0, int 1) line 377 + 42 bytes
LocationImpl::SetProperty(JSContext * 0x031e5600, JSObject * 0x03749148, long 39200436, long * 0x0012e590) line 812 + 30 bytes
nsJSUtils::nsCallJSScriptObjectSetProperty(nsISupports * 0x0484c8c4, JSContext * 0x031e5600, JSObject * 0x03749148, long 39200436, long * 0x0012e590) line 241 + 27 bytes

nsURLEscape uses a tempBuffer that is 100 bytes long. I'm seeing us access
values well outside of this buffer, i.e. tempBufferPos is a really large number.
Keywords: regression
I believe if (tempBuffer == 96) should be tempBuffer >= 96 in nsURLEscape.

If tempBufferPos was 95 when the three lines above happen, it is 98 when it hits
the if statement.
mkaply is right. Putterman just came by my cube to fix this bug and he did the
same thing on my machine.

I can check this in if someone will give me approval.
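A constructed model of the flush logic discussed above, added here and not the Mozilla nsURLEscape code: a 100-byte staging buffer, a flush check after every append, and an escape that appends three bytes at once. With the original `== 96` predicate a three-byte append can carry the position from 95 to 98 so the flush never fires, while `>= 96` catches it; the model returns -1 where the real code would have written past the buffer. The character classes, output buffer and sample input are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define TEMP_SIZE 100   /* size of tempBuffer in the report */
#define FLUSH_AT  96    /* position at which it is flushed */

static int is_unreserved(unsigned char c) { return isalnum(c) || c == '-' || c == '_' || c == '.'; }

/* Escape src into a static output string through a TEMP_SIZE staging buffer
 * flushed when pos reaches FLUSH_AT (fixed != 0: pos >= FLUSH_AT; fixed == 0:
 * the original pos == FLUSH_AT). Returns the escaped length, or -1 where a
 * write would run past either buffer; that guard stands in for the crash. */
static int url_escape(const char *src, int fixed) {
    static const char hex[] = "0123456789ABCDEF";
    static char out[256];
    char temp[TEMP_SIZE];
    size_t pos = 0, outlen = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        size_t need = is_unreserved(*p) ? 1 : 3;
        if (pos + need > TEMP_SIZE) return -1;   /* tempBuffer overflow */
        if (need == 1) {
            temp[pos++] = (char)*p;
        } else {  /* three bytes land at once, so pos can jump 95 -> 98 */
            temp[pos++] = '%'; temp[pos++] = hex[*p >> 4]; temp[pos++] = hex[*p & 15];
        }
        if (fixed ? pos >= FLUSH_AT : pos == FLUSH_AT) {
            if (outlen + pos >= sizeof out) return -1;
            memcpy(out + outlen, temp, pos);
            outlen += pos; pos = 0;
        }
    }
    if (outlen + pos >= sizeof out) return -1;
    memcpy(out + outlen, temp, pos);
    out[outlen + pos] = '\0';
    return (int)(outlen + pos);
}

/* Constructed input (not from the report): `plain` unreserved characters,
 * then '@' (escaped to the three bytes %40), then "bbb". */
static const char *sample_url(size_t plain) {
    static char buf[128];
    memset(buf, 'a', plain);
    memcpy(buf + plain, "@bbb", 5);
    return buf;
}

int main(void) {
    for (size_t at = 93; at <= 95; at += 2)  /* '@' lands pos exactly on 96, or skips it */
        printf("'@' at %zu: buggy %d, fixed %d\n", at,
               url_escape(sample_url(at), 0), url_escape(sample_url(at), 1));
    return 0;
}
```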
Attached patch: proposed fix
I checked in a fix for this tonight since Warren hasn't had a chance to look at
this yet.
Assignee: warren → mscott
fix checked in.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
*** Bug 29503 has been marked as a duplicate of this bug. ***
Adding crash keyword
Keywords: crash
verified: NT 2000042009
Status: RESOLVED → VERIFIED