Crashing from parser in call to Append

VERIFIED FIXED

Status


defect
P3
critical
VERIFIED FIXED
20 years ago
20 years ago

People

(Reporter: bratell, Assigned: rickg)

Tracking

Trunk
x86
Windows NT

Firefox Tracking Flags

(Not tracked)

Details


Overview Description:
When trying to surf the web with a home-built mozilla from 18 July 1999 I
consistently crash with the stack shown below. It happens within the first 2-3
visited pages. The actual error is accessing the wrong memory. I first mentioned
this in bug 10075 but I think it can be different from that one, so I open a new
one.

As I mention there I find it most interesting that the last function in the
stack, nsCRT::strlen, is called with an argument of 0x00e01000 and the next to
last, nsString::Append, is called with 0x00e00808. If I read the code correctly
the two should be the same. I hope that it isn't a race condition of some kind
knowing how hard they can be to find and reproduce.

Since the call to the nsString class comes from the Parser I mark the bug as
such, but I really don't know.

Steps to Reproduce:
1) Start apprunner.exe
2) Visit a page or two

Actual Results:
A crash with the following stack trace. It's accessing the variable s that
triggers the exception.

nsCRT::strlen(const unsigned short * 0x00e01000) line 261 + 5 bytes
nsString::Append(const unsigned short * 0x00e00808, int 999) line 1017 + 9 bytes
nsScanner::Append(const char * 0x00e88298, unsigned int 999) line 256
nsParser::OnDataAvailable(nsParser * const 0x0217a9a4, nsIURI * 0x02111290, nsIInputStream * 0x02190f70, unsigned int 999) line 1142
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x02111310, nsIURI * 0x02111290, nsIInputStream * 0x02190f70, unsigned int 999) line 2023 + 24 bytes
OnDataAvailableProxyEvent::HandleEvent(OnDataAvailableProxyEvent * const 0x02193b10) line 634
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x02193b14) line 473 + 12 bytes
PL_HandleEvent(PLEvent * 0x02193b14) line 509 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00cc9450) line 470 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00240e32, unsigned int 49481, unsigned int 0, long 13407312) line 932 + 9 bytes
USER32! 77e71820()
00cc9450()

Expected Results:
Nothing special

Build Date & Platform Bug Found:

18 July 1999, Windows NT 4.0 SP5
Built with Visual C++ 6 SP3.

Additional Builds and Platforms Tested On:
None
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Fixed by last update to nsString. Allow non-null terminated string in cases
where length is given.
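As an added illustration of the defect the fix comment describes (reconstructed for this page, not nsString's actual code), the C++ below places an append that discards the supplied length and scans for a terminator beside one that honours the length. The type names, the Widen helper and the filler units standing in for neighbouring memory are all constructed assumptions of the example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

typedef char16_t PRUnichar;   // stand-in for the 16-bit unit type in the trace

// Scan for a terminating 0, the behaviour the report attributes to nsCRT::strlen.
// Given a buffer with no 0 inside its meaningful range, it reads beyond it.
static size_t UnitLen(const PRUnichar* s) {
    size_t n = 0;
    while (s[n] != 0) ++n;
    return n;
}

// Reconstruction of the defect: a length is supplied, but the append still
// derives the unit count from the terminator, so the scan runs past the data.
std::u16string AppendIgnoringLength(std::u16string dest, const PRUnichar* src, int aLength) {
    (void)aLength;                      // supplied length is discarded
    dest.append(src, UnitLen(src));     // over-reads unless src happens to be 0-terminated
    return dest;
}

// The behaviour the fix comment describes: a given length is trusted, so the
// source need not be 0-terminated. A negative length means "terminated" (assumed convention).
std::u16string AppendWithLength(std::u16string dest, const PRUnichar* src, int aLength) {
    size_t n = aLength < 0 ? UnitLen(src) : static_cast<size_t>(aLength);
    dest.append(src, n);
    return dest;
}

// Mimics the nsScanner::Append(const char*, unsigned) step in the trace: widen
// 8-bit input into exactly aLength units with no terminator. Seven units of
// non-zero filler followed by a 0 simulate adjacent memory so the demo stays in bounds.
std::vector<PRUnichar> Widen(const char* bytes, unsigned aLength) {
    std::vector<PRUnichar> units;
    for (unsigned i = 0; i < aLength; ++i)
        units.push_back(static_cast<unsigned char>(bytes[i]));
    for (int i = 0; i < 7; ++i) units.push_back(u'#');   // constructed "neighbouring" memory
    units.push_back(0);
    return units;
}

// How many units each variant appends when handed aLength units of widened input.
size_t AppendedUnits(bool fixed, const char* bytes, unsigned aLength) {
    std::vector<PRUnichar> chunk = Widen(bytes, aLength);
    std::u16string s = fixed ? AppendWithLength(u"", chunk.data(), static_cast<int>(aLength))
                             : AppendIgnoringLength(u"", chunk.data(), static_cast<int>(aLength));
    return s.size();
}
```

The buggy variant picks up the filler units beyond the caller's data; in the real crash there was no terminator or mapped memory to stop the scan, which is why nsCRT::strlen faulted at a page boundary rather than returning.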
Status: RESOLVED → VERIFIED
I can verify that it works now.