Closed
Bug 10204
Opened 25 years ago
Closed 25 years ago
Crash in RDFContentSinkImpl::FlushText from unterminated PRUnichar*
Categories
(Core Graveyard :: RDF, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
M9
People
(Reporter: kherron+mozilla, Assigned: waterson)
Details
Apprunner is segfaulting during startup before any window appears:
#0 0x401b133a in nsCRT::strlen (s=0x8275002) at
../../../mozilla/xpcom/ds/nsCRT.cpp:261
#1 0x401c0792 in nsString::Append (this=0xbfffebfc, aString=0x8271008,
aCount=37)
at ../../../mozilla/xpcom/ds/nsString2.cpp:1017
#2 0x40a4984a in RDFContentSinkImpl::FlushText (this=0x821a208,
aCreateTextNode=1,
aDidFlush=0x0) at ../../../../mozilla/rdf/base/src/nsRDFContentSink.cpp:826
#3 0x40a48bdc in RDFContentSinkImpl::CloseContainer (this=0x821a208,
aNode=@0xbfffed68)
at ../../../../mozilla/rdf/base/src/nsRDFContentSink.cpp:536
#4 0x402f6cee in CWellFormedDTD::HandleToken (this=0x8267b48, aToken=0x826f708,
aParser=0x8240008) at
../../../mozilla/htmlparser/src/nsWellFormedDTD.cpp:523
#5 0x402f6220 in CWellFormedDTD::BuildModel (this=0x8267b48, aParser=0x8240008,
aTokenizer=0x826aa88, anObserver=0x0, aSink=0x821a208)
at ../../../mozilla/htmlparser/src/nsWellFormedDTD.cpp:252
#6 0x402ee9fc in nsParser::BuildModel (this=0x8240008)
at ../../../mozilla/htmlparser/src/nsParser.cpp:932
#7 0x402ee8c6 in nsParser::ResumeParse (this=0x8240008, aDefaultDTD=0x0,
aIsFinalChunk=0) at ../../../mozilla/htmlparser/src/nsParser.cpp:879
[etc.]
Going up to level 2 and examining the prunichar* that is being passed to
nsString::Append, it's not NUL-terminated:
(gdb) up 2
#2 0x40a4984a in RDFContentSinkImpl::FlushText (this=0x821a208,
aCreateTextNode=1,
aDidFlush=0x0) at ../../../../mozilla/rdf/base/src/nsRDFContentSink.cpp:826
826 value.Append(mText, mTextLength);
(gdb) p mTextLength
$1 = 37
(gdb) p mText[35]
$2 = 116
(gdb) p mText[36]
$3 = 47
(gdb) p mText[37]
$4 = 50629
(gdb)
$5 = 50629
(gdb) down 2
#0 0x401b133a in nsCRT::strlen (s=0x8275002) at
../../../mozilla/xpcom/ds/nsCRT.cpp:261
261 while (*s++ != 0) {
(gdb) p len
$6 = 8188
(gdb)
This caused nsCRT::strlen to go beyond the end of valid memory trying to find
the length of the string.
I reported this before (bug 10075) but it was handled as a bug in
nsString::Append. Rickg's position is that nsString::Append is correct, and
callers should be NUL-terminating strings passed to it.
|
Assignee | |
Comment 1•25 years ago
|
||
Yep, this was caused by rickg's stealth-change to the nsString::Append API. My belief is that nsString2::Append() _should_ pay attention to the length field (a la strncat()), we can hash this out on this thread: news://news.mozilla.org/3794AAB8.558D40F6%40netscape.com
|
|
Assignee | |
Updated•25 years ago
|
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 2•25 years ago
|
||
Okay, I'll just shut up: rickg fixed this this morning.
verified on
1999-07-26-14 RedHat Linux 5.2 (GNOME/enlightenment)
1999-07-26-08 WinNT 4.0 sp4
1999-07-26-08 MacOS 8.51Status: RESOLVED → VERIFIED
|
||
Updated•6 years ago
|
Product: Core → Core Graveyard
| Comment hidden (collapsed) |
You need to log in
before you can comment on or make changes to this bug.
Description
•