Closed Bug 111837 Opened 23 years ago Closed 23 years ago

Array bounds read in nsBaseURLParser::ParsePath

Categories

(Core :: Networking, defect)

x86
Windows 2000
defect
Not set
critical

VERIFIED DUPLICATE of bug 110884

People

(Reporter: stephend, Assigned: darin.moz)

Details

Build ID: Latest Win32 trunk CVS pull, Windows 2000 (Running Purify)

Steps to Reproduce:

1.  mozilla.exe -compose (HTML)
2.  in the addressing widget, type, 'stephend@netscape.com'.
3.  click on the attachment area, and attach a plain text document.
4.  type 'foobar' in the message body.
5.  hit send.
6.  OK the 'no subject' dialog.
7.  exit.

[E] ABR: Array bounds read in nsBaseURLParser::ParsePath(char const*,int,UINT 
*,int *,UINT *,int *,UINT *,int *,UINT *,int *) {1 occurrence}
    Reading 1 byte from 0x094fa13f (1 byte at 0x094fa13f illegal)
    Address 0x094fa13f is 1 byte before the beginning of a 17 byte block at 
0x094fa140
    Address 0x094fa13f points to a malloc'd block in heap 0x02920000
    Thread ID: 0x194
    Error location
    nsBaseURLParser::ParsePath(char const*,int,UINT *,int *,UINT *,int *,UINT 
*,int *,UINT *,int *) [nsURLParsers.cpp:255]
        const char *query_beg = 0, *query_end = 0;
        const char *ref_beg = 0;
        const char *p = 0;
 =>     for (p = path; *p; ++p) {
            // only match the query string if it precedes the reference fragment
            if (!ref_beg && !query_beg && *p == '?')
                query_beg = p + 1;
    nsStandardURL::ParsePath(char const*,UINT,int) [nsStandardURL.cpp:487]
                                         &mFilePath.mPos, &mFilePath.mLen,
                                         &mParam.mPos, &mParam.mLen,
                                         &mQuery.mPos, &mQuery.mLen,
 =>                                      &mRef.mPos, &mRef.mLen);
        if (NS_FAILED(rv)) return rv;
    
        mFilePath.mPos += pathPos;
    nsStandardURL::SetPath(char const*) [nsStandardURL.cpp:1027]
            }
    
            // and finally, parse the new path
 =>         ParsePath(mSpec.get(), mPath.mPos, -1);
        }
        else if (mPath.mLen > 1) {
            mSpec.Cut(mPath.mPos + 1, mPath.mLen - 1);
    nsStandardURL::SetFileName(char const*) [nsStandardURL.cpp:1400]
        LOG(("nsStandardURL::SetFileName [filename=%s]\n", filename));
    
        if (mPath.mLen < 0)
 =>         return SetPath(filename);
    
        if (!(filename && *filename)) {
            // remove the filename
    nsMsgComposeAndSend::AddCompFieldLocalAttachments(void) [nsMsgSend.cpp:2128]
                if (fileUrl)
                {
                  //First try using the real file name
 =>               rv = fileUrl->SetFileName(m_attachments[newLoc].m_real_name);
                  if (NS_SUCCEEDED(rv))
                  {
                    rv = fileUrl->GetFileExtension(getter_Copies(fileExt));
    nsMsgComposeAndSend::HackAttachments(nsMsgAttachmentData 
const*,nsMsgAttachedFile const*) [nsMsgSend.cpp:2342]
    
      //
      // First, we need to attach the files that are defined in the comp 
fields...
 =>   if (NS_FAILED(AddCompFieldLocalAttachments()))
        return NS_ERROR_INVALID_ARG;
    
      // Now handle the preloaded attachments...
    nsMsgComposeAndSend::Init(nsIMsgIdentity *,nsMsgCompFields *,nsFileSpec 
*,int,int,int,nsIMsgDBHdr *,char const*,char const*,UINT,nsMsgAttachmentData 
const*,nsMsgAttachedFile const*,char const*) [nsMsgSend.cpp:2949]
    
      mSmtpPassword = password;
    
 =>   return HackAttachments(attachments, preloaded_attachments);
    }
    
    nsresult
    nsMsgComposeAndSend::CreateAndSendMessage(nsIEditorShell *,nsIMsgIdentity 
*,nsIMsgCompFields *,int,int,int,nsIMsgDBHdr *,char const*,char 
const*,UINT,nsMsgAttachmentData const*,nsMsgAttachedFile const*,void 
*,nsIDOMWindowInternal *,nsIMsgProgress *,nsIMs [nsMsgSend.cpp:3699]
              attachment1_type, attachment1_body,
              attachment1_body_length,
              attachments, preloaded_attachments,
 =>           password);
    
      if (NS_FAILED(rv) && mSendReport)
        mSendReport->SetError(nsIMsgSendReport::process_Current, rv, PR_FALSE);
    nsMsgCompose::_SendMsg(int,nsIMsgIdentity *,int) [nsMsgCompose.cpp:874]
                        m_window,                           // 
nsIDOMWindowInternal              *parentWindow;
                        mProgress,                          // 
nsIMsgProgress                    *progress,
                        sendListener,                       // listener
 =>                     mSmtpPassword.get());
    
          // Cleanup converted body...
          if (newBody)
    nsMsgCompose::SendMsg(int,nsIMsgIdentity *,nsIMsgProgress *) 
[nsMsgCompose.cpp:980]
        mProgress->OnStateChange(nsnull, nsnull, 
nsIWebProgressListener::STATE_START, 0);
      }
    
 =>   rv = _SendMsg(deliverMode, identity, entityConversionDone);
      if (NS_FAILED(rv))
      {
        nsCOMPtr<nsIMsgSendReport> sendReport;
    Allocation location
    malloc         [msvcrt.DLL]
    PR_Malloc      [prmem.c:50]
    nsMemory::Alloc(UINT) [nsMemoryImpl.cpp:556]
        if (gMemory == nsnull) {
            EnsureGlobalMemoryService();
        }
 =>     return gMemory->Alloc(size);
    }
    
    NS_EXPORT void*
    nsStr::EnsureCapacity(nsStr&,UINT) [nsStr.cpp:117]
    PRBool nsStr::EnsureCapacity(nsStr& aString,PRUint32 aNewLength) {
      PRBool result=PR_TRUE;
      if(aNewLength>aString.mCapacity) {
 =>     result=Realloc(aString,aNewLength);
        if(aString.mStr)
          AddNullTerminator(aString);
      }
    nsCString::SetCapacity(UINT) [nsString.cpp:200]
        if ( aNewCapacity )
          {
            if( aNewCapacity > mCapacity )
 =>           GrowCapacity(*this,aNewCapacity);
            AddNullTerminator(*this);
          }
        else
    nsACString::do_AppendFromElementPtr(char const*) [nsAString.cpp:887]
    void
    nsACString::do_AppendFromElementPtr( const char_type* aPtr )
      {
 =>     do_AppendFromReadable(nsDependentCString(aPtr));
      }
    
    void
    nsStandardURL::SetPath(char const*) [nsStandardURL.cpp:1023]
                    mSpec.Append('/');
                    mPath.mLen++;
                }
 =>             mSpec.Append(path);
            }
    
            // and finally, parse the new path
    nsStandardURL::SetFileName(char const*) [nsStandardURL.cpp:1400]
        LOG(("nsStandardURL::SetFileName [filename=%s]\n", filename));
    
        if (mPath.mLen < 0)
 =>         return SetPath(filename);
    
        if (!(filename && *filename)) {
            // remove the filename
    nsMsgComposeAndSend::AddCompFieldLocalAttachments(void) [nsMsgSend.cpp:2128]
                if (fileUrl)
                {
                  //First try using the real file name
 =>               rv = fileUrl->SetFileName(m_attachments[newLoc].m_real_name);
                  if (NS_SUCCEEDED(rv))
                  {
                    rv = fileUrl->GetFileExtension(getter_Copies(fileExt));
    nsMsgComposeAndSend::HackAttachments(nsMsgAttachmentData 
const*,nsMsgAttachedFile const*) [nsMsgSend.cpp:2342]
    
      //
      // First, we need to attach the files that are defined in the comp 
fields...
 =>   if (NS_FAILED(AddCompFieldLocalAttachments()))
        return NS_ERROR_INVALID_ARG;
    
      // Now handle the preloaded attachments...
    nsMsgComposeAndSend::Init(nsIMsgIdentity *,nsMsgCompFields *,nsFileSpec 
*,int,int,int,nsIMsgDBHdr *,char const*,char const*,UINT,nsMsgAttachmentData 
const*,nsMsgAttachedFile const*,char const*) [nsMsgSend.cpp:2949]
    
      mSmtpPassword = password;
    
 =>   return HackAttachments(attachments, preloaded_attachments);
    }
    
    nsresult
    nsMsgComposeAndSend::CreateAndSendMessage(nsIEditorShell *,nsIMsgIdentity 
*,nsIMsgCompFields *,int,int,int,nsIMsgDBHdr *,char const*,char 
const*,UINT,nsMsgAttachmentData const*,nsMsgAttachedFile const*,void 
*,nsIDOMWindowInternal *,nsIMsgProgress *,nsIMs [nsMsgSend.cpp:3699]
              attachment1_type, attachment1_body,
              attachment1_body_length,
              attachments, preloaded_attachments,
     =>           password);
        
          if (NS_FAILED(rv) && mSendReport)
            mSendReport->SetError(nsIMsgSendReport::process_Current, rv, 
PR_FALSE);
    nsMsgCompose::_SendMsg(int,nsIMsgIdentity *,int) [nsMsgCompose.cpp:874]
                            m_window,                           // 
nsIDOMWindowInternal              *parentWindow;
                            mProgress,                          // 
nsIMsgProgress                    *progress,
                            sendListener,                       // listener
     =>                     mSmtpPassword.get());
        
              // Cleanup converted body...
              if (newBody)
    nsMsgCompose::SendMsg(int,nsIMsgIdentity *,nsIMsgProgress *) 
[nsMsgCompose.cpp:980]
            mProgress->OnStateChange(nsnull, nsnull, 
nsIWebProgressListener::STATE_START, 0);
          }
        
     =>   rv = _SendMsg(deliverMode, identity, entityConversionDone);
          if (NS_FAILED(rv))
          {
            nsCOMPtr<nsIMsgSendReport> sendReport;
    XPTC_InvokeByIndex [xptcinvoke.cpp:152]
    XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative) 
[xpcwrappednative.cpp:2009]
    XPC_WN_CallMethod(JSContext *,JSObject *,UINT,long *,long *) 
[xpcwrappednativejsops.cpp:1266]
    js_Invoke      [jsinterp.c:832]
    js_Interpret   [jsinterp.c:2791]
    js_Invoke      [jsinterp.c:849]
I think this is darin's, and probably a dup of an existing bug.
I searched Bugzilla for it by stack; maybe an existing bug just doesn't have 
the right summary.
darin
Assignee: neeti → darin

*** This bug has been marked as a duplicate of 110884 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Good gravy, I filed this twice. Sorry, Darin! Too many ABRs, UMRs, and leaks!
Status: RESOLVED → VERIFIED