Array bounds read in nsBaseURLParser::ParsePath

VERIFIED DUPLICATE of bug 110884

Status

()

--
critical
VERIFIED DUPLICATE of bug 110884
17 years ago
17 years ago

People

(Reporter: stephend, Assigned: darin.moz)

Tracking

Trunk
x86
Windows 2000
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Build ID: Latest Win32 trunk CVS pull, Windows 2000 (Running Purify)

Steps to Reproduce:

1.  mozilla.exe -compose (HTML)
2.  in the addressing widget, type, 'stephend@netscape.com'.
3.  click on the attachment area, and attach a plain text document.
4.  type 'foobar' in the message body.
5.  hit send.
6.  OK the 'no subject' dialog.
7.  exit.

[E] ABR: Array bounds read in nsBaseURLParser::ParsePath(char const*,int,UINT 
*,int *,UINT *,int *,UINT *,int *,UINT *,int *) {1 occurrence}
    Reading 1 byte from 0x094fa13f (1 byte at 0x094fa13f illegal)
    Address 0x094fa13f is 1 byte before the beginning of a 17 byte block at 
0x094fa140
    Address 0x094fa13f points to a malloc'd block in heap 0x02920000
    Thread ID: 0x194
    Error location
    nsBaseURLParser::ParsePath(char const*,int,UINT *,int *,UINT *,int *,UINT 
*,int *,UINT *,int *) [nsURLParsers.cpp:255]
        const char *query_beg = 0, *query_end = 0;
        const char *ref_beg = 0;
        const char *p = 0;
 =>     for (p = path; *p; ++p) {
            // only match the query string if it precedes the reference fragment
            if (!ref_beg && !query_beg && *p == '?')
                query_beg = p + 1;
    nsStandardURL::ParsePath(char const*,UINT,int) [nsStandardURL.cpp:487]
                                         &mFilePath.mPos, &mFilePath.mLen,
                                         &mParam.mPos, &mParam.mLen,
                                         &mQuery.mPos, &mQuery.mLen,
 =>                                      &mRef.mPos, &mRef.mLen);
        if (NS_FAILED(rv)) return rv;
    
        mFilePath.mPos += pathPos;
    nsStandardURL::SetPath(char const*) [nsStandardURL.cpp:1027]
            }
    
            // and finally, parse the new path
 =>         ParsePath(mSpec.get(), mPath.mPos, -1);
        }
        else if (mPath.mLen > 1) {
            mSpec.Cut(mPath.mPos + 1, mPath.mLen - 1);
    nsStandardURL::SetFileName(char const*) [nsStandardURL.cpp:1400]
        LOG(("nsStandardURL::SetFileName [filename=%s]\n", filename));
    
        if (mPath.mLen < 0)
 =>         return SetPath(filename);
    
        if (!(filename && *filename)) {
            // remove the filename
    nsMsgComposeAndSend::AddCompFieldLocalAttachments(void) [nsMsgSend.cpp:2128]
                if (fileUrl)
                {
                  //First try using the real file name
 =>               rv = fileUrl->SetFileName(m_attachments[newLoc].m_real_name);
                  if (NS_SUCCEEDED(rv))
                  {
                    rv = fileUrl->GetFileExtension(getter_Copies(fileExt));
    nsMsgComposeAndSend::HackAttachments(nsMsgAttachmentData 
const*,nsMsgAttachedFile const*) [nsMsgSend.cpp:2342]
    
      //
      // First, we need to attach the files that are defined in the comp 
fields...
 =>   if (NS_FAILED(AddCompFieldLocalAttachments()))
        return NS_ERROR_INVALID_ARG;
    
      // Now handle the preloaded attachments...
    nsMsgComposeAndSend::Init(nsIMsgIdentity *,nsMsgCompFields *,nsFileSpec 
*,int,int,int,nsIMsgDBHdr *,char const*,char const*,UINT,nsMsgAttachmentData 
const*,nsMsgAttachedFile const*,char const*) [nsMsgSend.cpp:2949]
    
      mSmtpPassword = password;
    
 =>   return HackAttachments(attachments, preloaded_attachments);
    }
    
    nsresult
    nsMsgComposeAndSend::CreateAndSendMessage(nsIEditorShell *,nsIMsgIdentity 
*,nsIMsgCompFields *,int,int,int,nsIMsgDBHdr *,char const*,char 
const*,UINT,nsMsgAttachmentData const*,nsMsgAttachedFile const*,void 
*,nsIDOMWindowInternal *,nsIMsgProgress *,nsIMs [nsMsgSend.cpp:3699]
              attachment1 [details] [diff] [review]_type, attachment1 [details] [diff] [review]_body,
              attachment1 [details] [diff] [review]_body_length,
              attachments, preloaded_attachments,
 =>           password);
    
      if (NS_FAILED(rv) && mSendReport)
        mSendReport->SetError(nsIMsgSendReport::process_Current, rv, PR_FALSE);
    nsMsgCompose::_SendMsg(int,nsIMsgIdentity *,int) [nsMsgCompose.cpp:874]
                        m_window,                           // 
nsIDOMWindowInternal              *parentWindow;
                        mProgress,                          // 
nsIMsgProgress                    *progress,
                        sendListener,                       // listener
 =>                     mSmtpPassword.get());
    
          // Cleanup converted body...
          if (newBody)
    nsMsgCompose::SendMsg(int,nsIMsgIdentity *,nsIMsgProgress *) 
[nsMsgCompose.cpp:980]
        mProgress->OnStateChange(nsnull, nsnull, 
nsIWebProgressListener::STATE_START, 0);
      }
    
 =>   rv = _SendMsg(deliverMode, identity, entityConversionDone);
      if (NS_FAILED(rv))
      {
        nsCOMPtr<nsIMsgSendReport> sendReport;
    Allocation location
    malloc         [msvcrt.DLL]
    PR_Malloc      [prmem.c:50]
    nsMemory::Alloc(UINT) [nsMemoryImpl.cpp:556]
        if (gMemory == nsnull) {
            EnsureGlobalMemoryService();
        }
 =>     return gMemory->Alloc(size);
    }
    
    NS_EXPORT void*
    nsStr::EnsureCapacity(nsStr&,UINT) [nsStr.cpp:117]
    PRBool nsStr::EnsureCapacity(nsStr& aString,PRUint32 aNewLength) {
      PRBool result=PR_TRUE;
      if(aNewLength>aString.mCapacity) {
 =>     result=Realloc(aString,aNewLength);
        if(aString.mStr)
          AddNullTerminator(aString);
      }
    nsCString::SetCapacity(UINT) [nsString.cpp:200]
        if ( aNewCapacity )
          {
            if( aNewCapacity > mCapacity )
 =>           GrowCapacity(*this,aNewCapacity);
            AddNullTerminator(*this);
          }
        else
    nsACString::do_AppendFromElementPtr(char const*) [nsAString.cpp:887]
    void
    nsACString::do_AppendFromElementPtr( const char_type* aPtr )
      {
 =>     do_AppendFromReadable(nsDependentCString(aPtr));
      }
    
    void
    nsStandardURL::SetPath(char const*) [nsStandardURL.cpp:1023]
                    mSpec.Append('/');
                    mPath.mLen++;
                }
 =>             mSpec.Append(path);
            }
    
            // and finally, parse the new path
    nsStandardURL::SetFileName(char const*) [nsStandardURL.cpp:1400]
        LOG(("nsStandardURL::SetFileName [filename=%s]\n", filename));
    
        if (mPath.mLen < 0)
 =>         return SetPath(filename);
    
        if (!(filename && *filename)) {
            // remove the filename
    nsMsgComposeAndSend::AddCompFieldLocalAttachments(void) [nsMsgSend.cpp:2128]
                if (fileUrl)
                {
                  //First try using the real file name
 =>               rv = fileUrl->SetFileName(m_attachments[newLoc].m_real_name);
                  if (NS_SUCCEEDED(rv))
                  {
                    rv = fileUrl->GetFileExtension(getter_Copies(fileExt));
    nsMsgComposeAndSend::HackAttachments(nsMsgAttachmentData 
const*,nsMsgAttachedFile const*) [nsMsgSend.cpp:2342]
    
      //
      // First, we need to attach the files that are defined in the comp 
fields...
 =>   if (NS_FAILED(AddCompFieldLocalAttachments()))
        return NS_ERROR_INVALID_ARG;
    
      // Now handle the preloaded attachments...
    nsMsgComposeAndSend::Init(nsIMsgIdentity *,nsMsgCompFields *,nsFileSpec 
*,int,int,int,nsIMsgDBHdr *,char const*,char const*,UINT,nsMsgAttachmentData 
const*,nsMsgAttachedFile const*,char const*) [nsMsgSend.cpp:2949]
    
      mSmtpPassword = password;
    
 =>   return HackAttachments(attachments, preloaded_attachments);
    }
    
    nsresult
    nsMsgComposeAndSend::CreateAndSendMessage(nsIEditorShell *,nsIMsgIdentity 
*,nsIMsgCompFields *,int,int,int,nsIMsgDBHdr *,char const*,char 
const*,UINT,nsMsgAttachmentData const*,nsMsgAttachedFile const*,void 
*,nsIDOMWindowInternal *,nsIMsgProgress *,nsIMs [nsMsgSend.cpp:3699]
              attachment1 [details] [diff] [review]_type, attachment1 [details] [diff] [review]_body,
              attachment1 [details] [diff] [review]_body_length,
              attachments, preloaded_attachments,
     =>           password);
        
          if (NS_FAILED(rv) && mSendReport)
            mSendReport->SetError(nsIMsgSendReport::process_Current, rv, 
PR_FALSE);
    nsMsgCompose::_SendMsg(int,nsIMsgIdentity *,int) [nsMsgCompose.cpp:874]
                            m_window,                           // 
nsIDOMWindowInternal              *parentWindow;
                            mProgress,                          // 
nsIMsgProgress                    *progress,
                            sendListener,                       // listener
     =>                     mSmtpPassword.get());
        
              // Cleanup converted body...
              if (newBody)
    nsMsgCompose::SendMsg(int,nsIMsgIdentity *,nsIMsgProgress *) 
[nsMsgCompose.cpp:980]
            mProgress->OnStateChange(nsnull, nsnull, 
nsIWebProgressListener::STATE_START, 0);
          }
        
     =>   rv = _SendMsg(deliverMode, identity, entityConversionDone);
          if (NS_FAILED(rv))
          {
            nsCOMPtr<nsIMsgSendReport> sendReport;
    XPTC_InvokeByIndex [xptcinvoke.cpp:152]
    XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative) 
[xpcwrappednative.cpp:2009]
    XPC_WN_CallMethod(JSContext *,JSObject *,UINT,long *,long *) 
[xpcwrappednativejsops.cpp:1266]
    js_Invoke      [jsinterp.c:832]
    js_Interpret   [jsinterp.c:2791]
    js_Invoke      [jsinterp.c:849]
Keywords: mailtrack, nsbeta1

Comment 1

17 years ago
I think this is darin's, and probably a dup of an existing bug.
I searched for it in bugzilla by stack, maybe an existing bug just doesn't have 
the right summary.

Comment 3

17 years ago
darin
Assignee: neeti → darin
(Assignee)

Comment 4

17 years ago

*** This bug has been marked as a duplicate of 110884 ***
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
good gravy, I filed this twice.  sorry Darin!  too many abrs, umrs, and leaks!
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.