Closed
Bug 121521
Opened 23 years ago
Closed 23 years ago
ABR doing 'File->Open...' to open a file from disk
Categories
(Core :: Networking: File, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla0.9.9
People
(Reporter: jrgmorrison, Assigned: darin.moz)
Details
Attachments
(2 files)
|
3.26 KB,
text/plain
|
Details | |
|
1.62 KB,
patch
|
jrgmorrison
:
review+
mscott
:
superreview+
|
Details | Diff | Splinter Review |
ABR doing 'File->Open...' to open a file from disk
Steps to Reproduce:
1) Start Mozilla and do 'File->Open...'
2) When the native win32 filepicker comes up, select a disk file
(text or html; doesn't matter) and click on 'Open' button
Actual Results:
[E] ABR: Array bounds read in memchr {1 occurrences}
See attached Purify details
|
Reporter | |
Comment 1•23 years ago
|
||
|
Assignee | |
Comment 2•23 years ago
|
||
this is a crash waiting to happen... jrgm: thx for locating this one.
Severity: normal → major
Status: NEW → ASSIGNED
Keywords: crash
Priority: -- → P2
Target Milestone: --- → mozilla0.9.9
|
||
Comment 3•23 years ago
|
||
Enlighten me please, first time I see a purify log. I don't get it, why do we
reach the array bounds in memchr?
|
|
Assignee | |
Comment 4•23 years ago
|
||
it must be the case that we are dereferencing memory that we do not own. one of
the parameters to memchr must be invalid.
|
|
Reporter | |
Comment 5•23 years ago
|
||
I put |printf("specLen: %d,\tspec: '%s'\n", specLen, spec);| in just before
the memchr. When I hit the "Open" button, all I see is (for 'H:\foo.txt'):
specLen: 12, spec: '//H:/foo.txt'
specLen: 2, spec: '//'
|
|
Reporter | |
Comment 6•23 years ago
|
||
Yawn. This happens when spec is '//' and specLen is 2. Essentially, Purify
is whining about this
const char *p = (const char *) memchr(ptr, '/', 0);
if ptr is '.get()' from a nsCAutoString. i.e., it's confused by the string-fu,
But it doesn't seem to be a real error. 'memchr' returns NULL anyways and the
use of p is nullchecked in the rest of the scope.
So, unless one of you has a concern about why we are parsing '//' for
additional parts, then you can just mark this INVALID, I suppose.
|
|
Assignee | |
Comment 7•23 years ago
|
||
yeah, let's not risk passing a junk pointer into memchr.
|
|
Assignee | |
Comment 8•23 years ago
|
||
andreas: can you r= this patch?
|
|
Assignee | |
Updated•23 years ago
|
|
||
Comment 9•23 years ago
|
||
Comment on attachment 67031 [details] [diff] [review]
v1.0 patch
sr=mscott
Attachment #67031 -
Flags: superreview+
|
|
Reporter | |
Comment 10•23 years ago
|
||
Comment on attachment 67031 [details] [diff] [review]
v1.0 patch
r=jrgm, if you want it :-)
Attachment #67031 -
Flags: review+
|
|
||
Comment 11•23 years ago
|
||
looks good to me too, r=andreas.otte@debitel.net
|
|
Assignee | |
Comment 12•23 years ago
|
||
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
||
Comment 13•23 years ago
|
||
darin:
can you mark verified as a "code fix"?
TIA
|
|
Assignee | |
Comment 14•23 years ago
|
||
v.
You need to log in
before you can comment on or make changes to this bug.
Description
•