Closed Bug 14427 Opened 25 years ago Closed 25 years ago

memory overrun in PrepareUnicodeText

Categories

(Core :: Layout, defect, P3)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: danm.moz, Assigned: buster)

References

Details

Note the URL above is Netscape-internal, only.

content.unk is a little binary file with an extension unrecognized by that web server.  Attempts
to fetch it from apprunner corrupt the heap.  Under a debugger, this shows up as an assertion
while delete[]-ing an array previously allocated with new[].  Purify confirms a memory overwrite
at the nsCRT::memcpy() in PrepareUnicodeText.

This is my first visit to this function, so I'm not quite sure how it's intended to work.  It appears
to be treating the contents of content.unk as displayable unicode.  That's not completely unexpected
though maybe the wisdom of that is a topic for another discussion.  Anyway, it looks like this
function is expanding the handful of 0x0009 characters that happen to be in that file into
multiple spaces, and it's overrunning the destination buffer by 9 PRUnichars: just about exactly
the extra space allocated for the tabs.  Badness ensues.

It would be not too difficult to tell PrepareUnicodeText about the length of its output buffer
and teach it some manners, but I'm completely unsure of the side effects, and wonder whether
the right solution isn't something much more difficult.  So I fob this problem off on the module
owner.  (Say) Thanks, Troy!
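The overrun described above (a destination sized by a rough per-tab allowance, then written by an expansion that does not know that size) is the generic shape of a tab-expansion overflow. The following is an added illustration, not code from the bug, from PrepareUnicodeText, or from Mozilla: it assumes a 16-bit PRUnichar, a tab width of 8 columns, and an under-sized "one extra unit per tab" reservation (naive_reserve) standing in for whatever the original allocation did. It shows the exact-size computation and a bounded expander that takes the output capacity and reports, rather than performs, an overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 16-bit code units, matching the width of Mozilla's PRUnichar. */
typedef uint16_t PRUnichar;

/* Assumption: tabs advance to the next multiple of 8 columns. */
#define TAB_WIDTH 8

/* Hypothetical under-sized reservation: one extra unit per tab. A tab can
   expand to up to TAB_WIDTH spaces, so this is short by up to TAB_WIDTH-1
   units for every tab in the input. */
size_t naive_reserve(const PRUnichar *src, size_t src_len)
{
    size_t tabs = 0;
    for (size_t i = 0; i < src_len; i++)
        if (src[i] == 0x0009) tabs++;
    return src_len + tabs;
}

/* Exact number of output units the expansion will produce. Sizing the
   destination from this value is the fix at the allocation site. */
size_t expanded_length(const PRUnichar *src, size_t src_len)
{
    size_t col = 0, out = 0;
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] == 0x0009) {
            size_t n = TAB_WIDTH - (col % TAB_WIDTH);
            out += n; col += n;
        } else {
            out++; col++;
            if (src[i] == 0x000A) col = 0;   /* newline resets the column */
        }
    }
    return out;
}

/* Bounded expansion: never writes past dst + dst_cap, and returns the
   length the full expansion needs (snprintf style) so the caller can
   detect truncation. This is the fix at the copy site: the function is
   told the size of its output buffer. */
size_t expand_tabs_bounded(const PRUnichar *src, size_t src_len,
                           PRUnichar *dst, size_t dst_cap)
{
    size_t col = 0, out = 0;
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] == 0x0009) {
            size_t n = TAB_WIDTH - (col % TAB_WIDTH);
            for (size_t k = 0; k < n; k++) {
                if (out < dst_cap) dst[out] = 0x0020;   /* space */
                out++;
            }
            col += n;
        } else {
            if (out < dst_cap) dst[out] = src[i];
            out++; col++;
            if (src[i] == 0x000A) col = 0;
        }
    }
    return out;
}

/* Constructed sample input: "a<TAB>b<TAB>c" as 16-bit units. */
const PRUnichar kSample[] = { 0x0061, 0x0009, 0x0062, 0x0009, 0x0063 };
size_t sample_len(void) { return sizeof(kSample) / sizeof(kSample[0]); }

int main(void)
{
    size_t n = sample_len();
    size_t reserved = naive_reserve(kSample, n);
    size_t needed   = expanded_length(kSample, n);
    PRUnichar buf[64];
    size_t wrote = expand_tabs_bounded(kSample, n, buf, reserved);
    printf("naive reservation: %zu units, exact need: %zu units\n",
           reserved, needed);
    printf("bounded expansion into %zu units reports %zu needed (%s)\n",
           reserved, wrote, wrote > reserved ? "truncated" : "fits");
    return 0;
}
```

The unbounded version of this loop, writing spaces until the tab is satisfied into a buffer sized by naive_reserve, is the overrun the report describes; with either the exact sizing or the capacity argument in place, the worst outcome is truncated text rather than a corrupted heap.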
Assignee: troy → kipp
Kipp, looking at the CVS logs, this looks like you.
Blocks: 14041
Status: NEW → ASSIGNED
Target Milestone: M11
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fixed. Nice catch. I found several other related issues and cleaned them all up.
Hopefully purify will remain happy.
Status: RESOLVED → VERIFIED