Bug 14427 - memory overrun in PrepareUnicodeText
Status: Closed, VERIFIED FIXED
Opened 25 years ago; closed 25 years ago
Categories: Core :: Layout, defect, P3
Tracking: M11
People: Reporter: danm.moz; Assigned: buster
Note the URL above is Netscape-internal, only. content.unk is a little binary file with an extension unrecognized by that web server. Attempts to fetch it from apprunner corrupt the heap. Under a debugger, this shows up as an assertion while delete[]-ing an array previously allocated with new[]. Purify confirms a memory overwrite at the nsCRT::memcpy() in PrepareUnicodeText.

This is my first visit to this function, so I'm not quite sure how it's intended to work. It appears to be treating the contents of content.unk as displayable Unicode. That's not completely unexpected, though maybe the wisdom of that is a topic for another discussion. Anyway, it looks like this function is expanding the handful of 0x0009 characters that happen to be in that file into multiple spaces, and it's overrunning the destination buffer by 9 PRUnichars: just about exactly the extra space allocated for the tabs. Badness ensues.

It would be not too difficult to tell PrepareUnicodeText about the length of its output buffer and teach it some manners, but I'm completely unsure of the side effects, and wonder whether the right solution isn't something much more difficult. So I fob this problem off on the module owner. (Say) Thanks, Troy!
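The failure mode described in the report, a tab-expanding copy whose output outgrows a destination sized from a miscounted estimate, alongside the fix the reporter suggests (a copy routine that is told its output buffer's length and checks it). This is an added example in plain C, not Mozilla's PrepareUnicodeText or any code from the bug: the 16-bit `unichar` stand-in for PRUnichar, the tab width of 8, the constructed five-character sample, and the "one extra slot per tab" mis-sizing formula are all assumptions; the page does not record the real function's sizing rule.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t unichar;      /* stands in for PRUnichar (assumption: 16-bit code units) */
#define TAB_WIDTH 8            /* assumed expansion width; the report does not state it */

/* Constructed sample input: three letters and two U+0009 tabs. */
static const unichar SAMPLE[] = { 'a', 0x0009, 'b', 0x0009, 'c' };
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Exact number of code units the expansion produces: what the caller must allocate.
 * Sizing and copying share one rule, so they cannot drift apart. */
size_t expanded_len(const unichar *src, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (src[i] == 0x0009) ? TAB_WIDTH : 1;
    return out;
}

/* Unchecked expansion in the spirit of the bug: trusts the caller's sizing and
 * writes until the input is consumed, however large the output grows. */
size_t expand_tabs_unchecked(const unichar *src, size_t n, unichar *dst)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (src[i] == 0x0009)
            for (int k = 0; k < TAB_WIDTH; k++) dst[o++] = ' ';
        else
            dst[o++] = src[i];
    }
    return o;
}

/* Bounded expansion: told the output capacity, checks it before every write.
 * Returns the count written, or -1 if the output would not fit. */
long expand_tabs_bounded(const unichar *src, size_t n, unichar *dst, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = (src[i] == 0x0009) ? TAB_WIDTH : 1;
        if (cap - o < need)       /* o <= cap always holds here, so no underflow */
            return -1;
        if (src[i] == 0x0009)
            for (size_t k = 0; k < need; k++) dst[o++] = ' ';
        else
            dst[o++] = src[i];
    }
    return (long)o;
}

/* Reproduces the overrun safely: the caller sizes the buffer with a wrong formula
 * (constructed here as "input length plus one slot per tab"), and the unchecked
 * expander runs past that logical end. A canary region placed after the logical
 * buffer, inside the same allocation, records the overrun without undefined
 * behaviour. Returns the number of canary slots clobbered. */
size_t unchecked_overrun_slots(void)
{
    size_t tabs = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++) tabs += (SAMPLE[i] == 0x0009);
    size_t wrong_cap = SAMPLE_LEN + tabs;               /* 7 slots; 19 are needed */
    const size_t canary = 64;
    unichar *buf = calloc(wrong_cap + canary, sizeof *buf);
    if (!buf) return 0;
    memset(buf + wrong_cap, 0xEE, canary * sizeof *buf); /* each canary slot = 0xEEEE */
    expand_tabs_unchecked(SAMPLE, SAMPLE_LEN, buf);
    size_t clobbered = 0;
    for (size_t i = wrong_cap; i < wrong_cap + canary; i++)
        clobbered += (buf[i] != 0xEEEE);
    free(buf);
    return clobbered;
}

/* Runs the bounded expander into a buffer of exactly `cap` slots. */
long bounded_expand_into(size_t cap)
{
    unichar *buf = calloc(cap ? cap : 1, sizeof *buf);
    if (!buf) return -1;
    long r = expand_tabs_bounded(SAMPLE, SAMPLE_LEN, buf, cap);
    free(buf);
    return r;
}

int main(void)
{
    size_t need = expanded_len(SAMPLE, SAMPLE_LEN);
    printf("expansion needs %zu code units\n", need);
    printf("unchecked expander clobbered %zu slots past an undersized buffer\n",
           unchecked_overrun_slots());
    printf("bounded expander into %zu slots: %ld\n", need - 1, bounded_expand_into(need - 1));
    printf("bounded expander into %zu slots: %ld\n", need, bounded_expand_into(need));
    return 0;
}
```

The check sits before each write rather than after, so an undersized buffer produces a clean -1 instead of a corrupted heap and a later delete[] assertion; a tool like Purify then has nothing to report, and the caller learns immediately that its size estimate was wrong.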
Fixed. Nice catch. I found several other related issues and cleaned them all up. Hopefully Purify will remain happy.