Closed Bug 161634 Opened 22 years ago Closed 22 years ago

[ps] envvar should not be freed after PR_SetEnv

Categories

(Core :: Printing: Output, defect)

Product:
Core
Component:
Printing: Output
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.2alpha

People

(Reporter: ajschult784, Assigned: roland.mainz)

References

Details

(Keywords: fixedOEM)

Attachments

(3 files, 2 obsolete files)

New patch for 2002-08-04-08-trunk
2.07 KB, patch
dcone
: review+
Details | Diff | Splinter Review
same as previous one, using diff -u
2.31 KB, patch
bzbarsky
: superreview+
Details | Diff | Splinter Review
final patch(r=dcone, sr=bzbarsky)
2.32 KB, patch
jesup
: review+
jesup
: superreview+
jesup
: approval+
Details | Diff | Splinter Review
this is a regression from bug 84947 http://lxr.mozilla.org/mozilla/source/gfx/src/ps/nsPostScriptObj.cpp#381 381 PR_SetEnv(envvar); 382 free(envvar); this is bad. Linux seems to copy by reference instead of copying the data. From prenv.h: ** The caller must ensure that the string passed ** to PR_SetEnv() is persistent. That is: The string should ** not be on the stack, where it can be overwritten ** on return from the function calling PR_SetEnv(). ** Similarly, the string passed to PR_SetEnv() must not be ** overwritten by other actions of the process. ... Some ** platforms use the string by reference rather than copying ** it into the environment space. ... You have been warned!
I'd say this is more like critical... this is a crash or security problem waiting to happen.
Severity: normal → critical
PR_SetEnv is sitting on top of putenv on unix and the putenv semantics require that a name=value string be used as is. The address is put into the new environment but the string itself is *not* copied. It's used as is. A wonderful way to leak memory and cause crashes. Maybe this is actually a nspr bug, nsprpub/pr/include/prenv.h says NSPR_API(PRStatus) PR_SetEnv(const char *string); but, if you build mozilla with enough warnings turned on, you'll get a message about the function discarding 'const'. A big hint if anyone ever looks at warnings.
Nice catch... :) ... accepting bug.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.2alpha
*** Bug 143480 has been marked as a duplicate of this bug. ***
Summary: envvar should not be freed after PR_SetEnv → [ps] envvar should not be freed after PR_SetEnv
*** Bug 136146 has been marked as a duplicate of this bug. ***
Attached patch Patch for 2002-08-04-08-trunk (obsolete) — Splinter Review
I replaced the dynamically allocated buffer with a |static| buffer - this should be sufficient to fix the problem.
Keywords: patch, review
The first patch does only work the first time we print, any following print session doesn't work since we're writing to memory which is still linked to the env var pool... - this new patch should fix that (in theory) ...
Attachment #94581 - Attachment is obsolete: true
dcone, syd can you r=
Comment on attachment 94588 [details] [diff] [review] New patch for 2002-08-04-08-trunk r=dcone
Attachment #94588 - Flags: review+
Comment on attachment 94588 [details] [diff] [review] New patch for 2002-08-04-08-trunk >+ PR_SetEnv("MOZ_PRINTER_NAME=dummy_value_to_make_putenv_happy"); >+ > sprintf(envvar, "MOZ_PRINTER_NAME=%s", printername); That needs to become an snprintf so we don't write outside our buffer, no?
Attachment #94588 - Flags: needs-work+
Attached patch new patch (obsolete) — Splinter Review
using snprintf instead sprintf for safty
Attachment #95345 - Attachment is obsolete: true
Comment on attachment 95354 [details] [diff] [review] same as previous one, using diff -u > nchars > ARG_MAX that should be '>=', not '>' (since if your string is ARG_MAX chars it will get truncated by one char and ARG_MAX will be the return value with recent libc versions). sr=bzbarsky with that change.
Attachment #95354 - Flags: superreview+
actaully, as Louie just noticed, that should not be "return sprintf". And the temporary should be PRInt32, not "int".
checked in trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: branchOEM
Whiteboard: branchOEM → branchOEM+
checked in NETSCAPE_7_0_OEM_BRANCH (a=jdunn)
Whiteboard: branchOEM+ → branchOEM+ fixedOEM
Keywords: review
Whiteboard: branchOEM+ fixedOEM → fixedOEM
*** Bug 134914 has been marked as a duplicate of this bug. ***
Blocks: 168057
Nominating for 1.0.2-branch...
Keywords: mozilla1.0.2
Comment on attachment 95361 [details] [diff] [review] final patch(r=dcone, sr=bzbarsky) Marking the r/sr. a=rjesup@wgate.com for 1.0 branch. you know the drill
Attachment #95361 - Flags: superreview+
Attachment #95361 - Flags: review+
Attachment #95361 - Flags: approval+
Keywords: fixedOEM
Whiteboard: fixedOEM
*** Bug 172726 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: