10.2: InitWithNativePath crashes when given a path with an extremely long component

RESOLVED FIXED

Status

critical
16 years ago
16 years ago

People

(Reporter: ccarlen, Assigned: ccarlen)

Tracking

({crash})

Trunk
PowerPC
Mac OS X
crash


Attachments

(4 attachments)

(Assignee)

Description

16 years ago
Bug 160006 and bug 159987 are both manifestations of this problem - combining
into this bug.
(Assignee)

Comment 1

16 years ago
*** Bug 160006 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 2

16 years ago
*** Bug 159987 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 3

16 years ago
Other test case: http://hopey.mcom.com/tests/security/buffer-overflow/a-value.html

For both, the file must be saved locally to see the crash.
This is happening only on 10.2 with the nsLocalFile impl used by Chimera.
The crash happens because ::CFURLGetFSRef crashes when fed such a path - new bug
in 10.2.
Status: NEW → ASSIGNED
Keywords: crash

Created attachment 97983
test file with file:/// protocol

thanks to sfraser for the testcase.
all you need to do to crash is click the link to attachment 97983 -- you don't
even have to download it locally. the change here is that "file:///" was
prepended to the src value.

going to come up with more tests to narrow this down...
Severity: normal → critical
(Assignee)

Comment 6

16 years ago
Created attachment 97994
immediately rejects paths which are too long

more tests...

a. Where the IMG src value is in the format
file:///<400_alphanumeric_char>/blah.txt:
http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol1.html

b. Where the IMG src value is in the format
file:///foopy/<396_alphanumeric_char>.txt:
http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol2.html

c. Where the IMG src value is in the format
file:///<400_alphanumeric_char>/<396_alphanumeric_char>.txt:
http://hopey.mcom.com/tests/security/buffer-overflow/img-fileProtocol3.html

none of the three tests in comment 9 crashed chimera (2002.09.05.05) on 10.2.

Comment 9

16 years ago
Comment on attachment 97994
immediately rejects paths which are too long

r=sfraser
Attachment #97994 - Flags: review+

tested IE: none of the tests (comment 9 or the attachment) caused a crash.

tested OmniWeb: like chimera, the tests in comment 9 are fine, but the test
attachment resulted in a crash.

Created attachment 98007
test with 2048 char path

clicking on this will cause chimera to crash.

Created attachment 98009
2048 char path, where the 1024th char is /

similar to attachment 98007, except that the 1024th character has been replaced
with / (forward slash). clicking this also crashes chimera.

side note: when the path was 1024-1030 char long, i did get a crash.

arrgh, typo. s/did/did NOT. 1024-1030 char path would not result in a crash.
(Assignee)

Comment 15

16 years ago
Fixed - works against the latest two test cases (whew - which were being posted
as I was checking in fix)
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
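
The fix in this bug rejects over-long paths before they reach the platform API. The following pre-check of that kind is an added illustration, not the code from attachment 97994; the limits (1024-byte path, 255-byte component) and every name in it are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits, not taken from the bug's patch: macOS defines PATH_MAX
 * as 1024 (including the NUL) and NAME_MAX as 255. */
#define MAX_PATH_BYTES      1024
#define MAX_COMPONENT_BYTES 255

enum path_check { PATH_OK, PATH_EMPTY, PATH_TOO_LONG, PATH_COMPONENT_TOO_LONG };

/* Validate an untrusted native path before any platform file API sees it.
 * The scan stops at the first violation, within MAX_PATH_BYTES bytes. */
enum path_check check_native_path(const char *path)
{
    size_t i, run = 0;
    if (path == NULL || path[0] == '\0')
        return PATH_EMPTY;
    for (i = 0; path[i] != '\0'; i++) {
        if (i + 1 >= MAX_PATH_BYTES)      /* no room left for the NUL */
            return PATH_TOO_LONG;
        if (path[i] == '/')
            run = 0;                      /* a new component starts */
        else if (++run > MAX_COMPONENT_BYTES)
            return PATH_COMPONENT_TOO_LONG;
    }
    return PATH_OK;
}

/* Constructed sample input: `count` components of `len` 'a' bytes each. */
enum path_check check_generated(size_t count, size_t len)
{
    static char buf[8192];
    size_t pos = 0, c;
    for (c = 0; c < count && pos + len + 2 < sizeof buf; c++) {
        buf[pos++] = '/';
        memset(buf + pos, 'a', len);
        pos += len;
    }
    buf[pos] = '\0';
    return check_native_path(buf);
}

int main(void)
{
    /* One 2047-byte component; 8 x 200 bytes; 3 x 200 bytes. */
    printf("%d %d %d\n", (int)check_generated(1, 2047),
           (int)check_generated(8, 200), (int)check_generated(3, 200));
    return 0;
}
```

A caller would run this check at the top of the path-initialisation routine and return an error instead of calling into the OS when the result is not `PATH_OK`.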