Closed
Bug 176543
Opened 22 years ago
Closed 22 years ago
Malloc of 0 and bad initialization causes crash
Categories
(NSPR :: NSPR, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
4.3
People
(Reporter: mkaply, Assigned: wtc)
Details
Attachments
(1 file, 2 obsolete files)
923 bytes,
patch
|
mkaply
:
review+
roc
:
approval+
|
Details | Diff | Splinter Review |
We were trying to run an XPI that starts an app and got a crash in NSPR. Tracked it down to two issues. 1. We were failing on a malloc of 0. 2. We weren't initializing a variable, so the free was crashing. Diff attached.
Reporter | ||
Comment 1•22 years ago
|
||
Handle malloc of 0 and properly initialize newenvp
Assignee | ||
Comment 2•22 years ago
|
||
How can you have a command line size of 0? It seems that that should be treated as an error.
Reporter | ||
Comment 3•22 years ago
|
||
command line is the arguments passed to the application. In this case, it is simply invoking an application with no arguments.
Assignee | ||
Comment 4•22 years ago
|
||
Mike, I think you are using PR_CreateProcess incorrectly. By convention, the first argument in the argv array is the name of the application you want to invoke. So a command line size of 0 is an error. See the PR_CreateProcess documentation at http://www.mozilla.org/projects/nspr/reference/html/prprocess.html#24535. The second "hunk" of your patch is good though. It's just that the first "hunk" of your patch shows that you seem to be using PR_CreateProcess incorrectly and if commandLineSize is 0 (which will not happen under normal circumstances), we should return -1 (a failure), not 0.
Reporter | ||
Comment 5•22 years ago
|
||
The OS/2 function we call take the argv string directly. You pass argv[0] (the program name) in one place, and the rest of the arguments in another. The assembleCmdLine function is designed to take argv[1] and greater and create the parameters to pass to the application. for (arg = argv+1; *arg; arg++) { cmdLineSize += strlen(*arg) + 1; /* space in between, or final null */ } So if there are no arguments, this function will create a 0 length command line. The function is named poorly. It should be assembleParameters or something like that.
Assignee | ||
Comment 6•22 years ago
|
||
I didn't realize that. Thanks for the explanation. I think there is still something wrong with your patch. If there are no arguments, cmdLine will be NULL, as opposed to an empty string. It seems that cmdLine should be an empty string, which means you want cmdLineSize to be 1 (for the terminating null byte) if there are no arguments. So I think the fix should be something like: for (arg = argv+1; *arg; arg++) { cmdLineSize += strlen(*arg) + 1; /* space in between, or final null */ } + if (cmdLineSize == 0) { /* no arguments */ + cmdLineSize = 1; /* final null */ + } *cmdLine = PR_MALLOC(cmdLineSize); if (*cmdLine == NULL) { return -1;
Reporter | ||
Comment 7•22 years ago
|
||
Better patch per WTC. Add one to cndLine size so we always allocate at least one. This allows other code (like strlen(cmdLine)) to work.
Attachment #104000 -
Attachment is obsolete: true
Assignee | ||
Comment 8•22 years ago
|
||
I think it's clearer to initialize cmdLineSize to 1 instead of adding 1 to it.
Attachment #104403 -
Attachment is obsolete: true
Reporter | ||
Comment 9•22 years ago
|
||
Comment on attachment 104583 [details] [diff] [review] Better fix v3 Fine with me - r=mkaply
Attachment #104583 -
Flags: review+
Assignee | ||
Comment 10•22 years ago
|
||
Do you need this fix in Mozilla 1.2final?
Reporter | ||
Comment 11•22 years ago
|
||
If I can get it there, I would like it to.
Assignee | ||
Comment 12•22 years ago
|
||
If you get drivers' approval, I can check it in for Mozilla 1.2 final.
Comment on attachment 104583 [details] [diff] [review] Better fix v3 a=roc+moz for trunk
Attachment #104583 -
Flags: approval+
Assignee | ||
Comment 14•22 years ago
|
||
Patch checked into the trunk and NSPRPUB_PRE_4_2_CLIENT_BRANCH of NSPR.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.3
You need to log in
before you can comment on or make changes to this bug.
Description
•