Closed Bug 195635 Opened 22 years ago Closed 22 years ago

valgrind doesn't like Xprint (invalid reads in XpuParseMediumSourceSize)

Categories

(Core Graveyard :: Printing: Xprint, defect)

Product:
Core Graveyard
Component:
Printing: Xprint
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.4alpha

People

(Reporter: ajschult784, Assigned: roland.mainz)

Details

(Keywords: valgrind)

Attachments

(1 file, 2 obsolete files)

New patch for 2003-03-11-08-trunk
1.19 KB, patch
ajschult784
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
If I run Mozilla under valgrind and try to do any printing (just bring up the print dialog), valgrind complains a lot. There actually appear to be two problems. The first is that for this line: num_input_items = sscanf(d, "%s %f %f %f %f",...); valgrind reports that sscanf is reading beyond the bounds of |d|. Printing it with printf, it sometimes looks ok, but often appears to be not null-terminated: "false 6.3500 209.5500 6.3500 273.0500}ܱqB" "false 6.3500 721.6500 6.3500 1023.6500}MONETARY=en_US;LC_MESSAGES=en_US;LC_PAPER=en_US;LC_NAME=en_US;Y`" the second problem is that valgrind reports that when the locale is set back to its original value, that the string had already been freed: cur_locale = setlocale(LC_NUMERIC, NULL); setlocale(LC_NUMERIC, "C"); <== this frees cur_locale num_input_items = sscanf(...); setlocale(LC_NUMERIC, cur_locale); strcpy'ing ought to fix the second issue.
Assigned to Roland.
Assignee: katakai → Roland.Mainz
QA Contact: Roland.Mainz → katakai
Status: NEW → ASSIGNED
Summary: valgrind doesn't like XPrint (invalid reads in XpuParseMediumSourceSize) → valgrind doesn't like Xprint (invalid reads in XpuParseMediumSourceSize)
Target Milestone: --- → mozilla1.4alpha
The patch fixes the (more serious) 2nd issue of the bug. The first one is little bit harder to fix (it looks like |XpuEnumerateXpAttributeValue| screams for a re-write - however the only clean fix for it would be to import the xrm sources from the X.org tree (which is likely impossible with mozilla.org's current policy about importing non-mozilla libraries (or even small parts of them) into the mozilla/-tree... ;-( ))
Slightly better patch, fixing the 2nd issue and (maybe) the 1st one, too...
Attachment #117434 - Attachment is obsolete: true
Comment on attachment 117437 [details] [diff] [review] Better patch for 2003-03-11-08-trunk to catch both issues Requesting r= ...
Attachment #117437 - Flags: review?(ajschult)
Comment on attachment 117437 [details] [diff] [review] Better patch for 2003-03-11-08-trunk to catch both issues couldn't you just null-terminate |name| after the value=>name copy loop? 662 s++; 663 } 664 while(*s); +++ *d = '\0'; 665 666 /* seperate medium name from string */ 667 d = (char *)search_next_space(name); sscanf should null-terminate the |boolbuf| half of |name| for you.
Andrew Schultz wrote: > (From update of attachment 117437 [details] [diff] [review]) > couldn't you just null-terminate |name| after the value=>name copy loop? Does that fix "valgrind"'s complaints ?
> Does that fix "valgrind"'s complaints ? yes, valgrind liked patch1 + comment 5. I was initially confused by the triplicity of |name|. |medium_name| and |boolbuf| were already being null-terminated. it was only the |d| part that was unterminated, and that can/should be done after the copy loop. isn't the if statement at the top of the function mostly backwards? - if( value && value[0]!='{' && value[0]!='\0' ) + if ( !value || value[0]!='{' ) return(False); I was trying to consider what sort of edge cases might cause trouble for |name|
Attachment #117437 - Attachment is obsolete: true
Andrew Schultz wrote: > isn't the if statement at the top of the function mostly backwards? > > - if( value && value[0]!='{' && value[0]!='\0' ) > + if ( !value || value[0]!='{' ) > return(False); Good question. The change looks OK, however I prefer to not change that now because I would have to run the whole testsuite against that change to ensure that I don't produce a new problem if something goes wrong.
Attachment #117437 - Flags: review?(ajschult) → review?
Comment on attachment 117679 [details] [diff] [review] New patch for 2003-03-11-08-trunk Requesting r= ...
Attachment #117679 - Flags: review?(ajschult)
Attachment #117437 - Flags: review?
> The change looks OK, however I prefer to not change that now > because I would have to run the whole testsuite against that change to ensure > that I don't produce a new problem if something goes wrong. well, for instance, passing in a NULL |value| will *always* crash (at strlen(value)) and the "if" lets it through explicitly (so returning on a NULL |value| can't break anything). Passing a valid pointer to NULL (which is also explicitly allowed) would do very bad things (possibly crash) because the while(*s) will be looking at the 2nd element, whose value could be random. The while loop would continue reading random memory and writing into unallocated space (value_len=0, sizeof(name)=4) until it gets lucky and hits a NULL byte.
Comment on attachment 117679 [details] [diff] [review] New patch for 2003-03-11-08-trunk r=ajschult
Attachment #117679 - Flags: review?(ajschult) → review+
Comment on attachment 117679 [details] [diff] [review] New patch for 2003-03-11-08-trunk Requesting sr= ...
Attachment #117679 - Flags: superreview?(bzbarsky)
Attachment #117679 - Flags: superreview?(bzbarsky) → superreview+
Patch checked-in by timeless (http://bonsai.mozilla.org/cvsquery.cgi?module=MozillaTinderboxAll&branch=HEAD&cvsroot=/cvsroot&date=explicit&mindate=1048129200&maxdate=1048129380&who=timeless%25mozdev.org), marking bug as FIXED.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Keywords: valgrind
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: