Closed
Bug 19984
Opened 26 years ago
Closed 26 years ago
Purify UMR - in nsStr::Compare1to1
Categories
(Core :: XPCOM, defect, P3)
Tracking
()
RESOLVED
FIXED
M14
People
(Reporter: rpotts, Assigned: rickg)
Details
hey rick,
I'm seeing a ton of purify errors involving nsStr::Compare1to1(...).
It looks like the length being passed in is the length of the LARGER string, so
memcpy() will read (at least) one byte past the end of the shorter string...
-- rick
here is the purify trace:
==========================
[W] UMR: Uninitialized memory read in memcmp {28 occurrences}
    Reading 6 bytes from 0x0577c0bc (1 byte at 0x0577c0c1 uninitialized)
    Address 0x0577c0bc is argument #1 of memcmp
    Address 0x0577c0bc is 212 bytes into a 23832 byte block at 0x0577bfe8
    Address 0x0577c0bc points to a C++ new block in heap 0x02c50000
    Thread ID: 0xa3
    Error location
        memcmp [memcmp.asm:60]
        Compare1To1(char const*,char const*,UINT,int) [bufferRoutines.h:403]
                PRInt32 result=0;
                if(aIgnoreCase)
                  result=nsCRT::strncasecmp(aStr1,aStr2,aCount);
         =>     else result=memcmp(aStr1,aStr2,aCount);
                return result;
              }
        nsStr::Compare(nsStr const&,nsStr const&,int,int) [nsStr.cpp:614]
                PRInt32 maxlen=(aSource.mLength<aDest.mLength) ? aDest.mLength : aSource.mLength;
                aCount = (aCount<0) ? maxlen : MinInt(aCount,maxlen);
         =>     result=(*gCompare[aDest.mCharSize][aSource.mCharSize])(aDest.mStr,aSource.mStr,aCount,aIgnoreCase);
              }
              return result;
            }
        nsCString::Compare(nsStr const&,int,int)const [nsString.cpp:1500]
        EntityNameComparitor::()(void *,void *) [nsHTMLEntities.cpp:60]
        avlInsert [nsAVLTree.cpp:213]
        avlInsert [nsAVLTree.cpp:215]
        nsAVLTree::AddItem(void *) [nsAVLTree.cpp:476]
        nsHTMLEntities::AddRefTable(void) [nsHTMLEntities.cpp:114]
        nsParserModule::Initialize(void) [nsParserModule.cpp:179]
    Allocation location
RickPotts rules. Thanks for the tip; I've got a fix in my tree.
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Fixed by using minlen instead of maxlen when doing comparisons.
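Added example (not part of the bug thread and not Mozilla's code): the count computation from the trace beside a minlen-based one, plus a bounded compare built on the latter. The names counted_str, count_maxlen, count_minlen and compare_bounded are hypothetical, and the length tie-break for a shared prefix is this example's own choice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counted string standing in for nsStr's mStr/mLength (hypothetical type). */
typedef struct { const char *str; size_t len; } counted_str;

/* Count as computed in the trace: clamped to the LONGER string's length. */
static size_t count_maxlen(size_t dest_len, size_t src_len, long requested) {
    size_t maxlen = (src_len < dest_len) ? dest_len : src_len;
    return (requested < 0 || (size_t)requested > maxlen) ? maxlen : (size_t)requested;
}

/* Corrected count: clamped to the SHORTER length, so memcmp stays in bounds. */
static size_t count_minlen(size_t dest_len, size_t src_len, long requested) {
    size_t minlen = (src_len < dest_len) ? src_len : dest_len;
    return (requested < 0 || (size_t)requested > minlen) ? minlen : (size_t)requested;
}

/* Returns -1, 0 or 1. requested < 0 means "compare the whole strings". */
static int compare_bounded(counted_str dest, counted_str src, long requested) {
    size_t n = count_minlen(dest.len, src.len, requested);
    int r = memcmp(dest.str, src.str, n);
    if (r != 0) return (r < 0) ? -1 : 1;
    /* The caller's count fit inside both strings: equal over that span. */
    if (requested >= 0 && n == (size_t)requested) return 0;
    /* Otherwise one string is a prefix of the other; shorter sorts first
       (tie-break chosen for this example). */
    if (dest.len == src.len) return 0;
    return (dest.len < src.len) ? -1 : 1;
}

int main(void) {
    /* Constructed sample: exactly 3 bytes, no terminator, nothing valid after. */
    const char short_buf[3] = { 'a', 'm', 'p' };
    counted_str a = { short_buf, sizeof short_buf };
    counted_str b = { "ampere", 6 };
    printf("maxlen count: %zu bytes (buffer holds %zu)\n",
           count_maxlen(a.len, b.len, -1), a.len);
    printf("minlen count: %zu bytes\n", count_minlen(a.len, b.len, -1));
    printf("compare_bounded: %d\n", compare_bounded(a, b, -1));
    return 0;
}
```

Building this with a memory checker (for example -fsanitize=address) and swapping count_maxlen into compare_bounded reproduces the class of read past the shorter buffer that the trace reports.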
Updated•5 years ago
Component: String → XPCOM