Bug 265067
potential heap overflow found by mangler.cgi
Opened 20 years ago
Closed 19 years ago
Categories: Core :: Layout, defect
Status: RESOLVED WORKSFORME
People: Reporter: guninski, Unassigned
Keywords: fixed-aviary1.0.1
Whiteboard: Linux only, OK on trunk
Attachments (1 file): 129.19 KB, text/html
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10

After running mangler.cgi for some time, a crash which looks like a heap overflow was found in Firefox (I don't have a debug version of Firefox, and Mozilla seems not affected). I will attach the testcase.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085497312 (LWP 13323)]
0x4095d51c in mallopt () from /lib/tls/libc.so.6
(gdb) x/i $eip
0x4095d51c <mallopt+28>: call 0x408fd78f
(gdb) info stack
#0 0x4095d51c in mallopt () from /lib/tls/libc.so.6
#1 0x4095e1c5 in mallopt () from /lib/tls/libc.so.6
#2 0x4095ba13 in realloc () from /lib/tls/libc.so.6
#3 0x4054c313 in g_realloc () from /usr/lib/libglib-2.0.so.0

Reproducible: Always

Steps to Reproduce:
Check the testcase.

Actual Results:
Crash.

Expected Results:
No crash.
Comment 1 (Reporter) • 20 years ago
Comment 2 • 20 years ago
Confirming.
Assignee: general → nobody
Blocks: Zalewski
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
QA Contact: general → core.layout
Doesn't crash for me (Linux).
Comment 4 • 20 years ago
This no longer crashes for me on Windows with the 1.0 release. Can we chalk this up to a dupe of one of the other mangler bugs that got fixed? Georgi, can you still reproduce this?
Whiteboard: dupe of another mangler bug that was fixed?
Comment 5 (Reporter) • 20 years ago
Crashes the Firefox 1.0 release on Linux for me.
Comment 6 (Reporter) • 20 years ago
Nightly Gecko/20050107 on Linux does NOT crash.
Comment 8 (Reporter) • 20 years ago
Still CRASHES: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050213 Firefox/1.0 (downloaded from latest-aviary1.0.1/ )

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1086063520 (LWP 5648)]
0x409c047c in mallopt () from /lib/tls/libc.so.6
(gdb) info stack
#0 0x409c047c in mallopt () from /lib/tls/libc.so.6
#1 0x409beaf9 in malloc () from /lib/tls/libc.so.6
#2 0x405c4067 in g_malloc () from /usr/lib/libglib-2.0.so.0
#3 0x00000020 in ?? ()
#4 0x00000000 in ?? ()
#5 0x00000000 in ?? ()
#6 0x00000000 in ?? ()
#7 0x00000000 in ?? ()
#8 0x404d8f98 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#9 0x0902ef08 in ?? ()
#10 0x4048e648 in gdk_region_offset () from /usr/lib/libgdk-x11-2.0.so.0
#11 0x00000010 in ?? ()
#12 0xbf8000dc in ?? ()
#13 0x409beaf9 in malloc () from /lib/tls/libc.so.6
Previous frame inner to this frame (corrupt stack?)

Does NOT crash on: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050107 Firefox/1.0+
Comment 9 • 20 years ago
It looks like this got fixed on trunk between 2004-10-11-08 and 2004-10-12-08. Bonsai URL: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-10-11+05%3A00%3A00&maxdate=2004-10-12+08%3A00%3A00&cvsroot=%2Fcvsroot Nothing obvious jumps out at me.
Comment 10 • 20 years ago
Roc's changes for bug 238493 have a linux-only component. Is FF built using gtk2? Or maybe your fix for bug 263569 changed the memory allocation pattern enough to sidestep some landmine in libc? You're right, if that's the real fix window there's nothing obvious.
Whiteboard: dupe of another mangler bug that was fixed? → Linux only, OK on trunk
Comment 11 • 20 years ago
FF is built with GTK2, but that fix window is using GTK1 SeaMonkey trunk nightlies.
Comment 12 (Reporter) • 19 years ago
Since it is not worth fixing in 1.0.1 for Linux, removing the security flag.
Group: security
Comment 13 (Reporter) • 19 years ago
Probably this is invalid and the problem is in my box. Does not crash on another box with FF 1.0.1.
Comment 14 (Reporter) • 19 years ago
Does not crash on Firefox 1.0.1 built from source.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Keywords: fixed-aviary1.0.1
Comment 15 • 19 years ago
Nothing was checked, no bug / patch mentioned as the fix. -> WORKSFORME
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated • 19 years ago
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → WORKSFORME
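Editor's note on the two backtraces above. Both fault inside glibc's allocator (mallopt/realloc in the first, mallopt/malloc with a "corrupt stack?" tail in the second), not in layout code. That is the typical shape of heap metadata corruption: an out-of-bounds write somewhere earlier silently damages the header of a neighbouring chunk, and the fault happens only when the allocator next reads that header. It also explains why comment 10's "changed the memory allocation pattern" guess and the later "doesn't crash on another box / built from source" observations are consistent with the bug still being present: whether the damaged header is ever read depends on chunk placement. The toy arena allocator below is an added illustration, not Mozilla, glibc or GLib code; its names (toy_malloc, toy_check_heap, the two demo functions) and the 20-byte oversized_input are invented for the example.

```c
/*
 * Added illustration (not Mozilla/Firefox or glibc code): a toy arena
 * allocator with inline chunk headers, in the spirit of glibc's malloc
 * chunk layout. It shows why a heap overflow in one place surfaces later
 * as a fault inside malloc()/realloc(), and why a changed allocation
 * order can hide the same bug without fixing it.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096u
#define HDR_MAGIC  0x5A5A5A5Au   /* every byte non-zero, so any clobbering shows */

typedef struct {
    uint32_t size;   /* usable bytes after this header (multiple of 8) */
    uint32_t magic;  /* integrity tag; glibc relies on size/flag bits instead */
} chunk_hdr;

static uint8_t arena[ARENA_SIZE];
static size_t  arena_top;        /* bytes of arena handed out so far */

static void toy_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Bump allocator: header immediately followed by user data, next chunk
 * immediately after, which is exactly the adjacency an overflow abuses. */
static void *toy_malloc(uint32_t n) {
    uint32_t rounded = (n + 7u) & ~7u;
    if (arena_top + sizeof(chunk_hdr) + rounded > ARENA_SIZE) return NULL;
    chunk_hdr *h = (chunk_hdr *)(arena + arena_top);
    h->size  = rounded;
    h->magic = HDR_MAGIC;
    arena_top += sizeof(chunk_hdr) + rounded;
    return (uint8_t *)h + sizeof(chunk_hdr);
}

/* Walk the chunk list the way an allocator does when it resizes or
 * coalesces. Returns 0 if every header is sane, otherwise the 1-based
 * index of the first damaged chunk. glibc has no magic field: it reads
 * the corrupted size, derives a wild pointer and faults inside
 * malloc/realloc, which is the backtrace shape seen in this bug. */
static int toy_check_heap(void) {
    size_t off = 0;
    int idx = 0;
    while (off < arena_top) {
        const chunk_hdr *h = (const chunk_hdr *)(arena + off);
        idx++;
        if (h->magic != HDR_MAGIC || h->size > ARENA_SIZE - off - sizeof(chunk_hdr))
            return idx;           /* stop here: a real walker would follow garbage */
        off += sizeof(chunk_hdr) + h->size;
    }
    return 0;
}

/* Constructed input: 20 bytes plus NUL, 5 bytes more than the 16-byte
 * buffer it is copied into. Stands in for the mangled HTML of the testcase. */
static const char oversized_input[] = "AAAAAAAAAAAAAAAABBBB";

/* Layout 1: the victim chunk sits right after the overflowed one. The
 * memcpy itself succeeds silently; only the later heap walk notices. */
int demo_adjacent_victim(void) {
    toy_reset();
    char *buf    = toy_malloc(16);
    char *victim = toy_malloc(16);
    (void)victim;
    memcpy(buf, oversized_input, sizeof oversized_input);   /* the bug */
    return toy_check_heap();      /* 2: second chunk's header clobbered */
}

/* Layout 2: same bug, same input, but the overflowed buffer is the last
 * chunk, so the excess bytes land in unused arena and nothing complains.
 * This is the "doesn't crash for me" / "allocation pattern" situation. */
int demo_reordered_layout(void) {
    toy_reset();
    char *victim = toy_malloc(16);
    char *buf    = toy_malloc(16);
    (void)victim;
    memcpy(buf, oversized_input, sizeof oversized_input);   /* same bug */
    return toy_check_heap();      /* 0: corruption present but invisible */
}

int main(void) {
    printf("adjacent victim : first bad chunk = %d\n", demo_adjacent_victim());
    printf("reordered layout: first bad chunk = %d\n", demo_reordered_layout());
    return 0;
}
```

The practical consequence for a report like this one: a fault in the allocator locates the symptom, not the write, and a crash that disappears on another machine or another build is what the second layout above produces, not evidence of a fix. On glibc the MALLOC_CHECK_ environment variable (value 3) makes the allocator abort at the first detected inconsistency instead of faulting somewhere later, and Valgrind's memcheck, already available in the 2004/2005 timeframe, reports the out-of-bounds write at the site of the write itself; today AddressSanitizer does the same at compile time. Any of these run against the attached testcase would have settled whether the overflow was still present when the bug was closed WORKSFORME.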