Bug 265067 (Closed). Opened 20 years ago, closed 19 years ago.

potential heap overflow found by mangler.cgi

Categories: Core :: Layout, defect
Platform: x86, Linux
Severity: major
Priority: Not set
Status: RESOLVED WORKSFORME
People: Reporter: guninski, Unassigned
Keywords: fixed-aviary1.0.1
Whiteboard: Linux only, OK on trunk
Attachments: 1 file

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10

After running mangler.cgi for some time, a crash which looks like a heap overflow
was found in Firefox (I don't have a debug version of Firefox, and Mozilla seems not
to be affected).

will attach the testcase.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085497312 (LWP 13323)]
0x4095d51c in mallopt () from /lib/tls/libc.so.6
(gdb) x/i $eip
0x4095d51c <mallopt+28>:        call   0x408fd78f
(gdb) info stack
#0  0x4095d51c in mallopt () from /lib/tls/libc.so.6
#1  0x4095e1c5 in mallopt () from /lib/tls/libc.so.6
#2  0x4095ba13 in realloc () from /lib/tls/libc.so.6
#3  0x4054c313 in g_realloc () from /usr/lib/libglib-2.0.so.0


Reproducible: Always
Steps to Reproduce:
check the testcase.

Actual Results:  
crash

Expected Results:  
no crash
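The backtrace in the report bottoms out inside glibc's allocator rather than in layout code, which is why it reads as a heap overflow: a stripped libc shows its internal allocator routines under the nearest exported symbol (hence the `mallopt` frames), and a fault there means a chunk header had already been corrupted by an earlier out-of-bounds write somewhere else. The crash site is not the bug site. The following constructed C model, added here and not code from this bug, Firefox or glibc, shows that pattern with a toy bump allocator: buffer `a` is overrun by a few bytes, nothing fails at that point, and the failure only surfaces when the unrelated neighbour `b` is reallocated. `first_corrupt_chunk` plays the role a debug allocator (`MALLOC_CHECK_`, valgrind) plays in practice, pointing at the damaged chunk so you can look at its predecessor. All names, sizes and the magic value are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy arena (not glibc, not Firefox code). It models one property of
 * real allocators: the chunk header sits directly in front of the user buffer,
 * so an overrun of buffer N lands on the header of buffer N+1 and nothing fails
 * until the allocator next reads that header, typically inside a later
 * malloc/realloc/free far away from the buggy write. */

struct chunk_hdr {
    uint32_t magic;   /* must survive for the chunk to be trusted */
    uint32_t size;    /* user-visible size, trusted by realloc when copying */
};

#define ARENA_SIZE  4096
#define HDR_SIZE    (sizeof(struct chunk_hdr))
#define CHUNK_MAGIC 0x41524E41u   /* arbitrary constructed marker */

static unsigned char arena[ARENA_SIZE];
static size_t arena_top;    /* bump pointer; no free list, kept minimal */
static size_t chunk_count;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
    chunk_count = 0;
}

/* Headers are read and written with memcpy to stay out of aliasing trouble. */
static void hdr_read(const unsigned char *at, struct chunk_hdr *h) {
    memcpy(h, at, HDR_SIZE);
}

static unsigned char *toy_alloc(uint32_t size) {
    if (arena_top + HDR_SIZE + size > ARENA_SIZE)
        return NULL;
    struct chunk_hdr h = { CHUNK_MAGIC, size };
    memcpy(arena + arena_top, &h, HDR_SIZE);
    unsigned char *user = arena + arena_top + HDR_SIZE;  /* just past the header */
    arena_top += HDR_SIZE + size;
    chunk_count++;
    return user;
}

/* Header validity check: 0 if intact, -1 if overwritten. glibc has only weaker,
 * implicit versions of this; a damaged size field there becomes the SIGSEGV
 * inside malloc/realloc that the report's backtraces show. */
static int toy_check(const unsigned char *p) {
    struct chunk_hdr h;
    hdr_read(p - HDR_SIZE, &h);
    return h.magic == CHUNK_MAGIC ? 0 : -1;
}

/* Grow a buffer by copying; the stored size is trusted only after the check.
 * A real allocator has no such check and crashes or aborts instead. */
static unsigned char *toy_realloc(unsigned char *p, uint32_t newsize) {
    if (toy_check(p) != 0)
        return NULL;
    struct chunk_hdr h;
    hdr_read(p - HDR_SIZE, &h);
    unsigned char *q = toy_alloc(newsize);
    if (q)
        memcpy(q, p, h.size < newsize ? h.size : newsize);
    return q;
}

/* Walk the arena the way a debug allocator would. Returns the index of the
 * first chunk whose header is damaged, or -1 if all are intact. The damaged
 * chunk's predecessor is the buffer that was overrun. */
static int first_corrupt_chunk(void) {
    size_t off = 0;
    for (size_t i = 0; i < chunk_count; i++) {
        struct chunk_hdr h;
        hdr_read(arena + off, &h);
        if (h.magic != CHUNK_MAGIC)
            return (int)i;
        off += HDR_SIZE + h.size;
    }
    return -1;
}

/* The report's situation, compressed: the real bug is a write that runs
 * overflow_bytes past the end of buffer a; the visible symptom is that a later
 * realloc of the neighbour b fails. Returns 0 if realloc succeeded, -1 if the
 * allocator tripped over corrupted metadata, -2 on a bad scenario size. */
int overflow_then_realloc(uint32_t overflow_bytes) {
    if (16u + overflow_bytes > ARENA_SIZE - 2 * HDR_SIZE - 16)
        return -2;
    arena_reset();
    unsigned char *a = toy_alloc(16);
    unsigned char *b = toy_alloc(16);
    if (!a || !b)
        return -2;
    memcpy(b, "neighbour", 10);
    memset(a, 'X', 16 + overflow_bytes);   /* the bug: overruns a into b's header */
    return toy_realloc(b, 64) ? 0 : -1;   /* where the crash surfaces */
}
```

The same model explains the later observation in this bug that a change in allocation pattern can make the crash disappear without fixing anything: if the overrun lands in slack space or a chunk nobody touches afterwards, no header check ever fires. That is why a crash that moves or vanishes between builds is not evidence the bug is gone; running the testcase under a checking allocator is.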
Confirming.
Assignee: general → nobody
Blocks: Zalewski
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
QA Contact: general → core.layout
This no longer crashes for me on Windows with the 1.0 release. Can we chalk this
up to a dupe of one of the other mangler bugs that got fixed? Georgi, can you
still reproduce this?
Whiteboard: dupe of another mangler bug that was fixed?
Crashes the Firefox 1.0 release on Linux for me.
Nightly Gecko/20050107 on Linux does NOT crash.
Georgi, could you test a recent aviary 1.0.1 build? WFM on Windows.
Still CRASHES: 
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050213 Firefox/1.0
(downloaded from latest-aviary1.0.1/ )
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1086063520 (LWP 5648)]
0x409c047c in mallopt () from /lib/tls/libc.so.6
(gdb) info stack
#0  0x409c047c in mallopt () from /lib/tls/libc.so.6
#1  0x409beaf9 in malloc () from /lib/tls/libc.so.6
#2  0x405c4067 in g_malloc () from /usr/lib/libglib-2.0.so.0
#3  0x00000020 in ?? ()
#4  0x00000000 in ?? ()
#5  0x00000000 in ?? ()
#6  0x00000000 in ?? ()
#7  0x00000000 in ?? ()
#8  0x404d8f98 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#9  0x0902ef08 in ?? ()
#10 0x4048e648 in gdk_region_offset () from /usr/lib/libgdk-x11-2.0.so.0
#11 0x00000010 in ?? ()
#12 0xbf8000dc in ?? ()
#13 0x409beaf9 in malloc () from /lib/tls/libc.so.6
Previous frame inner to this frame (corrupt stack?)



Does NOT crash on:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050107 Firefox/1.0+
Roc's changes for bug 238493 have a Linux-only component. Is FF built using GTK2?

Or maybe your fix for bug 263569 changed the memory allocation pattern enough to
sidestep some landmine in libc? You're right, if that's the real fix window
there's nothing obvious.
Whiteboard: dupe of another mangler bug that was fixed? → Linux only, OK on trunk
FF is built with GTK2, but that fix window is using GTK1 SeaMonkey trunk nightlies.

Since it is not worth fixing in 1.0.1 for Linux, removing the security flag.
Group: security
Probably this is invalid and the problem is in my box.

Does not crash on another box with FF 1.0.1.
Does not crash on Firefox 1.0.1 built from source.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Nothing was checked, and no bug/patch was mentioned as the fix.

-> WORKSFORME
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
