Crash when loading URLs greater than 100 characters

Status: VERIFIED FIXED

Product: Core
Component: Networking
Priority: P3
Severity: normal
Reported: 18 years ago
Modified: 18 years ago

People

Reporter: Scott MacGregor
Assigned: Scott MacGregor

Tracking

Keywords: crash, regression
Version: Trunk
Platform: x86
OS: Other


Attachments: 1 attachment

Description (Assignee), 18 years ago
In a Mozilla win32 build from this morning, if I try to click on a bookmark for
a bugzilla query I have, I crash with the following stack trace:

nsURLEscape(const char * 0x0484d340, short 256, nsCString & {...}) line 108 + 3 bytes
nsAppendURLEscapedString(nsCString & {...}, const char * 0x0484d340, short 256) line 117 + 18 bytes
nsStdURL::AppendString(nsCString & {...}, char * 0x0484d340, nsStdURL::Format ESCAPED, short 256) line 290 + 18 bytes
nsStdURL::GetPath(nsStdURL * const 0x048db190, char * * 0x0012d690) line 780 + 26 bytes
nsStdURL::GetSpec(nsStdURL * const 0x048db190, char * * 0x0012d76c) line 373 + 16 bytes
LocationImpl::SetHrefWithBase(const nsString & {"http://bugzilla.mozilla.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=mscott%40netscape.com&em"}, nsIURI * 0x04042ed0, int 1) line 377 + 42 bytes
LocationImpl::SetProperty(JSContext * 0x031e5600, JSObject * 0x03749148, long 39200436, long * 0x0012e590) line 812 + 30 bytes
nsJSUtils::nsCallJSScriptObjectSetProperty(nsISupports * 0x0484c8c4, JSContext * 0x031e5600, JSObject * 0x03749148, long 39200436, long * 0x0012e590) line 241 + 27 bytes

nsURLEscape uses a tempBuffer that is 100 bytes long. I'm seeing us access
values well outside of this buffer. i.e. tempBufferPos is a really large number.
Updated (Assignee), 18 years ago
Keywords: regression

Comment 1, 18 years ago
I believe if (tempBuffer == 96) should be tempBuffer >= 96 in nsURLEscape

If tempBufferPos was 95 when the three lines above happen, it is 98 when it hits the if statement.
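The failure mode the description and comment 1 describe, as an added example rather than Mozilla's code: a model of the nsURLEscape flush loop built from the figures in this report (a 100-byte tempBuffer, a flush check at position 96, three output bytes per escaped input byte). The escape mask (alphanumerics pass, everything else becomes %XX), the helper names and the sample input are this example's own assumptions. It runs the same input through the `== 96` check from the report and the `>= 96` check from comment 1; to keep the demonstration well-defined the out-of-bounds store is recorded instead of performed, which is exactly where the real code wrote past the stack buffer.

```c
/* Model of the nsURLEscape temp-buffer flush bug; added example, not Mozilla's
 * code. Sizes come from the bug report; the escape mask and names are
 * simplifications assumed here. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEMP_BUFFER_SIZE 100
#define FLUSH_AT (TEMP_BUFFER_SIZE - 4)  /* 96: room for one 3-byte escape plus a NUL */

typedef struct {
    char   *data;        /* escaped output, heap-allocated, NUL-terminated */
    size_t  len;
    size_t  high_water;  /* largest tempBuffer index the loop tried to write */
    bool    overflow;    /* true once any write lands at index >= TEMP_BUFFER_SIZE */
} escape_result;

static void append(escape_result *r, const char *s, size_t n) {
    char *p = realloc(r->data, r->len + n + 1);
    if (!p) { perror("realloc"); exit(1); }
    r->data = p;
    memcpy(r->data + r->len, s, n);
    r->len += n;
    r->data[r->len] = '\0';
}

/* Guarded store. The original code stored unconditionally (the crash); here an
 * out-of-range write is recorded, not performed, so the demo stays defined. */
static void put(char *buf, unsigned *pos, char b, escape_result *r) {
    if (*pos < TEMP_BUFFER_SIZE) buf[*pos] = b; else r->overflow = true;
    if (*pos > r->high_water) r->high_water = *pos;
    (*pos)++;
}

/* Simplified mask (assumption): alphanumerics pass through unescaped. */
static bool is_safe(unsigned char c) { return isalnum(c) != 0; }

/* fixed == false reproduces the `== 96` check from the report;
 * fixed == true applies the `>= 96` fix proposed in comment 1. */
escape_result url_escape(const char *src, bool fixed) {
    static const char HEX[] = "0123456789ABCDEF";
    escape_result r = { NULL, 0, 0, false };
    char tempBuffer[TEMP_BUFFER_SIZE];
    unsigned tempBufferPos = 0;

    append(&r, "", 0);                         /* always hand back a valid string */
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (is_safe(c)) {
            put(tempBuffer, &tempBufferPos, (char)c, &r);
        } else {                               /* one input byte -> "%XX" */
            put(tempBuffer, &tempBufferPos, '%', &r);
            put(tempBuffer, &tempBufferPos, HEX[c >> 4], &r);
            put(tempBuffer, &tempBufferPos, HEX[c & 0x0f], &r);
        }
        /* An escape starting at pos 95 ends at 98: `==` never sees 96 again,
         * the buffer is never flushed, and every later byte is out of bounds. */
        bool flush = fixed ? tempBufferPos >= FLUSH_AT : tempBufferPos == FLUSH_AT;
        if (flush) {
            append(&r, tempBuffer, tempBufferPos);   /* pos <= 98 < 100 here in both variants */
            tempBufferPos = 0;
        }
    }
    /* Final flush; in the buggy variant pos may be far past the buffer, so
     * clamp the copy to what was actually stored. */
    append(&r, tempBuffer, tempBufferPos < TEMP_BUFFER_SIZE ? tempBufferPos : TEMP_BUFFER_SIZE);
    return r;
}

/* Constructed sample input (not from the report): 95 safe bytes leave pos at
 * 95, one escaped byte jumps it to 98, then 10 more bytes follow. */
const char *sample_input(void) {
    static char buf[95 + 1 + 10 + 1];
    memset(buf, 'a', 95);
    buf[95] = '@';
    memset(buf + 96, 'b', 10);
    buf[106] = '\0';
    return buf;
}

int main(void) {
    escape_result bad  = url_escape(sample_input(), false);
    escape_result good = url_escape(sample_input(), true);
    printf("== check: high-water index %zu, overflow=%d\n", bad.high_water, (int)bad.overflow);
    printf(">= check: high-water index %zu, overflow=%d, %zu output bytes\n",
           good.high_water, (int)good.overflow, good.len);
    free(bad.data);
    free(good.data);
    return 0;
}
```

With the `==` check the high-water index climbs to 107 on a 106-byte input and keeps climbing with input length; with `>=` the buffer is flushed at 98 and the highest index ever written is 97, which is why the four bytes of headroom after 96 are enough once the comparison is inclusive.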
Comment 2 (Assignee), 18 years ago
mkaply is right. Putterman just came by my cube to fix this bug and he did the
same thing on my machine.

I can check this in if someone will give me approval.
Comment 3 (Assignee), 18 years ago
Created attachment 5789: proposed fix
Comment 4 (Assignee), 18 years ago
I checked in a fix for this tonight since Warren hasn't had a chance to look at
this yet.
Assignee: warren → mscott
Comment 5 (Assignee), 18 years ago
fix checked in.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 6, 18 years ago
*** Bug 29503 has been marked as a duplicate of this bug. ***

Comment 7, 18 years ago
Adding crash keyword
Keywords: crash

Comment 8, 18 years ago
verified: NT 2000042009
Status: RESOLVED → VERIFIED