Closed Bug 302888 Opened 19 years ago Closed 16 years ago

Invalid free occurs when using gmail smime

Categories: Core :: XPConnect, defect
Version: 1.7 Branch
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED INCOMPLETE
Reporter: eriksjunk
Assignee: Unassigned
Keywords: crash
Attachments: 1 file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

When trying to send an encrypted message with gmail smime on linux, a message
such as "*** glibc detected *** free(): invalid pointer: 0x09107de0 ***" is
printed on the console.  Depending on the system configuration, this may or may
not be fatal.  On my system, firefox gets sent SIGABRT and crashes.  This
extension is written entirely in javascript, so it should not be able to produce
an invalid free.

Reproducible: Always

Steps to Reproduce:
1. Get a gmail account
2. Get a personal e-mail certificate and install it.  (e.g. from Thawte)
3. Install the gmail smime extension.
4. Log into gmail account
5. Compose a message to the address the certificate is for and verify that the
lock icon from gmail smime is shown as locked.
6. Press the send button.

Actual Results:  
Firefox freezes up and "*** glibc detected *** free(): invalid pointer:
0x09107de0 ***" is printed on the console.

Expected Results:  
Sent the encrypted message, or at least not generated the invalid free and kept
running.

Setting the environment variable MALLOC_CHECK_ to 1 makes the error non-fatal on
my system, and the message is sent.  I am using version 0.1.3 of the extension,
but experienced the same problem with 0.1.2.

Comment on attachment 191159 [details]
Full backtrace from after crash

The error was:
*** glibc detected *** free(): invalid pointer: 0x08c4a760 ***

reporter: can you dig from the js_Interpret or nearby frames for
cx->fp(down->)*->script->filename
                       ->lineNo

and also provide a url for this extension.

Assignee: nobody → dbradley
Severity: normal → critical
Component: General → XPConnect
Keywords: crash
Product: Firefox → Core
QA Contact: general → pschwartau
Version: unspecified → 1.7 Branch

(In reply to comment #3)
> reporter: can you dig from the js_Interpret or nearby frames for
> cx->fp(down->)*->script->filename
>                        ->lineNo
Where can I find instructions for this?

> 
> and also provide a url for this extension.

http://richard.jones.name/google-hacks/gmail-smime/gmail-smime.html

in gdb, p(rint), see http://www.mozilla.org/unix/debugging-faq.html

(In reply to comment #5)
> in gdb, p(rint), see http://www.mozilla.org/unix/debugging-faq.html

(gdb) p cx->fp->down->script->filename
$1 = 0x851014d "chrome://gmailsmime/content/smimesender.js"

what do I need to type to get the line number?

p cx->fp->down->script->lineNo

(In reply to comment #7)

That does not work for me:
(gdb) p cx->fp->down->script->lineNo
There is no member named lineNo.

I am using a debug version of 1.0.6 if that helps.

I only suggested what comment #3 said. I think it may be lineno instead of
lineNo, though, so try this:

p cx->fp->down->script->lineno

(In reply to comment #9)

Thanks.

(gdb) p cx->fp->down->script->lineno
$2 = 184

Assignee: dbradley → nobody
QA Contact: pschwartau → xpconnect

Unfortunately, I can not currently test this bug as newer versions of
the extension use a completely different method to send messages, and so
would not exhibit the same behavior.  I looked briefly but was unable to
find an old version of the plugin, but it would probably not be usable
anyway, due to changes in Gmail that occur.

(In reply to comment #11)
> Unfortunately, I can not currently test this bug as newer versions of
> the extension use a completely different method to send messages, and so
> would not exhibit the same behavior.  I looked briefly but was unable to
> find an old version of the plugin, but it would probably not be usable
> anyway, due to changes in Gmail that occur.

=> incomplete

please reopen if you still see the problem or prospects for follow up

Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INCOMPLETE