Closed
Bug 351418
Opened 18 years ago
Closed 18 years ago
crash when |data| is null [@ strlen] [@ nsStringInputStream::SetData]
Categories
(Core :: XPCOM, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.8.1
People
(Reporter: awuest, Assigned: awuest)
Details
(Keywords: crash, fixed1.8.0.9, fixed1.8.1)
Crash Data
Attachments
(1 file)
|
341 bytes,
patch
|
darin.moz
:
review+
Biesinger
:
superreview+
dveditz
:
approval1.8.0.9+
darin.moz
:
approval1.8.1+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 If we pass a null pointer to nsStringInputStream::SetData and dataLen is -1, we crash in strlen(). As for instance in: (gdb) bt #0 0x900030e8 in strlen () #1 0x1b508330 in nsStringInputStream::SetData (this=0x204465e0, data=0x0, dataLen=-1) at /Users/awuest-devel/Documents/devel/src/mozilla/trees/MOZILLA_1_8_0_BRANCH/mozilla/xpcom/io/nsStringStream.cpp:144 I wasn't sure if I should file it as a problem of strlen() (i.e., should strlen check for null pointers), or if the caller should make sure that strlen is never called with null (i.e. SetData would need a check). Reproducible: Always Steps to Reproduce: 1. call nsStringInputStream::SetData(null, -1) 2. crash Actual Results: Crash in strlen(). Expected Results: nsStringInputStream::SetData should perhaps return with NS_ERROR_NULL_POINTER.
|
Assignee | |
Comment 1•18 years ago
|
||
BTW, I filed this as per https://bugzilla.mozilla.org/show_bug.cgi?id=283487#c18.
|
||
Comment 2•18 years ago
|
||
null is not a valid input for strlen, it should crash. (what would you expect as the return value anyway?)
|
|
||
Comment 3•18 years ago
|
||
not a problem on trunk: http://lxr.mozilla.org/seamonkey/source/xpcom/io/nsStringStream.cpp#175
|
|
Assignee | |
Comment 4•18 years ago
|
||
(In reply to comment #2) > null is not a valid input for strlen, it should crash. (what would you expect > as the return value anyway?) Well, I don't know, and that's what I said. So therefore, SetData() has to do the checking. (In reply to comment #3) > not a problem on trunk: But not on 1.8.1. Would it be desireable to also add the NS_ENSURE_ARG_POINTER(data); in http://lxr.mozilla.org/mozilla1.8/source/xpcom/io/nsStringStream.cpp#141 then (I could create a patch)?
|
|
||
Comment 5•18 years ago
|
||
yeah, I think that would be good for 1_8 and 1_8_0. the other functions do check for null.
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Version: Trunk → 1.8 Branch
|
|
Assignee | |
Comment 6•18 years ago
|
||
Adds NS_ENSURE_ARG_POINTER(data); to nsStringInputStream::SetData(const char *data, PRInt32 dataLen). Based on 1.8.0, but looking at current 1.8, it should also easily apply there.
|
|
||
Updated•18 years ago
|
Attachment #236815 -
Flags: superreview+
Attachment #236815 -
Flags: review?(darin)
|
||
Updated•18 years ago
|
Attachment #236815 -
Flags: review?(darin) → review+
|
|
Assignee | |
Updated•18 years ago
|
Attachment #236815 -
Flags: approval1.8.1?
Attachment #236815 -
Flags: approval1.8.0.8?
|
|
||
Comment 7•18 years ago
|
||
Comment on attachment 236815 [details] [diff] [review] Patch against 1.8.0 and 1.8 a=darin on behalf of drivers for MOZILLA_1_8_BRANCH.
Attachment #236815 -
Flags: approval1.8.1? → approval1.8.1+
|
||
Updated•18 years ago
|
Assignee: nobody → awuest
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Updated•18 years ago
|
Status: NEW → ASSIGNED
|
||
Updated•18 years ago
|
Severity: normal → critical
Keywords: crash
Summary: crash [@nsStringInputStream::SetData/strlen] when |data| is null → crash when |data| is null [@ strlen] [@ nsStringInputStream::SetData]
|
|
Assignee | |
Updated•18 years ago
|
Whiteboard: [checkin needed (1.8 branch)]
|
||
Comment 8•18 years ago
|
||
I got a=mconnor to land this now over IRC. mozilla/xpcom/io/nsStringStream.cpp 1.19.4.2
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed (1.8 branch)]
Target Milestone: --- → mozilla1.8.1
|
||
Comment 9•18 years ago
|
||
From bonsai this appears to have been fixed1.8.1 on 9-14 - marking as such
Keywords: fixed1.8.1
|
||
Comment 10•18 years ago
|
||
Comment on attachment 236815 [details] [diff] [review] Patch against 1.8.0 and 1.8 approved for 1.8.0 branch, a=dveditz for drivers
Attachment #236815 -
Flags: approval1.8.0.9? → approval1.8.0.9+
|
||
Updated•13 years ago
|
Crash Signature: [@ strlen]
[@ nsStringInputStream::SetData]
You need to log in
before you can comment on or make changes to this bug.
Description
•