Closed Bug 397093 Opened 16 years ago Closed 16 years ago

Faulty .properties file results in uninitialized memory being used

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: glazou, Assigned: smontagu)

Details

(Keywords: fixed1.8.1.15, Whiteboard: [sg:low] 1.8 branch, requires faulty localization/addon)

Attachments

(4 files, 1 obsolete file)

faulty properties file, bad encoding
309 bytes, text/plain
Details
screenshot
2.93 KB, image/png
Details
Trunk patch
6.40 KB, patch
benjamin
: review+
benjamin
: superreview+
damons
: approval1.9+
Details | Diff | Splinter Review
Branch patch with test added to StringBundleTest.cpp
3.90 KB, patch
benjamin
: review+
benjamin
: superreview+
samuel.sidler+old
: approval1.8.1.15+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
I have hit a weird bug writing an extension for Firefox. The extension is localized in both french and english.
One of the french *.properties file was not UTF-8 but ISO8859-encoded.
The window opened by my extension retrieves 3 strings from that properties file.
Surprisingly, the first retrieval (string 'textLayouts' in the attached file)
did not fail, while the two others did fail.
BUT what I got back from that first |GetStringFromName()| call was absolutely not
what's in the properties file but some text coming from a MS Word process also
running on my machine !!! My XUL window was showing me a bit of the text I was
editing in Word...
Fixing the encoding of the file of course resolved the issue.
Could you provide a minimal XUL testcase that shows the problem (when run with privileges)? Running the following code snippet gives me just "Mon":

var sbs = Components.classes["@mozilla.org/intl/stringbundle;1"]. getService(Components.interfaces.nsIStringBundleService); var sb = sbs.createBundle("file:///C:/Users/Gavin/Desktop/layout2.properties"); prompt('',sb.GetStringFromName("textLayouts"));
I also don't understand how it could have shown you data from another process - Windows' memory protection should prevent that from happening, and even if it didn't, the odds of our code having read memory from Word in such a way that it then displayed text from the opened Word file is rather low. Are you sure it wasn't a fluke of some sort? Can you reproduce the problem?
(In reply to comment #1)
> Could you provide a minimal XUL testcase that shows the problem (when run with
> privileges)? Running the following code snippet gives me just "Mon":
> 
> var sbs = Components.classes["@mozilla.org/intl/stringbundle;1"].
> getService(Components.interfaces.nsIStringBundleService); var sb =
> sbs.createBundle("file:///C:/Users/Gavin/Desktop/layout2.properties");
> prompt('',sb.GetStringFromName("textLayouts"));

My code is exactly similar to yours. But I got back a string starting with that
"Mod" (and not "Mon") followed immediately by text coming from the other
process.
I am running 2.0.0.7 on winXP sp2.

(In reply to comment #2)

> Can you reproduce the problem?

Partly yes. I am not this time seeing text coming from another process
but from the MIT license plate of one of my JS files. That license text is of
course contained in a JS comment... Just to be clear, that JS file is not the
one retrieving the localized strings.
OK, I can reproduce the problem in a branch build (I was testing trunk earlier).
Assignee: dveditz → smontagu
Component: Security → Internationalization
Flags: blocking1.8.1.12?
QA Contact: toolkit → i18n
Summary: Firefox showing data from other win process → Faulty .properties file results in data from other parts of memory being used
Whiteboard: [sg:moderate] 1.8 branch
Thanks for raising the visibility on this one, Jesse, but probably not enough time to fix for the upcoming 2.0.0.12 release.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.13? → blocking1.8.1.13+
Attached patch Branch patch (obsolete) — Splinter Review 
This is a deliberately minimal patch for branch so that no property in a property file which currently works will stop working.

For trunk I would rather return an error and fail to load the entire property file if it's not valid UTF-8.
Attachment #306514 - Flags: superreview?(benjamin)
Attachment #306514 - Flags: review?(benjamin)
Whiteboard: [sg:moderate] 1.8 branch → [sg:moderate] 1.8 branch, need r=bsmedberg
Comment on attachment 306514 [details] [diff] [review]
Branch patch

I'm not going to review this as a branch patch until an equivalent trunk patch is here with unit tests.
Attachment #306514 - Flags: superreview?(benjamin)
Attachment #306514 - Flags: review?(benjamin)
Summary: Faulty .properties file results in data from other parts of memory being used → Faulty .properties file results in uninitialized memory being used
Whiteboard: [sg:moderate] 1.8 branch, need r=bsmedberg → [sg:moderate] 1.8 branch, requires faulty localization/addon, need r=bsmedberg
Attached patch Trunk patchSplinter Review 

        Attachment #307421 -
        Flags: superreview?(benjamin)

        Attachment #307421 -
        Flags: review?(benjamin)

    
    

    
  
Comment on attachment 306514 [details] [diff] [review]
Branch patch

I already said in comment 8 that the trunk patch wasn't going to be equivalent. The patch I just attached for trunk rejects the whole properties file if it encounters invalid UTF-8, but on branch I think we should preserve the status quo that properties earlier in the file without encoding errors can still be retrieved.

        Attachment #306514 -
        Flags: superreview?(benjamin)

        Attachment #306514 -
        Flags: review?(benjamin)

    
    

    
  
Moving to the next release since this doesn't yet have reviews.
Flags: blocking1.8.1.14+
Flags: blocking1.8.1.13-
Flags: blocking1.8.1.13+

    
    

    
  
Comment on attachment 306514 [details] [diff] [review]
Branch patch

Still want a test for this. Even a binary test in xpcom/tests would help me feel comfortable.

        Attachment #306514 -
        Flags: superreview?(benjamin)

        Attachment #306514 -
        Flags: review?(benjamin)

    
  

        Attachment #307421 -
        Flags: superreview?(benjamin)

        Attachment #307421 -
        Flags: superreview+

        Attachment #307421 -
        Flags: review?(benjamin)

        Attachment #307421 -
        Flags: review+

    
    

    
  
Comment on attachment 307421 [details] [diff] [review]
Trunk patch

Requesting approval for the trunk patch.

        Attachment #307421 -
        Flags: approval1.9?

    
    

    
  
Comment on attachment 307421 [details] [diff] [review]
Trunk patch

Let's get a test per bsmedberg's suggestion.  Re-request approval once tests are included.

        Attachment #307421 -
        Flags: approval1.9?

    
    

    
  
I could be wrong, but I think bsmedberg was requesting a test for the branch patch. The trunk patch has a test already...

    
    

    
  
Comment on attachment 307421 [details] [diff] [review]
Trunk patch

Yes, what Samuel said. This is the trunk patch, with a test, which Ben already gave r+sr to. (This should really be blocking 1.9+ too)

        Attachment #307421 -
        Flags: approval1.9?

    
    

    
  


  

        Attachment #306514 -
        Attachment is obsolete: true

        Attachment #308810 -
        Flags: superreview?(benjamin)

        Attachment #308810 -
        Flags: review?(benjamin)

    
    

    
  
Comment on attachment 307421 [details] [diff] [review]
Trunk patch

a1.9+=damons

        Attachment #307421 -
        Flags: approval1.9? → approval1.9+

    
  

        Attachment #308810 -
        Flags: superreview?(benjamin)

        Attachment #308810 -
        Flags: superreview+

        Attachment #308810 -
        Flags: review?(benjamin)

        Attachment #308810 -
        Flags: review+

    
    

    
  
Comment on attachment 308810 [details] [diff] [review]
Branch patch with test added to StringBundleTest.cpp

Very safe fix ensuring that the length returned by UTF8InputStream::Read doesn't exceed the number of characters successfully converted.

        Attachment #308810 -
        Flags: approval1.8.1.14?

    
    

    
  
Comment on attachment 308810 [details] [diff] [review]
Branch patch with test added to StringBundleTest.cpp

Approved for 1.8.1.14. a=ss for release-drivers.

        Attachment #308810 -
        Flags: approval1.8.1.14? → approval1.8.1.14+

    
    

    
  
Trunk and branch patches are both checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: fixed1.8.1.14
Resolution: --- → FIXED

    
    

    
  
Why is this sg:moderate? text from .properties files isn't normally accessible to web content in any way even if there is such a malformed file. We also don't know of any .properties files shipped with Firefox that had this problem.
Whiteboard: [sg:moderate] 1.8 branch, requires faulty localization/addon, need r=bsmedberg → [sg:low] 1.8 branch, requires faulty localization/addon
Group: security

    
    

    
  
(In reply to comment #24)
> Why is this sg:moderate? text from .properties files isn't normally accessible
> to web content in any way even if there is such a malformed file. We also don't
> know of any .properties files shipped with Firefox that had this problem.

Extensions ?

    
  

        Attachment #308810 -
        Flags: approval1.8.0.next+

    
    

    
  
Comment on attachment 308810 [details] [diff] [review]
Branch patch with test added to StringBundleTest.cpp

a=asac for 1.8.0

    
  
Flags: blocking1.8.0.next+

          You need to log in
          before you can comment on or make changes to this bug.