Closed Bug 398547 Opened 13 years ago Closed 13 years ago

Crash in nsPlainTextSerializer.cpp, string[maxint32-1]

Categories

(Core :: DOM: Serializers, defect, critical)

x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

Details

(Keywords: crash, regression)

Attachments

(1 file)

I get a crash when trying to send SMTP email, with both thunderbird and seamonkey.

But I think the bug is not in mail, but in dom / content.

mozilla/content/base/src/nsPlainTextSerializer.cpp:1598

1597        for (PRUint32 i = totLen-1; i >= 0; i--) {
1598          PRUnichar c = str[i];

I crash with str[maxint32-1], because i is unsigned.

#5  0x00002aaab44d7aa1 in nsString::CharAt (this=0x7fff6ce04b70, i=4294967295) at ../../../dist/include/string/nsTString.h:134
#6  0x00002aaab44d7ac5 in nsString::operator[] (this=0x7fff6ce04b70, i=4294967295) at ../../../dist/include/string/nsTString.h:139
#7  0x00002aaab476c78c in nsPlainTextSerializer::Write (this=0xdc232f0, aStr=@0xdc234d0)
    at /home/kaie/moz/head/mozilla/content/base/src/nsPlainTextSerializer.cpp:1598
#8  0x00002aaab476d541 in nsPlainTextSerializer::DoAddLeaf (this=0xdc232f0, aNode=0xdb06620, aTag=109, aText=@0x7fff6ce04f10)
    at /home/kaie/moz/head/mozilla/content/base/src/nsPlainTextSerializer.cpp:1141
#9  0x00002aaab476d89b in nsPlainTextSerializer::AddLeaf (this=0xdc232f0, aNode=@0xdb06620)
    at /home/kaie/moz/head/mozilla/content/base/src/nsPlainTextSerializer.cpp:505
#10 0x00002aaab1335adc in CNavDTD::AddLeaf (this=0xdaa33c0, aNode=0xdb06620) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:2932
#11 0x00002aaab1338838 in CNavDTD::HandleDefaultStartToken (this=0xdaa33c0, aToken=0xdc4dc68, aChildTag=eHTMLTag_newline, aNode=0xdb06620)
    at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:999
#12 0x00002aaab1338c4a in CNavDTD::HandleStartToken (this=0xdaa33c0, aToken=0xdc4dc68) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:1343
#13 0x00002aaab13394b3 in CNavDTD::HandleToken (this=0xdaa33c0, aToken=0xdc4dc68, aParser=0xdc28cd0)
    at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:701
#14 0x00002aaab1339cd4 in CNavDTD::BuildModel (this=0xdaa33c0, aParser=0xdc28cd0, aTokenizer=0xdb19d70, anObserver=0x0, aSink=0xdc232f8)
    at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:331
#15 0x00002aaab1344127 in nsParser::BuildModel (this=0xdc28cd0) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/nsParser.cpp:1733
#16 0x00002aaab1348483 in nsParser::ResumeParse (this=0xdc28cd0, allowIteration=0, aIsFinalChunk=0, aCanInterrupt=0)
    at /home/kaie/moz/head/mozilla/parser/htmlparser/src/nsParser.cpp:1610
#17 0x00002aaab1346d42 in nsParser::Parse (this=0xdc28cd0, aSourceBuffer=@0x7fff6ce05510, aKey=0x0, aMimeType=@0x7fff6ce05480, aLastCall=1,
    aMode=eDTDMode_autodetect) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/nsParser.cpp:1410
#18 0x00002aaaafa1fb46 in ConvertBufToPlainText (aConBuf=@0x7fff6ce05510, formatflowed=1)
    at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsMsgCompUtils.cpp:2062
#19 0x00002aaaafa29f3b in nsMsgAttachmentHandler::UrlExit (this=0xdaa4a40, status=0, aMsg=0x0)
    at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsMsgAttachmentHandler.cpp:1158
#20 0x00002aaaafa2a8ef in FetcherURLDoneCallback (aStatus=0, aContentType=@0xdaa4eb8, aCharset=@0xdaa4ec8, totalSize=230, aMsg=0x0, tagData=0xdaa4a40)
    at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsMsgAttachmentHandler.cpp:493
#21 0x00002aaaafa58011 in nsURLFetcher::OnStopRequest (this=0xdaa4e30, request=0xdaa5090, ctxt=0x0, aStatus=0)
    at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsURLFetcher.cpp:320
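The reporter's diagnosis above (an unsigned `i` can never fail `i >= 0`), as an added example that is not the attached Mozilla patch: the first function models the index sequence the buggy loop produces (`PRUint32` modelled as `uint32_t`, `PRUnichar` as `char16_t`), the second shows one bounds-safe way to scan a string backwards.

```cpp
// Added example, not the Mozilla patch. Shows why
//   for (PRUint32 i = totLen-1; i >= 0; i--)
// cannot terminate, and a reverse walk that stays inside [0, totLen).
#include <cstdint>
#include <string>

// Simulate the buggy loop's index sequence. The real loop has no exit, so we
// stop after `steps` iterations and return the index the body would read
// next. PRUint32 is modelled as uint32_t.
uint32_t buggyLoopIndexAfter(uint32_t totLen, unsigned steps) {
    uint32_t i = totLen - 1;   // totLen == 0 already wraps to 0xFFFFFFFF here
    for (unsigned n = 0; n < steps; ++n) {
        // `i >= 0` is always true for an unsigned value (GCC warns with
        // -Wextra). When i == 0 the decrement wraps to UINT32_MAX instead of
        // leaving the loop, which is the i=4294967295 seen in the stack trace.
        i--;
    }
    return i;
}

// Hardened reverse scan: the decrement happens inside the loop test, so the
// body never sees an index outside the string and the loop ends once i has
// been 0. Returns the position of the last `c`, or -1 when absent (also for
// the empty string, which the buggy form mishandles immediately).
long lastIndexOf(const std::u16string& str, char16_t c) {
    uint32_t totLen = static_cast<uint32_t>(str.size());
    for (uint32_t i = totLen; i-- > 0;) {
        if (str[i] == c) return static_cast<long>(i);
    }
    return -1;
}
```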
Attached patch: Patch v1
This patch allows me to send mail without crashing.
Attachment #283542 - Flags: superreview?
Attachment #283542 - Flags: review?
Attachment #283542 - Flags: superreview?(peterv)
Attachment #283542 - Flags: superreview?
Attachment #283542 - Flags: review?(peterv)
Attachment #283542 - Flags: review?
Depends on: 125928
Comment on attachment 283542 (Patch v1)

I found that bug 125928 introduced this crash. Changing review request to mscott and bzbarsky who reviewed that patch and already know the code.
Attachment #283542 - Flags: superreview?(peterv)
Attachment #283542 - Flags: superreview?(bzbarsky)
Attachment #283542 - Flags: review?(peterv)
Attachment #283542 - Flags: review?(mscott)
Attachment #283542 - Flags: review?(mscott) → review+
Flags: blocking1.9?
Comment on attachment 283542 (Patch v1)

sr=bzbarsky.  Sorry for missing this during review.  :(
Attachment #283542 - Flags: superreview?(bzbarsky) → superreview+
Severity: normal → critical
Keywords: regression
Assignee: nobody → kengert
Attachment #283542 - Flags: approval1.9?
Flags: blocking1.9? → blocking1.9+
Thank you Kai, nice catch!
Attachment #283542 - Flags: approval1.9?
I checked this in, so that I can use trunk-thunderbird again.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Duplicate of this bug: 398729