Bug 398547: Crash in nsPlainTextSerializer.cpp, string[maxint32-1]
Status: RESOLVED FIXED (Opened 17 years ago, Closed 17 years ago)
Categories: Core :: DOM: Serializers, defect
People: Reporter: KaiE, Assigned: KaiE
Keywords: crash, regression
Attachments (1 file): 815 bytes, patch (mscott: review+, bzbarsky: superreview+)

I get a crash when trying to send SMTP email, with both thunderbird and seamonkey. But I think the bug is not in mail, but in dom / content.

mozilla/content/base/src/nsPlainTextSerializer.cpp:1598

    1597   for (PRUint32 i = totLen-1; i >= 0; i--) {
    1598     PRUnichar c = str[i];

I crash with str[maxint32-1], because i is unsigned.

#5 0x00002aaab44d7aa1 in nsString::CharAt (this=0x7fff6ce04b70, i=4294967295) at ../../../dist/include/string/nsTString.h:134
#6 0x00002aaab44d7ac5 in nsString::operator[] (this=0x7fff6ce04b70, i=4294967295) at ../../../dist/include/string/nsTString.h:139
#7 0x00002aaab476c78c in nsPlainTextSerializer::Write (this=0xdc232f0, aStr=@0xdc234d0) at /home/kaie/moz/head/mozilla/content/base/src/nsPlainTextSerializer.cpp:1598
#8 0x00002aaab476d541 in nsPlainTextSerializer::DoAddLeaf (this=0xdc232f0, aNode=0xdb06620, aTag=109, aText=@0x7fff6ce04f10) at /home/kaie/moz/head/mozilla/content/base/src/nsPlainTextSerializer.cpp:1141
#9 0x00002aaab476d89b in nsPlainTextSerializer::AddLeaf (this=0xdc232f0, aNode=@0xdb06620) at /home/kaie/moz/head/mozilla/content/base/src/nsPlainTextSerializer.cpp:505
#10 0x00002aaab1335adc in CNavDTD::AddLeaf (this=0xdaa33c0, aNode=0xdb06620) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:2932
#11 0x00002aaab1338838 in CNavDTD::HandleDefaultStartToken (this=0xdaa33c0, aToken=0xdc4dc68, aChildTag=eHTMLTag_newline, aNode=0xdb06620) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:999
#12 0x00002aaab1338c4a in CNavDTD::HandleStartToken (this=0xdaa33c0, aToken=0xdc4dc68) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:1343
#13 0x00002aaab13394b3 in CNavDTD::HandleToken (this=0xdaa33c0, aToken=0xdc4dc68, aParser=0xdc28cd0) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:701
#14 0x00002aaab1339cd4 in CNavDTD::BuildModel (this=0xdaa33c0, aParser=0xdc28cd0, aTokenizer=0xdb19d70, anObserver=0x0, aSink=0xdc232f8) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/CNavDTD.cpp:331
#15 0x00002aaab1344127 in nsParser::BuildModel (this=0xdc28cd0) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/nsParser.cpp:1733
#16 0x00002aaab1348483 in nsParser::ResumeParse (this=0xdc28cd0, allowIteration=0, aIsFinalChunk=0, aCanInterrupt=0) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/nsParser.cpp:1610
#17 0x00002aaab1346d42 in nsParser::Parse (this=0xdc28cd0, aSourceBuffer=@0x7fff6ce05510, aKey=0x0, aMimeType=@0x7fff6ce05480, aLastCall=1, aMode=eDTDMode_autodetect) at /home/kaie/moz/head/mozilla/parser/htmlparser/src/nsParser.cpp:1410
#18 0x00002aaaafa1fb46 in ConvertBufToPlainText (aConBuf=@0x7fff6ce05510, formatflowed=1) at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsMsgCompUtils.cpp:2062
#19 0x00002aaaafa29f3b in nsMsgAttachmentHandler::UrlExit (this=0xdaa4a40, status=0, aMsg=0x0) at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsMsgAttachmentHandler.cpp:1158
#20 0x00002aaaafa2a8ef in FetcherURLDoneCallback (aStatus=0, aContentType=@0xdaa4eb8, aCharset=@0xdaa4ec8, totalSize=230, aMsg=0x0, tagData=0xdaa4a40) at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsMsgAttachmentHandler.cpp:493
#21 0x00002aaaafa58011 in nsURLFetcher::OnStopRequest (this=0xdaa4e30, request=0xdaa5090, ctxt=0x0, aStatus=0) at /home/kaie/moz/head/mozilla/mailnews/compose/src/nsURLFetcher.cpp:320
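
Added example, not part of the bug report and not the attached patch (which this page does not show): it replays the index sequence of the reported loop shape without touching memory, showing why frame #5 sees i=4294967295, next to a backward scan written with test-then-decrement. The function names are hypothetical, and uint32_t / char16_t stand in for PRUint32 / PRUnichar.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Replays only the index sequence of the reported loop shape,
//   for (PRUint32 i = totLen-1; i >= 0; i--)
// without reading memory. Returns the first index outside [0, len).
// uint32_t stands in for PRUint32 (assumption of this example).
uint32_t first_out_of_range_index(uint32_t len) {
    for (uint32_t i = len - 1; /* "i >= 0" is always true for unsigned */; i--) {
        if (i >= len) return i;  // an element access here would be out of bounds
    }
}

// Hypothetical backward scan using test-then-decrement: inside the body
// i is always in [0, len), and len == 0 never enters the loop.
// char16_t stands in for PRUnichar (assumption of this example).
uint32_t count_trailing(const std::u16string& str, char16_t ch) {
    uint32_t n = 0;
    for (uint32_t i = static_cast<uint32_t>(str.size()); i-- > 0; ) {
        if (str[i] != ch) break;
        ++n;
    }
    return n;
}

int main() {
    // Constructed sample inputs.
    std::printf("len=3 -> first bad index %u\n",
                static_cast<unsigned>(first_out_of_range_index(3)));
    std::printf("len=0 -> first bad index %u\n",
                static_cast<unsigned>(first_out_of_range_index(0)));
    std::printf("trailing spaces in \"ab  \": %u\n",
                static_cast<unsigned>(count_trailing(u"ab  ", u' ')));
    return 0;
}
```

GCC and Clang report the always-true `i >= 0` comparison under -Wtype-limits and -Wtautological-compare respectively, which makes this loop shape catchable at build time.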

Comment 1 (Assignee) • 17 years ago
This patch allows me to send mail without crashing.
Attachment #283542 - Flags: superreview?
Attachment #283542 - Flags: review?

Updated (Assignee) • 17 years ago
Attachment #283542 - Flags: superreview?(peterv)
Attachment #283542 - Flags: superreview?
Attachment #283542 - Flags: review?(peterv)
Attachment #283542 - Flags: review?

Comment 2 (Assignee) • 17 years ago
Comment on attachment 283542, Patch v1
I found that bug 125928 introduced this crash. Changing review request to mscott and bzbarsky who reviewed that patch and already know the code.
Attachment #283542 - Flags: superreview?(peterv)
Attachment #283542 - Flags: superreview?(bzbarsky)
Attachment #283542 - Flags: review?(peterv)
Attachment #283542 - Flags: review?(mscott)

Updated • 17 years ago
Attachment #283542 - Flags: review?(mscott) → review+

Updated (Assignee) • 17 years ago
Flags: blocking1.9?

Comment 3 • 17 years ago
Comment on attachment 283542, Patch v1
sr=bzbarsky. Sorry for missing this during review. :(
Attachment #283542 - Flags: superreview?(bzbarsky) → superreview+

Updated • 17 years ago
Severity: normal → critical
Keywords: regression

Updated • 17 years ago
Assignee: nobody → kengert

Updated • 17 years ago
Attachment #283542 - Flags: approval1.9?
Flags: blocking1.9? → blocking1.9+

Comment 4 • 17 years ago
Thank you Kai, nice catch!

Updated • 17 years ago
Attachment #283542 - Flags: approval1.9?

Comment 5 • 17 years ago
I checked this in, so that I can use trunk-thunderbird again.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED