Closed
Bug 733112
Opened 13 years ago
Closed 6 years ago
OOM Crash [@ nsAString_internal::Last] with out of bounds access
Categories
(Core :: General, defect)
Tracking
RESOLVED
WONTFIX
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash)
Crash Data
Tested on m-c revision 8ea5c983743f: During OOM testing I got the following crash:
Program received signal SIGSEGV, Segmentation fault.
0x00002aaaac5ec26c in nsAString_internal::Last (this=0x7fffffff9820) at ../../../dist/include/nsTSubstring.h:252
252 return mData[mLength - 1];
(gdb) p mData
$1 = (nsAString_internal::char_type *) 0x2aaaae464cb8
(gdb) p mLength
$2 = 0
(gdb) bt 8
#0 0x00002aaaac5ec26c in nsAString_internal::Last (this=0x7fffffff9820) at ../../../dist/include/nsTSubstring.h:252
#1 0x00002aaaace9eccc in nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile (aFilename=<optimized out>, aMajorType=..., aMinorType=..., aTypeOptions=..., aHandler=..., aDescription=..., aMozillaFlags=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1020
#2 0x00002aaaace9f732 in nsOSHelperAppService::DoLookUpHandlerAndDescription (aMajorType=..., aMinorType=..., aTypeOptions=..., aHandler=..., aDescription=..., aMozillaFlags=<optimized out>, aUserData=false) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:956
#3 0x00002aaaace9ff06 in nsOSHelperAppService::LookUpHandlerAndDescription (aMajorType=..., aMinorType=..., aTypeOptions=..., aHandler=..., aDescription=..., aMozillaFlags=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:901
#4 0x00002aaaacea053e in nsOSHelperAppService::GetFromExtension (this=0x1d478e0, aFileExt=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1347
#5 0x00002aaaacea061c in nsOSHelperAppService::GetMIMEInfoFromOS (this=0x1d478e0, aType=..., aFileExt=..., aFound=0x7fffffffa877) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1543
#6 0x00002aaaace95fec in nsExternalHelperAppService::GetTypeFromExtension (this=0x1d478e0, aFileExt=..., aContentType=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/nsExternalHelperAppService.cpp:2602
#7 0x00002aaaace93127 in nsExternalHelperAppService::GetTypeFromFile (this=0x1d478e0, aFile=<optimized out>, aContentType=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/nsExternalHelperAppService.cpp:2741
=> 0x2aaaac5ec26c <nsAString_internal::Last() const+60>: mov (%rax,%rdx,2),%ax
rax 0x2aaaae464cb8 46912556649656
rdx 0xffffffff 4294967295
For some reason, mLength is 0 due to the OOM condition, which causes an out-of-bounds access on the mData array.
The last failing allocation is:
#0 /srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/dist/bin/libmozalloc.so(moz_malloc+0x5f)
#1 nsStringBuffer::Alloc(unsigned long) at xpcom/string/src/nsSubstring.cpp:210
#2 nsAString_internal::MutatePrep(unsigned int, unsigned short**, unsigned int*) at xpcom/string/src/nsTSubstring.cpp:163
#3 nsAString_internal::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) at xpcom/string/src/nsTSubstring.cpp:199
#4 nsAString_internal::Replace(unsigned int, unsigned int, unsigned short const*, unsigned int) at xpcom/string/src/nsTSubstring.cpp:487
#5 nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsHashtable&, nsAString_internal&, nsAString_internal&, nsAString_internal&) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:1020
#6 nsOSHelperAppService::DoLookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsHashtable&, nsAString_internal&, nsAString_internal&, nsAString_internal&, bool) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:956
#7 nsOSHelperAppService::LookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsHashtable&, nsAString_internal&, nsAString_internal&, nsAString_internal&) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:901
#8 nsOSHelperAppService::GetFromExtension(nsCString const&) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:1347
#9 ~nsACString_internal at objdir-ff-gcc64dbg/uriloader/exthandler/../../dist/include/nsTSubstring.h:113
#10 nsCOMPtr at objdir-ff-gcc64dbg/uriloader/exthandler/../../dist/include/nsCOMPtr.h:574
#11 ~nsACString_internal at objdir-ff-gcc64dbg/uriloader/exthandler/../../dist/include/nsTSubstring.h:113
#12 ~nsCOMPtr at objdir-ff-gcc64dbg/netwerk/protocol/file/../../../dist/include/nsCOMPtr.h:519
#13 nsFileChannel::OpenContentStream(bool, nsIInputStream**, nsIChannel**) at netwerk/protocol/file/nsFileChannel.cpp:371
#14 nsBaseChannel::BeginPumpingData() at netwerk/base/src/nsBaseChannel.cpp:239
#15 nsBaseChannel::AsyncOpen(nsIStreamListener*, nsISupports*) at netwerk/base/src/nsBaseChannel.cpp:610
Although there is an out-of-bounds access, I assume it's unlikely to be exploitable at all as the access is not controllable.
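An added illustration of the failure mode in the trace above (this is example code written for this page, not Mozilla's nsTSubstring or anything from the bug): mLength is an unsigned 32-bit field, so when an allocation failure leaves the string empty, `mLength - 1` wraps to 0xffffffff, which is the rdx value in the disassembly, and the scaled load `(%rax,%rdx,2)` reads roughly 8 GiB past the buffer. The `MiniString` type, its method names and the `buildAfterFailedAppend` helper are hypothetical stand-ins; the hardened accessor shows the empty-string check a defender would want before indexing.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Hypothetical minimal string with the same field shape as the trace
// (a data pointer plus an unsigned length). Not Mozilla's class.
struct MiniString {
    std::vector<char16_t> buf;   // backing storage
    uint32_t mLength = 0;        // unsigned, like the mLength in the crash

    // Mirrors the unchecked Last(): computes the index the crashing code
    // would dereference, but returns it instead of reading memory so the
    // wraparound can be inspected safely.
    uint32_t lastIndexUnchecked() const { return mLength - 1; }

    // Hardened accessor: refuses to index an empty string.
    std::optional<char16_t> lastChecked() const {
        if (mLength == 0) {
            return std::nullopt;
        }
        return buf[mLength - 1];
    }
};

// Byte offset the CPU would add to the base pointer for a char16_t index;
// matches the scale factor 2 in "mov (%rax,%rdx,2),%ax".
size_t byteOffsetOfIndex(uint32_t idx) {
    return static_cast<size_t>(idx) * sizeof(char16_t);
}

// Simulates the OOM path from the bug: when the allocation behind an
// append fails, the string stays empty even though the caller expected
// content to be present.
MiniString buildAfterFailedAppend(bool allocationFails) {
    MiniString s;
    if (!allocationFails) {
        s.buf = {u'a', u'b', u'c'};
        s.mLength = 3;
    }
    return s;
}

int main() {
    MiniString ok = buildAfterFailedAppend(false);
    MiniString oom = buildAfterFailedAppend(true);

    // Normal case: index 2, last char 'c'.
    std::printf("ok: index=%u last=%c\n",
                ok.lastIndexUnchecked(),
                static_cast<char>(ok.lastChecked().value()));

    // OOM case: unsigned wrap gives 0xffffffff, offset ~8 GiB past mData.
    std::printf("oom: index=0x%x offset=%zu bytes checked=%s\n",
                oom.lastIndexUnchecked(),
                byteOffsetOfIndex(oom.lastIndexUnchecked()),
                oom.lastChecked().has_value() ? "value" : "none");
    return 0;
}
```

The unchecked path is kept as an index calculation only, so running the example never touches out-of-bounds memory; the point is that an unsigned length can never be guarded by `mLength - 1 >= 0`, only by an explicit emptiness test like the one in `lastChecked()`.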
Comment 1•6 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX