Closed Bug 810478 Opened 8 years ago Closed 8 years ago

fix missing trailing null byte in strings read via extractBuf

Categories

(Core :: mozglue, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla19
Tracking Status
firefox16 --- affected
firefox17 --- wontfix
firefox18 --- fixed
firefox19 --- fixed

People

(Reporter: vlad, Assigned: vlad)

References

Details

Attachments

(1 file)

I've been trying to track down an intermittent startup crash for a while now that happens in my automated test runs (easily does a few hundred startups/shutdowns as part of the tests a day).  I finally got the stars aligned to get valgrind working, and it came up with the following:

==14463== Invalid read of size 1
==14463==    at 0x4828EF4: strlen (mc_replace_strmem.c:399)
==14463==    by 0x4855C6F: strndup (in /system/lib/libc.so)
==14463==  Address 0x2aae7d75 is 0 bytes after a block of size 709 alloc'd
==14463==    at 0x4827978: malloc (vg_replace_malloc.c:270)
==14463==    by 0x2D8C7F59: extractBuf(char const*, Zip*) [clone .clone.0] (APKOpen.cpp:646)
==14463==    by 0x2D8C864B: loadSQLiteLibs(char const*) (APKOpen.cpp:810)
==14463==    by 0x2D8C871D: Java_org_mozilla_gecko_GeckoAppShell_loadSQLiteLibsNative (APKOpen.cpp:951)
==14463==    by 0x4F2DE33: dvmPlatformInvoke (in /system/lib/libdvm.so)

The attached patch should fix it; I'm not sure if this is the original crash I was seeing, but it's certainly possible (if the stars align and this happens to be the end of a page where the next one is unreadable, say).
Attachment #680220 - Flags: review?(bugmail.mozilla)
Attachment #680220 - Flags: review?(bugmail.mozilla) → review?(mh+mozilla)
Attachment #680220 - Flags: review?(mh+mozilla) → review+
Duplicate of this bug: 740318
Comment on attachment 680220 [details] [diff] [review]
add zero termination to buffer

I suggest we take this on aurora & beta -- it's a trivial fix, but can cause weird random startup crashes.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): n/a
User impact if declined: possible continuing random weird startup crashes
Testing completed (on m-c, etc.): local testing with valgrind
Risk to taking this patch (and alternatives if risky): none, as best I can tell
String or UUID changes made by this patch: none
Attachment #680220 - Flags: approval-mozilla-beta?
Attachment #680220 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/419e74e5f2d7
Assignee: nobody → vladimir
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Comment on attachment 680220 [details] [diff] [review]
add zero termination to buffer

Happy to uplift and help with startup crashes on Aurora, but we're too late for Beta, please get this into mozilla-aurora before Monday 11/19 merge day.
Attachment #680220 - Flags: approval-mozilla-beta?
Attachment #680220 - Flags: approval-mozilla-beta-
Attachment #680220 - Flags: approval-mozilla-aurora?
Attachment #680220 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.