Closed Bug 84155 Opened 24 years ago Closed 24 years ago

Lengthening string in PSM causes N6.1 Beta to crash

Categories

(Core Graveyard :: Security: UI, defect, P2)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
Windows 2000
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.0

People

(Reporter: rsmyth, Assigned: ddrinan0264)

Details

(Keywords: crash, l12y)

Attachments

(3 files)

Patch is fix this crash. Javi, please review.
642 bytes, patch
Details | Diff | Splinter Review
ssaux proposed patch.
849 bytes, patch
Details | Diff | Splinter Review
Updated patch.
758 bytes, patch
Details | Diff | Splinter Review
Open file pipnss.properties (in pipnss.jar > PSM.xpi) Lengthen the LibraryDescription= string by 6 characters. Try to launch Netscape. Product crashes with netscp6.exe application error. This string handling error has serious implications for localisation as text normally expands by up to 30 per cent when localised. See Bugscape bug no. 5733.
Keywords: l12y, nsbeta1
Adding to cc-list; adding crash to keywords
Keywords: crash
Adding loeb and lord to cc: list. This sounds pretty bad. Daniel/Rose - Is this a stopper?
adding ddrinan
Is a fix for this needed for mozilla 0.9.1?
Adding ssaux and javi to cc-list.
ddrinan I believe you fix essentially has the following sequence of calls: str = (char *)PR_Malloc(len+1); .... (cause tmplen to be determined) memcpy(str, tmpstr, tmplen); if (len > tmplen) { That's not correct. You should not copy tmplen to str if tmplen is > len Shouldn't the PR_Malloc occur exactly before the memcopy and the arg should be tmplen+1.
The PKCS11 spec says these string have to be a certain length (the _len_ value passed in). That's the reason for the logic. r=javi on ddrinan's patch.
I'm ok with is if (tmplen > len) == false always. otherwise a test must be made to not cause a boundary violation on the memcpy (ok technically boundary violation only appears if tmplen > len+1).
I did not catch the offending memcpy as the brower crashes in the memset function. The function is to return a string of length 'len'. If the string in the properties file is of length greater that 'len', then the function should return the first 'len' bytes of the string and ignore the remaining characters. Updated patch to follow.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch Updated patch.Splinter Review
r=ssaux javi please review too.
r=javi
David/Rose - Is this a beta stopper? If so, we need to tell the PDT, and change the TM really fast!
If the only way to make it crash is to edit this file by hand, it's not a stopper.
No it is not a stopper for 0.9.1 as we can abreviate the text for German and French. However his could potentially break *any* localised build. Especially any using many accented characters as each accented character = 5 chars in escaped unicode. (\uXXXX) Setting target milestone to 0.9.2
Target Milestone: --- → mozilla0.9.2
Thanks for the feedback Danny. I feel much better about mocing it to M0.9.2 now.
Correct version is 2.0 target -> 2.0, because this may result in crashes for RTM localized builds.
Severity: normal → major
Priority: -- → P2
Target Milestone: mozilla0.9.2 → 2.0
Version: 2.1 → 2.0
This got fixed by a previous checkin. Marking FIXED.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified per ddrinan's comment.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: