Closed Bug 1706 Opened 26 years ago Closed 26 years ago

purify reports array out of bounds read

Categories

(Core :: DOM: HTML Parser, defect, P2)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: buster, Assigned: rickg)

Details

You will need to fix up the test case for your configuration. I suspect the test case is irrelevant.

purify log:

[E] ABR: Array bounds read in CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsIParserNode&) {1 occurrence}
    Reading 4 bytes from 0x0459c554 (4 bytes at 0x0459c554 illegal)
    Address 0x0459c554 is 4 bytes before the beginning of a 120 byte block at 0x0459c558
    Address 0x0459c554 points to a C++ new block in heap 0x04370000
    Thread ID: 0xaa
    Error location
        CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsIParserNode&) [CNavDTD.cpp:841]
        CNavDTD::HandleStartToken(CToken *) [CNavDTD.cpp:931]
        CNavDTD::CreateContextStackFor(nsHTMLTag) [CNavDTD.cpp:3037]
        CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsIParserNode&) [CNavDTD.cpp:822]
        CNavDTD::HandleStartToken(CToken *) [CNavDTD.cpp:931]
        NavDispatchTokenHandler(CToken *,nsIDTD *) [CNavDTD.cpp:445]
        CTokenHandler::()(CToken *,nsIDTD *) [nsTokenHandler.cpp:80]
        CNavDTD::HandleToken(CToken *,nsIParser *) [CNavDTD.cpp:696]
        nsParser::BuildModel(void) [nsParser.cpp:724]
        nsParser::ResumeParse(void) [nsParser.cpp:688]
    Allocation location
        new(UINT) [new.cpp:23]
        nsTagStack::nsTagStack(int) [nsDTDUtils.cpp:39]
        nsDTDContext::nsDTDContext(int) [nsDTDUtils.cpp:144]
        CNavDTD::CNavDTD(void) [CNavDTD.cpp:515]
        NS_NewNavHTMLDTD(nsIDTD * *) [CNavDTD.cpp:411]
        CNavDTD::CreateNewInstance(nsIDTD * *) [CNavDTD.cpp:543]
        FindSuitableDTD(CParserContext&,nsString&) [nsParser.cpp:394]
        nsParser::WillBuildModel(nsString&,nsIDTD *) [nsParser.cpp:497]
        nsParser::OnDataAvailable(nsIURL *,nsIInputStream *,int) [nsParser.cpp:923]
        nsDocumentBindInfo::OnDataAvailable(nsIURL *,nsIInputStream *,int) [nsDocLoader.cpp:1474]

[E] ABR: Array bounds read in CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsIParserNode&) {2 occurrences}
    Reading 4 bytes from 0x0584fc6c (4 bytes at 0x0584fc6c illegal)
    Address 0x0584fc6c is 4 bytes before the beginning of a 120 byte block at 0x0584fc70
    Address 0x0584fc6c points to a C++ new block in heap 0x04370000
    Thread ID: 0xaa
    Error location
        CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsIParserNode&) [CNavDTD.cpp:841]
        CNavDTD::HandleStartToken(CToken *) [CNavDTD.cpp:931]
        NavDispatchTokenHandler(CToken *,nsIDTD *) [CNavDTD.cpp:445]
        CTokenHandler::()(CToken *,nsIDTD *) [nsTokenHandler.cpp:80]
        CNavDTD::HandleToken(CToken *,nsIParser *) [CNavDTD.cpp:696]
        nsParser::BuildModel(void) [nsParser.cpp:724]
        nsParser::ResumeParse(void) [nsParser.cpp:688]
        nsParser::OnDataAvailable(nsIURL *,nsIInputStream *,int) [nsParser.cpp:929]
        nsDocumentBindInfo::OnDataAvailable(nsIURL *,nsIInputStream *,int) [nsDocLoader.cpp:1474]
        OnDataAvailableProxyEvent::HandleEvent(void) [nsNetThread.cpp:606]
    Allocation location
        new(UINT) [new.cpp:23]
        nsTagStack::nsTagStack(int) [nsDTDUtils.cpp:39]
        nsDTDContext::nsDTDContext(int) [nsDTDUtils.cpp:144]
        CNavDTD::CNavDTD(void) [CNavDTD.cpp:515]
        NS_NewNavHTMLDTD(nsIDTD * *) [CNavDTD.cpp:411]
        CNavDTD::CreateNewInstance(nsIDTD * *) [CNavDTD.cpp:543]
        FindSuitableDTD(CParserContext&,nsString&) [nsParser.cpp:394]
        nsParser::WillBuildModel(nsString&,nsIDTD *) [nsParser.cpp:497]
        nsParser::OnDataAvailable(nsIURL *,nsIInputStream *,int) [nsParser.cpp:923]
        nsDocumentBindInfo::OnDataAvailable(nsIURL *,nsIInputStream *,int) [nsDocLoader.cpp:1474]

test case: 2 files --

========= page.html ============
<html><body>
<TABLE nowrap cellpadding="2" cellspacing="0" border="0" width="600" bgcolor="#000000">
<TR align="center">
<TD valign="top" align="left">
<img src="http://static.wired.com/advertising/blipverts/univ_of_phoenix/468going.gif" BORDER=1 height=60 width=468 alt="Click here for the University of Phoenix Online">&nbsp;
</TD>
<td valign="top" align="left">
<img src="http://static.wired.com/advertising/blipverts/music_blvd/bill_12060.gif" BORDER=1 height=60 width=120 alt="Click here for Music Boulevard">
</td>
</TR>
</TABLE>
</body></html>

======== test.html ==========
<frameset rows="150,*,20%">
<frame src="file://s:/testcases/pages/hotwired/page.html" scrolling=no>
<frame src="file://s:/testcases/ruler.gif">
<frame src="file://s:/testcases/ruler.gif" scrolling=no>
</frameset>

Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
All fixed with latest update to parser. You'll see the checkin on Monday or so.
QA Contact: 3829
qa contact set to reporter for verify
Status: RESOLVED → VERIFIED