Closed Bug 3791 Opened 26 years ago Closed 25 years ago

[DOGFOOD]ABR: Image upload

Categories

(Core :: Graphics: ImageLib, defect, P3)

defect

Tracking


VERIFIED DUPLICATE of bug 17781

People

(Reporter: bruce, Assigned: pnunn)

Details

(Whiteboard: [PDT-])

Sample/demo #8 in viewer. Attach a file (apparently an image, I can't read the name of the file in the form) and submit the form. Pull, build from March 15, 1999.

**** Purify instrumented ./viewer.pure (pid 27448) ****
ABR: Array bounds read:
  * This is occurring while in:
        memcpy [rtlib.o]
        NET_BACat [nsNetStubs.cpp:2073]
        il_gif_write(il_container_struct*,const unsigned char*,int) [gif.cpp:1102]
        IL_StreamWrite(il_container_struct*,const unsigned char*,int) [if.cpp:809]
        NetReaderImpl::Write(const unsigned char*,int) [ilNetReader.cpp:92]
        ImageConsumer::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned int) [nsImageNetContextAsync.cpp:233]
        nsDocumentBindInfo::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned int) [nsDocLoader.cpp:1783]
        stub_put_block(_NET_StreamClass*,const char*,int) [nsStubContext.cpp:647]
        net_MemCacheWrite [mkmemcac.c:664]
        net_pull_http_data [mkhttp.c:3097]
        net_ProcessHTTP [mkhttp.c:3489]
        NET_ProcessNet [mkgeturl.c:3371]
        NET_PollSockets [mkselect.c:320]
        nsNetlibService::NetPollSocketsCallback(nsITimer*,void*) [nsNetService.cpp:1217]
        TimerImpl::FireTimeout() [nsTimer.cpp:73]
        nsTimerExpired [nsTimer.cpp:189]
        g_timeout_dispatch [gmain.c:1147]
        g_main_dispatch [gmain.c:647]
        g_main_iterate [gmain.c:854]
        g_main_run [gmain.c:912]
        gtk_main [gtkmain.c:475]
        nsAppShell::Run() [nsAppShell.cpp:152]
        nsNativeViewerApp::Run() [nsGTKMain.cpp:42]
        main [nsGTKMain.cpp:97]
        _start [crt1.o]
  * Reading 30 bytes from 0x617240 in the heap (1 byte at 0x61725d illegal).
  * Address 0x617240 is at the beginning of a malloc'd block of 29 bytes.
  * This block was allocated from:
        malloc [rtlib.o]
        realloc [rtlib.o]
        PR_Realloc [prmem.c:57]
        NET_BACat [nsNetStubs.cpp:2060]
        il_gif_write(il_container_struct*,const unsigned char*,int) [gif.cpp:1481]
        IL_StreamWrite(il_container_struct*,const unsigned char*,int) [if.cpp:809]
        NetReaderImpl::Write(const unsigned char*,int) [ilNetReader.cpp:92]
        ImageConsumer::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned int) [nsImageNetContextAsync.cpp:233]
        nsDocumentBindInfo::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned int) [nsDocLoader.cpp:1783]
        stub_put_block(_NET_StreamClass*,const char*,int) [nsStubContext.cpp:647]
        net_MemCacheWrite [mkmemcac.c:664]
        net_pull_http_data [mkhttp.c:3097]
        net_ProcessHTTP [mkhttp.c:3489]
        NET_ProcessNet [mkgeturl.c:3371]
        NET_PollSockets [mkselect.c:320]
        nsNetlibService::NetPollSocketsCallback(nsITimer*,void*) [nsNetService.cpp:1217]
        TimerImpl::FireTimeout() [nsTimer.cpp:73]
        nsTimerExpired [nsTimer.cpp:189]
        g_timeout_dispatch [gmain.c:1147]
        g_main_dispatch [gmain.c:647]
        g_main_iterate [gmain.c:854]
        g_main_run [gmain.c:912]
        gtk_main [gtkmain.c:475]
        nsAppShell::Run() [nsAppShell.cpp:152]
        nsNativeViewerApp::Run() [nsGTKMain.cpp:42]
        main [nsGTKMain.cpp:97]
        _start [crt1.o]
The fix to this isn't obvious. The problem is that when passing the size of the image into NET_BACat(), you really want it one larger, so you can tack the '\0' onto the end (ic->comment[ic->comment_length] = 0;). The problem here is that if you pass in 'gs->count + 1' as you do currently, you copy one byte extra of data (causing the ABR). If you pass in just 'gs->count', then you get an array bounds write when you assign ic->comment[ic->comment_length] = 0. Yuck. Not sure of the fix, but hope the diagnosis can save some time.
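The comment above describes the classic terminator off-by-one: the append either over-reads the source by one byte (count + 1) or over-writes the destination by one byte (count, then a NUL store). The following is an added example written for this page, not code from the bug, from ImageLib's gif.cpp or from NET_BACat. It shows the pattern that escapes the dilemma (grow the block by count + 1, copy count bytes, store the terminator inside the block), and, because the bytes come from an attacker-supplied GIF, it also bounds the copy against what is actually readable from the source. The names comment_acc, comment_append, gif_read_comment and comment_free are hypothetical stand-ins for the decoder's real structures and functions; the GIF sub-block layout (length byte followed by that many data bytes, closed by a zero byte) is the real wire format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the decoder's per-image state. The field names mirror the
 * ic->comment / ic->comment_length pair the bug talks about; the real
 * ImageLib container is not reproduced here (hypothetical type). */
typedef struct {
    unsigned char *comment;   /* accumulated comment text, NUL-terminated */
    int comment_length;       /* text bytes, not counting the NUL */
} comment_acc;

/* Append 'count' bytes of 'src' to ic->comment and keep it NUL-terminated.
 * Grow the block by count + 1, copy exactly count bytes, then store the
 * terminator inside the block. 'src_avail' is how many bytes of 'src' are
 * really readable, so the copy can never over-read the source sub-block. */
static int comment_append(comment_acc *ic, const unsigned char *src,
                          int count, size_t src_avail)
{
    if (count < 0 || (size_t)count > src_avail)
        return -1;                                  /* bad or truncated length */
    size_t need = (size_t)ic->comment_length + (size_t)count + 1;
    unsigned char *p = realloc(ic->comment, need);
    if (p == NULL)
        return -1;
    ic->comment = p;
    memcpy(ic->comment + ic->comment_length, src, (size_t)count);
    ic->comment_length += count;
    ic->comment[ic->comment_length] = 0;            /* index need - 1: in bounds */
    return 0;
}

/* Walk the body of a GIF Comment Extension (the bytes after 0x21 0xFE): a run
 * of data sub-blocks, each a length byte followed by that many data bytes,
 * closed by a zero-length block. Returns the number of bytes consumed, or 0
 * if the input is truncated or an append fails. */
static size_t gif_read_comment(comment_acc *ic, const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    for (;;) {
        if (pos >= len)
            return 0;                               /* length byte missing */
        unsigned char n = buf[pos++];
        if (n == 0)
            return pos;                             /* block terminator reached */
        if (comment_append(ic, buf + pos, (int)n, len - pos) != 0)
            return 0;                               /* sub-block runs past the data */
        pos += n;
    }
}

static void comment_free(comment_acc *ic)
{
    free(ic->comment);
    ic->comment = NULL;
    ic->comment_length = 0;
}

int main(void)
{
    /* Constructed input: sub-blocks "Hello, " and "GIF", then the terminator. */
    static const unsigned char ext[] = {
        7, 'H', 'e', 'l', 'l', 'o', ',', ' ',
        3, 'G', 'I', 'F',
        0
    };
    /* Constructed truncated input: claims 5 bytes but only 2 follow. */
    static const unsigned char bad[] = { 5, 'a', 'b' };

    comment_acc ic = { NULL, 0 };
    size_t used = gif_read_comment(&ic, ext, sizeof ext);
    printf("consumed %zu bytes, comment = \"%s\" (%d bytes)\n",
           used, ic.comment ? (const char *)ic.comment : "", ic.comment_length);
    comment_free(&ic);

    used = gif_read_comment(&ic, bad, sizeof bad);
    printf("truncated extension: consumed %zu bytes (0 = rejected)\n", used);
    comment_free(&ic);
    return 0;
}
```

The two-length discipline is the point: the destination is sized from what will be written (count plus the terminator), while the source read is bounded separately by what the stream actually holds, so neither Purify complaint can recur from a short or malformed sub-block.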
Status: NEW → ASSIGNED
Target Milestone: M5
Target Milestone: M5 → M6
Target Milestone: M6 → M8
Target Milestone: M8 → M9
pushing to m9.
Target Milestone: M9 → M10
-> m10
Target Milestone: M10 → M11
have a fix. Have to jump thru checkin hoops. -pn
Summary: ABR: Image upload → [DOGFOOD]ABR: Image upload
Whiteboard: [PDT-]
PDT team says since you have a fix... check it in RSN. Thanks
Target Milestone: M11 → M12
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
bug 17781 describes how to fix this. This hasn't been checked in because the mac is temperamental. -pn

*** This bug has been marked as a duplicate of 17781 ***
Status: RESOLVED → VERIFIED
Developer-level bug; rubber-stamping as verified.