Closed
Bug 6398
Opened 26 years ago
Closed 26 years ago
nsPersistentFileDescriptor overwrites buffer!
Categories
(Core :: XPCOM, defect, P2)
Tracking
()
VERIFIED
FIXED
M7
People
(Reporter: jim_nance, Assigned: mcmullen)
Details
(Whiteboard: Easy safe fix, but xpcom/base reorg prevents checkins.)
Attachments
(2 files)
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
Details | Diff | Splinter Review |
The attached patche fixes a bug I found with purify. The initial problem
is that the method:
operator >>(nsInputStream&,nsPersistentFileDescriptor&)
reads a string into a char* but does not null terminate it. We use this
string on line 62 of nsFileSpecStreaming.cpp and the lack of a null terminator
causes the program to run past the end of our string. This is easy enough
to fix by null terminating the string, and thats one thing this patch does.
The next thing I noticed is that the place where we are running off the end
of the string is in a copy constructor that seems to be totally unnecessary.
If you follow the code what happens when we make the call:
d.SetData(bigBuffer, bytesRead);
is that bigBuffer is automatically turned into a nsSimpleCharString for the
SetData method, and inside the SetData method, it is immediatly cast back into
a char*. I added another SetData method which takes a char* instead of an
nsSimpleCharString, and this eleminates the creation of a temporary
nsSimpleCharString.
Severity: minor → normal
Status: NEW → ASSIGNED
Component: Profile Manager → XP File Handling
Priority: P3 → P2
Hardware: Sun → All
Summary: Fix for UMR found by Purify → nsPersistentFileDescriptor overwrites buffer!
Target Milestone: M6
I presume you want me to do the honors? Accepting bug, with thanks.
Changing component to XP File Handling, target to M6
Changing summary from "Fix for UMR found by Purify" to
"nsPersistentFileDescriptor overwrites buffer!". Changing severity to "normal",
priority to P2, platform to "All".
Comment 3•26 years ago
|
||
John, I think you'll find this bug to be very very similar to a previous one
I'd discussed with you where the temporary resolution was a memset() to 0
ifdef'd for Solaris.
Bruce, that bug concerned an apparent reading (by _fullpath) of a buffer whose
first byte had been set to zero. I'm not sure there's more than the most
superficial resemblance here. Please enlighten me.
Whiteboard: Easy safe fix, but xpcom/base reorg prevents checkins.
Target Milestone: M6 → M7
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Updated•26 years ago
|
Status: RESOLVED → VERIFIED
Comment 8•26 years ago
|
||
code fix
Comment 9•25 years ago
|
||
Bulk moving to XPCOM, in preparation for removal of XP File Handling component.
(XPFH has received two bugs in ~5 months, and is no longer in active use.)
Component: XP File Handling → XPCOM
You need to log in
before you can comment on or make changes to this bug.
Description
•