This happens on the 3.6 tip with the attached cert database when doing "certutil -d . -L", even with a brand new key db. PR_Lock(PRLock * 0x12f8dc00) line 235 + 3 bytes nss_ZRealloc(void * 0x0012fd0c, unsigned int 128) line 1084 + 15 bytes find_objects(NSSTokenStr * 0x004dbfe8, nssSessionStr * 0x00000000, CK_ATTRIBUTE * 0x0012fdac, unsigned long 2, unsigned int 0, int * 0x0012fe00) line 449 + 16 bytes find_objects_by_template(NSSTokenStr * 0x004dbfe8, nssSessionStr * 0x00000000, CK_ATTRIBUTE * 0x0012fdac, unsigned long 2, unsigned int 0, int * 0x0012fe00) line 519 + 29 bytes nssToken_FindCertificates(NSSTokenStr * 0x004dbfe8, nssSessionStr * 0x00000000, int 2, unsigned int 0, int * 0x0012fe00) line 653 + 29 bytes PK11_TraverseCertsInSlot(PK11SlotInfoStr * 0x004d9d00, int (CERTCertificateStr *, void *)* 0x00243f04 listCertsCallback(CERTCertificateStr *, void *), void * 0x004e2b80) line 2801 + 21 bytes PK11_ListCertsInSlot(PK11SlotInfoStr * 0x004d9d00) line 3443 + 18 bytes listCerts(NSSTrustDomainStr * 0x004d3ca8, char * 0x00000000, PK11SlotInfoStr * 0x004d9d00, int 0, int 0, PRFileDesc * 0x00495538, void * 0x0012fef8) line 603 + 9 bytes ListCerts(NSSTrustDomainStr * 0x004d3ca8, char * 0x00000000, PK11SlotInfoStr * 0x004d9d00, int 0, int 0, PRFileDesc * 0x00495538, secuPWData * 0x0012fef8) line 640 + 33 bytes main(int 4, char * * 0x004925c0) line 2530 + 79 bytes CERTUTIL! mainCRTStartup + 227 bytes KERNEL32! 77e8d326()

Bob, please take a look at this bug. Thanks.

This case seems to only occur in certutil. Other clients must pass a maxOpt buffer in....

*** Bug 160276 has been marked as a duplicate of this bug. ***

Patch checked in

Thanks, Bob. It worked.

Comment on attachment 94653 [details] [diff] [review] Don't try to realloc on a static buffer. r=wtc. >+ PORT_Memcpy(objectHandles, staticObjects, >+ OBJECT_STACK_SIZE * sizeof(objectHandles[1])); The third argument can just be sizeof(staticObjects), but what you have here is correct, too.