Closed
Bug 3791
Opened 26 years ago
Closed 25 years ago
[DOGFOOD]ABR: Image upload
Categories
(Core :: Graphics: ImageLib, defect, P3)
Tracking
()
M12
People
(Reporter: bruce, Assigned: pnunn)
Details
(Whiteboard: [PDT-])
Sample/demo #8 in viewer. Attach a file (apparently an image, I can't read the
name of the file in the form) and submit the form. Pull, build from March 15,
1999.
**** Purify instrumented ./viewer.pure (pid 27448) ****
ABR: Array bounds read:
* This is occurring while in:
memcpy [rtlib.o]
NET_BACat [nsNetStubs.cpp:2073]
il_gif_write(il_container_struct*,const unsigned char*,int)
[gif.cpp:1102]
IL_StreamWrite(il_container_struct*,const unsigned char*,int)
[if.cpp:809]
NetReaderImpl::Write(const unsigned char*,int) [ilNetReader.cpp:92]
ImageConsumer::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned int)
[nsImageNetContextAsync.cpp:233]
nsDocumentBindInfo::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned
int) [nsDocLoader.cpp:1783]
stub_put_block(_NET_StreamClass*,const char*,int)
[nsStubContext.cpp:647]
net_MemCacheWrite [mkmemcac.c:664]
net_pull_http_data [mkhttp.c:3097]
net_ProcessHTTP [mkhttp.c:3489]
NET_ProcessNet [mkgeturl.c:3371]
NET_PollSockets [mkselect.c:320]
nsNetlibService::NetPollSocketsCallback(nsITimer*,void*)
[nsNetService.cpp:1217]
TimerImpl::FireTimeout() [nsTimer.cpp:73]
nsTimerExpired [nsTimer.cpp:189]
g_timeout_dispatch [gmain.c:1147]
g_main_dispatch [gmain.c:647]
g_main_iterate [gmain.c:854]
g_main_run [gmain.c:912]
gtk_main [gtkmain.c:475]
nsAppShell::Run() [nsAppShell.cpp:152]
nsNativeViewerApp::Run() [nsGTKMain.cpp:42]
main [nsGTKMain.cpp:97]
_start [crt1.o]
* Reading 30 bytes from 0x617240 in the heap (1 byte at 0x61725d illegal).
* Address 0x617240 is at the beginning of a malloc'd block of 29 bytes.
* This block was allocated from:
malloc [rtlib.o]
realloc [rtlib.o]
PR_Realloc [prmem.c:57]
NET_BACat [nsNetStubs.cpp:2060]
il_gif_write(il_container_struct*,const unsigned char*,int)
[gif.cpp:1481]
IL_StreamWrite(il_container_struct*,const unsigned char*,int)
[if.cpp:809]
NetReaderImpl::Write(const unsigned char*,int) [ilNetReader.cpp:92]
ImageConsumer::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned int)
[nsImageNetContextAsync.cpp:233]
nsDocumentBindInfo::OnDataAvailable(nsIURL*,nsIInputStream*,unsigned
int) [nsDocLoader.cpp:1783]
stub_put_block(_NET_StreamClass*,const char*,int)
[nsStubContext.cpp:647]
net_MemCacheWrite [mkmemcac.c:664]
net_pull_http_data [mkhttp.c:3097]
net_ProcessHTTP [mkhttp.c:3489]
NET_ProcessNet [mkgeturl.c:3371]
NET_PollSockets [mkselect.c:320]
nsNetlibService::NetPollSocketsCallback(nsITimer*,void*)
[nsNetService.cpp:1217]
TimerImpl::FireTimeout() [nsTimer.cpp:73]
nsTimerExpired [nsTimer.cpp:189]
g_timeout_dispatch [gmain.c:1147]
g_main_dispatch [gmain.c:647]
g_main_iterate [gmain.c:854]
g_main_run [gmain.c:912]
gtk_main [gtkmain.c:475]
nsAppShell::Run() [nsAppShell.cpp:152]
nsNativeViewerApp::Run() [nsGTKMain.cpp:42]
main [nsGTKMain.cpp:97]
_start [crt1.o]
Comment 1 (Reporter) • 26 years ago
The fix to this isn't obvious. The problem is that when passing the size of the
image into NET_BACat(), you really want it one larger, so you can tack the '0'
onto the end (ic->comment[ic->comment_length] = 0;). The problem here is that if
you pass in 'gs->count + 1' as you do currently, you copy one byte extra of data
(causing the ABR). If you pass in just 'gs->count', then you get an array bounds
write when you assign ic->comment[ic->comment_length] = 0. Yuck. Not sure of
the fix, but hope the diagnosis can save some time.
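One way out of the dilemma described in Comment 1 is to keep the allocation size and the copy size as separate values. This is an added example, not code from the bug report or the Mozilla tree: `comment_buf` and `comment_append` are hypothetical stand-ins for the container's comment buffer and the append call, and the input is a constructed 29-byte heap block matching the size in the Purify report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the image container's comment buffer. */
struct comment_buf {
    char  *data;   /* NUL-terminated once anything has been appended */
    size_t length; /* payload bytes, terminator not counted */
};

/*
 * Append exactly n bytes of src and keep the buffer NUL-terminated.
 * The allocation grows by n + 1 while the copy reads only n, so the
 * terminator slot exists without ever touching src[n].
 * Returns 0 on success, -1 on size overflow or allocation failure
 * (the buffer is left unchanged in both failure cases).
 */
int comment_append(struct comment_buf *c, const unsigned char *src, size_t n)
{
    if (c->length == SIZE_MAX || n > SIZE_MAX - c->length - 1)
        return -1;                       /* length + n + 1 would wrap */
    char *grown = realloc(c->data, c->length + n + 1);
    if (grown == NULL)
        return -1;
    if (n > 0)
        memcpy(grown + c->length, src, n);   /* reads n bytes, not n + 1 */
    c->data = grown;
    c->length += n;
    c->data[c->length] = '\0';           /* in bounds: slot reserved above */
    return 0;
}

int main(void)
{
    /* Constructed input: a 29-byte heap block with no spare byte after it. */
    struct comment_buf c = { NULL, 0 };
    unsigned char *src = malloc(29);
    if (src == NULL)
        return 1;
    memset(src, 'c', 29);
    int rc = comment_append(&c, src, 29);
    int ok = (rc == 0 && c.length == 29 && c.data[29] == '\0');
    free(src);
    free(c.data);
    return ok ? 0 : 1;
}
```

Building this with a memory checker such as AddressSanitizer (`-fsanitize=address`) gives the same kind of bounds checking that Purify provided in the original report.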
Updated•26 years ago
Target Milestone: M9 → M10
Comment 3•26 years ago
-> m10
Updated•25 years ago
Whiteboard: [PDT-]
Comment 5•25 years ago
PDT team says since you have a fix... check it in RSN.
Thanks
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
Updated•25 years ago
Status: RESOLVED → VERIFIED
Comment 7•25 years ago
Developer-level bug; rubber-stamping as verified.