Closed
Bug 86488
Opened 23 years ago
Closed 23 years ago
buffer overrun in macintosh collation code
Categories
(Core :: Internationalization, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla0.9.2
People
(Reporter: nhottanscp, Assigned: nhottanscp)
References
Details
(Keywords: crash, intl, Whiteboard: wait for tree open to check in)
Attachments
(2 files)
|
(deleted),
patch
|
Details | Diff | Splinter Review | |
|
(deleted),
application/octet-stream
|
Details |
There is a problem in Macintosh collation code. The problem is the length of
'key' does not contain one byte for a nul terminator. It should not use strcpy
which also copies the terminator since the key may not large enough.
http://lxr.mozilla.org/seamonkey/source/intl/locale/src/mac/nsCollationMac.cpp#2
32
232 // No CJK support, just copy the row string.
233 strcpy((char *) key, str);
234 while (*key) {
235 if ((unsigned char) *key < 128) {
236 key++;
237 }
|
Assignee | |
Comment 1•23 years ago
|
||
JA localized build crashes at start up because of this problem.
It it also reproducible with US build by modifying charsetTitles.properties with
the following strings.
chardet.off.title = \uff08\u30aa\u30d5\uff09
chardet.alis_charset_detector.title = \u3059\u3079\u3066
chardet.ja_parallel_state_machine.title = \u65e5\u672c\u8a9e
chardet.ko_parallel_state_machine.title = \u97d3\u56fd\u8a9e
chardet.zhtw_parallel_state_machine.title = \u7e41\u4f53\u4e2d\u56fd\u8a9e
chardet.zhcn_parallel_state_machine.title = \u7c21\u4f53\u4e2d\u56fd\u8a9e
chardet.zh_parallel_state_machine.title = \u4e2d\u56fd\u8a9e
chardet.cjk_parallel_state_machine.title = \u6771\u30a2\u30b8\u30a2
chardet.ruprob.title = \u30ed\u30b7\u30a2\u8a9e
chardet.ukprob.title =
\u30a6\u30af\u30e9\u30a4\u30ca\u8a9e
Other places which uses collation have the same problem potentially.. It is used
by mail sort and addressbook sort.
|
|
Assignee | |
Comment 2•23 years ago
|
||
|
||
Comment 3•23 years ago
|
||
r=ftang
|
|
||
Updated•23 years ago
|
Whiteboard: need sr= and a=
|
|
Assignee | |
Comment 4•23 years ago
|
||
|
|
Assignee | |
Comment 5•23 years ago
|
||
I can reproduce the crash in mail by using the attached data.
It contains the message subjects with the same strings as used for
auto-detection names in JA localized build.
Launch the mail client and click the subject tab a couple of times to sort the
messages.
It crashes either when I click the tab or when I quit the app.
I used today's trunk ppc build (2001-06-18-08-trunk).
It does not crash when I use a dll which includes my patch.
|
|
||
Comment 7•23 years ago
|
||
change status to "ask sfraser to sr= 6/19 9:45 , aslo need a="
Whiteboard: need sr= and a= → ask sfraser to sr= 6/19 9:45 , aslo need a=
|
||
Comment 8•23 years ago
|
||
Changing QA contact to marina@netscape.com and copying ji@netscape.com.
QA Contact: andreasb → marina
|
||
Comment 9•23 years ago
|
||
sr=sfraser
|
|
Assignee | |
Updated•23 years ago
|
Whiteboard: ask sfraser to sr= 6/19 9:45 , aslo need a= → need a=
|
||
Comment 10•23 years ago
|
||
a= asa@mozilla.org for checkin to the trunk.
(on behalf of drivers)
|
|
||
Updated•23 years ago
|
Whiteboard: need a= → wait for tree open to check in
|
|
||
Updated•23 years ago
|
QA Contact: andreasb → marina
|
|
Assignee | |
Comment 11•23 years ago
|
||
checked in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 12•23 years ago
|
||
*** Bug 86173 has been marked as a duplicate of this bug. ***
|
||
Comment 13•23 years ago
|
||
using Naoki's folder sorted ja data in it without a crash ( used 06-28-01
branch), marking verified as fixed
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•