Date:      Mon, 6 Feb 2006 07:57:17 -0800 (PST)
From:      Don Lewis <truckman@freebsd.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        gnome@freebsd.org
Subject:   firefox-1.5.0.1,1 uses stack garbage for directory name [patch]
Message-ID:  <200602061557.k16FvHNC052734@mousie.catspoiler.org>

>Submitter-Id:	current-users
>Originator:	Don Lewis
>Organization:	totally disorganized
>Confidential:	no 
>Synopsis:	firefox-1.5.0.1,1 uses stack garbage for directory name [patch]
>Severity:	serious
>Priority:	medium
>Category:	ports
>Class:		sw-bug
>Release:	FreeBSD 4.11-STABLE i386
>Environment:
System: FreeBSD mousie.catspoiler.org 4.11-STABLE FreeBSD 4.11-STABLE #27: Sat Feb 4 05:21:17 PST 2006 dl@mousie.catspoiler.org:/usr/obj/usr/src/sys/GENERICDDB i386

	FreeBSD 4-STABLE, i386
>Description:
	Firefox-1.5.0.1,1 stores a directory name in a character array
	on the stack.  It saves a pointer to that character array and
	uses it to access the array contents after the array has gone
	out of scope.  The old contents seem to get trashed on 4-STABLE,
	causing firefox to create a subdirectory under ~/.mozilla with
	a name generated from stack garbage.

	This problem does not seem to occur on 7-STABLE.

>How-To-Repeat:
	Build and run firefox-1.5 on a 4-STABLE, i386 machine.
>Fix:

--- toolkit/xre/nsXREDirProvider.cpp.orig	Tue Oct  4 11:46:26 2005
+++ toolkit/xre/nsXREDirProvider.cpp	Sun Feb  5 23:54:31 2006
@@ -820,6 +820,7 @@
  
   char* appNameFolder = nsnull;
   char profileFolderName[MAXPATHLEN] = ".";
+  char temp[MAXPATHLEN];
  
   // Offset 1 for the outermost folder to make it hidden (i.e. using the ".")
   char* writing = profileFolderName + 1;
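Review bot: the hoisted `char temp[MAXPATHLEN];` beside `profileFolderName` has no comment saying that it must stay alive for as long as `appNameFolder` may point into it, and the name `temp` reads like a scratch buffer that a later cleanup could move back into a narrower block. Consider a more descriptive name (for example a hypothetical `appNameFolderBuf`) or a one-line comment stating that `appNameFolder` aliases this array after the block that fills it.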
@@ -829,7 +830,6 @@
     rv = localDir->AppendNative(nsDependentCString(profileFolderName));
     NS_ENSURE_SUCCESS(rv, rv);
  
-    char temp[MAXPATHLEN];
     GetProfileFolderName(temp, gAppData->name);
     appNameFolder = temp;
   }
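Review bot: in `GetProfileFolderName(temp, gAppData->name);` the destination is a fixed `MAXPATHLEN` array and the call passes no length, so the bound on that write is not visible in this hunk. It is worth confirming that GetProfileFolderName limits its output to MAXPATHLEN bytes including the terminator, or extending it to take the buffer size. Separately, `appNameFolder = temp;` still stores the address of a stack array; with the declaration hoisted that is valid inside this function, but only as long as `appNameFolder` is never returned or stored anywhere that outlives the call.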



