firefox-1.5.0.1,1 uses stack garbage for directory name [patch]

Don Lewis truckman at freebsd.org
Mon Feb 6 07:57:21 PST 2006


>Submitter-Id:	current-users
>Originator:	Don Lewis
>Organization:	totally disorganized
>Confidential:	no 
>Synopsis:	firefox-1.5.0.1,1 uses stack garbage for directory name [patch]
>Severity:	serious
>Priority:	medium
>Category:	ports
>Class:		sw-bug
>Release:	FreeBSD 4.11-STABLE i386
>Environment:
System: FreeBSD mousie.catspoiler.org 4.11-STABLE FreeBSD 4.11-STABLE #27: Sat Feb 4 05:21:17 PST 2006 dl at mousie.catspoiler.org:/usr/obj/usr/src/sys/GENERICDDB i386

	FreeBSD 4-STABLE, i386
>Description:
	Firefox-1.5.0.1,1 stores a directory name in a character array
	on the stack.  It saves a pointer to that character array and
	uses it to access the array contents after the array has gone
	out of scope.  The old contents seem to get trashed on 4-STABLE,
	causing firefox to create a subdirectory under ~/.mozilla with
	a name generated from stack garbage.

	This problem does not seem to occur on 7-STABLE.
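The lifetime bug described above, as an added C example that is not Firefox's code: a constructed stand-in for GetProfileFolderName(), the pre-patch shape in which the pointer outlives the block-scoped array, and the post-patch shape in which the buffer is hoisted to function scope and the path is assembled while it is still live.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/param.h>          /* MAXPATHLEN on BSD and glibc */
#ifndef MAXPATHLEN
#define MAXPATHLEN 1024
#endif

/* Constructed stand-in for Firefox's GetProfileFolderName(): writes a
 * lower-cased app name into the caller-supplied buffer. */
static void get_profile_folder_name(char *out, const char *app_name)
{
    size_t i;
    for (i = 0; app_name[i] != '\0' && i < MAXPATHLEN - 1; i++)
        out[i] = (char)tolower((unsigned char)app_name[i]);
    out[i] = '\0';
}

/* Pre-patch shape: temp dies at the if-block's closing brace, but
 * app_name_folder still points into it; reads through it see stack garbage. */
static const char *app_folder_buggy(const char *app_name, int want_app)
{
    char *app_name_folder = NULL;
    if (want_app) {
        char temp[MAXPATHLEN];
        get_profile_folder_name(temp, app_name);
        app_name_folder = temp;
    }
    return app_name_folder;     /* dangling when want_app != 0 */
}

/* Post-patch shape: temp is hoisted to function scope, so it is still live
 * when the path is assembled after the block. Returns snprintf's count. */
static int profile_path_fixed(char *out, size_t outlen,
                              const char *app_name, int want_app)
{
    char profile_folder_name[MAXPATHLEN] = ".";
    char temp[MAXPATHLEN];
    char *app_name_folder = NULL;
    char *writing = profile_folder_name + 1;   /* keep the leading '.' */
    strcpy(writing, "mozilla");
    if (want_app) {
        get_profile_folder_name(temp, app_name);
        app_name_folder = temp;
    }
    if (app_name_folder)
        return snprintf(out, outlen, "%s/%s", profile_folder_name, app_name_folder);
    return snprintf(out, outlen, "%s", profile_folder_name);
}
```

app_folder_buggy() is kept only to show the shape the patch removes; its return value must not be dereferenced.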

>How-To-Repeat:
	Build and run firefox-1.5 on a 4-STABLE, i386 machine.
>Fix:

--- toolkit/xre/nsXREDirProvider.cpp.orig	Tue Oct  4 11:46:26 2005
+++ toolkit/xre/nsXREDirProvider.cpp	Sun Feb  5 23:54:31 2006
@@ -820,6 +820,7 @@
  
   char* appNameFolder = nsnull;
   char profileFolderName[MAXPATHLEN] = ".";
+  char temp[MAXPATHLEN];
  
   // Offset 1 for the outermost folder to make it hidden (i.e. using the ".")
   char* writing = profileFolderName + 1;
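Review bot: the hoisted `char temp[MAXPATHLEN];` is left uninitialized next to a `profileFolderName` that is initialized to `"."`; that is correct as long as `appNameFolder` only ever aliases `temp` in the branch that fills it, but a short comment at the declaration saying that `temp` lives here solely so it outlives the block below (or an explicit `temp[0] = '\0';`) would stop a later cleanup from moving it back into the block and reintroducing the bug.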
@@ -829,7 +830,6 @@
     rv = localDir->AppendNative(nsDependentCString(profileFolderName));
     NS_ENSURE_SUCCESS(rv, rv);
  
-    char temp[MAXPATHLEN];
     GetProfileFolderName(temp, gAppData->name);
     appNameFolder = temp;
   }
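Review bot: `appNameFolder = temp;` now points at function-scoped storage, so the pointer is valid only until this function returns; if `appNameFolder` is ever stored or passed out beyond that, the same dangling-pointer problem comes back one level up. A comment at the assignment noting that the pointer must not escape the function would make that contract visible.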


