Component/s: Crashes
Affects Version/s: 1.19.1 Release Candidate
Fix Version/s: None

There are two stack corruption errors in the function "LLMIMETypes::parseMIMETypes" due to improper pointer casting. Both of them were detected automatically by the "Basic Runtime Checks" compiler option of Visual C++ 7.1.
It is wrong to cast a pointer to the C++ type 'bool' to a pointer to the 'BOOL' type (which is just an integer) and perform a read/write access. The C++ 'bool' type is usually just one byte in size, while the 'BOOL' type usually needs 4 bytes. The called function will therefore write its result into a 'BOOL' (actually an integer of 4 bytes), while the storage that was allocated by the compiler is, though, only 1 byte in size. Thus, the stack gets corrupted near the 'LLMIMEWidgetSet info' variable.
I admit that I do not have an answer why this does not crash in the official RC build yet. It depends, of course, on stack layout, compiler alignment options, etc. whether this stack corruption occurs eventually. But please be aware that even if that bug does not yet cause any crash in the officially released RC, it is nevertheless a time bomb which will sooner or later lead to a crash even in your builds.
Regards :-)
The fix for this issue could be applied as shown below:
bool LLMIMETypes::parseMIMETypes(const LLString& xml_filename)
{
    ...
    ...
    ...
        }
        else if (node->hasName("widgetset"))
        {
            ...
            ...
            ...
            if (child->hasName("allow_resize"))
            {
                // getBoolValue() stores a 4-byte BOOL through the pointer it is given,
                // so read into a BOOL temporary and convert; never pass the address
                // of the 1-byte bool member cast to BOOL*.
                BOOL bValue;
                child->getBoolValue( 1, &bValue );
                info.mAllowResize = (bool)bValue;
            }
            if (child->hasName("allow_looping"))
            {
                // Same pattern for the second flag.
                BOOL bValue;
                child->getBoolValue( 1, &bValue );
                info.mAllowLooping = (bool)bValue;
            }
            ...
            ...
            ...
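The following is an added, self-contained illustration of the size mismatch the report describes; it is not code from the viewer. fakeGetBoolValue() is a hypothetical stand-in that only mimics the calling convention of getBoolValue() (it writes a full 4-byte BOOL through its pointer), WidgetSetInfo is a constructed struct with the two members named above plus a canary, and the "stack" in the first function is a plain byte buffer so that the overwrite can be shown without undefined behaviour. The second function applies the corrected pattern (BOOL temporary, explicit conversion) behind a helper whose bool* overload is deleted, so the cast cannot be reintroduced by accident.

```cpp
#include <cstdio>
#include <cstring>

// Stand-in for the viewer's Win32-style BOOL typedef: a 4-byte integer.
typedef int BOOL;

// Hypothetical stand-in for LLXMLNode::getBoolValue(expected_length, BOOL*):
// it stores a full 4-byte BOOL through the pointer it is given. Only the
// calling convention is taken from the bug report; the body is constructed.
static unsigned fakeGetBoolValue(unsigned expected_length, BOOL* out)
{
    *out = 1;                 // TRUE
    return expected_length;
}

// Compile-time guard: handing the function a bool* is now an error instead of
// a silent 4-byte store into 1 byte of storage.
static unsigned fakeGetBoolValue(unsigned, bool*) = delete;

// 1. The defect, modelled safely. The byte array plays the role of the stack
//    around 'LLMIMEWidgetSet info': byte 0 is the 1-byte bool the compiler
//    allocated, bytes 1..3 belong to neighbouring locals (constructed canary
//    value 0xAA). Casting &boolVar to BOOL* and letting getBoolValue() store
//    through it amounts to the memcpy below; this copy is well-defined here
//    because the destination is plain bytes. Returns how many neighbouring
//    bytes were overwritten.
static int neighbourBytesClobberedByCast()
{
    unsigned char frame[4] = { 0x00, 0xAA, 0xAA, 0xAA };
    BOOL bValue;
    fakeGetBoolValue(1, &bValue);
    std::memcpy(frame, &bValue, sizeof(BOOL));   // 4 bytes into a 1-byte slot
    int clobbered = 0;
    for (int i = 1; i < 4; ++i) {
        if (frame[i] != 0xAA) ++clobbered;
    }
    return clobbered;   // 3: the bytes of TRUE (1) never equal 0xAA on any byte order
}

// 2. The corrected pattern from the report, wrapped so that the bool member is
//    never exposed as a BOOL*: read into a BOOL temporary, convert explicitly.
static void readBoolInto(bool& dst)
{
    BOOL bValue = 0;
    fakeGetBoolValue(1, &bValue);
    dst = (bValue != 0);
}

// Mirrors the two members named in the report plus a constructed canary that
// stands in for whatever the compiler places next to them.
struct WidgetSetInfo
{
    bool mAllowResize;
    bool mAllowLooping;
    unsigned char canary[2];
};

static WidgetSetInfo parseWidgetSetSafely()
{
    WidgetSetInfo info = { false, false, { 0xAA, 0xAA } };
    readBoolInto(info.mAllowResize);     // no cast, no BOOL* aimed at a bool
    readBoolInto(info.mAllowLooping);
    return info;
}

static bool canaryIntact(const WidgetSetInfo& info)
{
    return info.canary[0] == 0xAA && info.canary[1] == 0xAA;
}

int main()
{
    std::printf("sizeof(bool)=%u sizeof(BOOL)=%u\n",
                (unsigned)sizeof(bool), (unsigned)sizeof(BOOL));
    std::printf("neighbour bytes clobbered by the cast: %d\n",
                neighbourBytesClobberedByCast());
    WidgetSetInfo info = parseWidgetSetSafely();
    std::printf("safe parse: resize=%d looping=%d canary intact=%d\n",
                (int)info.mAllowResize, (int)info.mAllowLooping,
                (int)canaryIntact(info));
    return 0;
}
```

The deleted bool* overload only catches callers that pass a bool* directly; an explicit (BOOL*) cast still compiles, which is why the runtime check that found the original bug (or a canary next to the member, as here) remains worth having in debug builds.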