mozblame suggests that ftang and dougt are the hackers here.

http://lxr.mozilla.org/seamonkey/source/xpcom/io/nsLocalFileWin.cpp#702
This code is unsafe. It fails to check for a null return value
then increments that return value and uses it. I suspect that the
code does not take into account some valid path form.

Please file a bug against xpcom and (at least) cc dougt and
ftang.

Thanks,

John.

Jerry Baker wrote:
> 
> strchr() line 77
> _mbschr(const unsigned char * 0x00000001, unsigned int 92) line 52 + 13 bytes
> nsLocalFile::Create(nsLocalFile * const 0x028f2438, unsigned int 1, unsigned int 509) line 705 + 12 bytes
> ProfileStruct::EnsureDirPathExists(nsILocalFile * 0x028f2438, int * 0x0012ee38) line 1638 + 19 bytes
> ProfileStruct::InternalizeLocation(nsIRegistry * 0x0289c7f8, unsigned int 37027, int 1, int 0) line 1567 + 27 bytes
> nsProfileAccess::Get4xProfileInfo(const char * 0x0012f844) line 1099 + 31 bytes
> nsProfile::MigrateProfileInfo(nsProfile * const 0x028aca28) line 1643 + 18 bytes
> nsProfile::ProcessArgs(nsICmdLineService * 0x028b0d20, int * 0x0012fc0c, nsCString & {...}) line 723 + 18 bytes
> nsProfile::StartupWithArgs(nsProfile * const 0x028aca28, nsICmdLineService * 0x028b0d20) line 359 + 20 bytes
> InitializeProfileService(nsICmdLineService * 0x028b0d20) line 781 + 36 bytes
> main1(int 1, char * * 0x004a7ba0, nsISupports * 0x00000000) line 943 + 14 bytes
> main(int 1, char * * 0x004a7ba0) line 1272 + 37 bytes
> mainCRTStartup() line 338 + 17 bytes
> KERNEL32! 77e992a6()
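
The pattern described in the message above (a search result incremented and reused without a NULL check), as a standalone C sketch added here; it is not the code from nsLocalFileWin.cpp. `strchr` stands in for `_mbschr`, and the function names, buffer size and sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe shape, for comparison only (never called here): the first
   search result is incremented without a NULL check, so a path with
   no '\\' makes the second search start at address 1. */
int count_parents_unsafe(const char *path)
{
    int n = 0;
    const char *slash = strchr(path, '\\');
    ++slash;                                  /* NULL + 1 if no '\\' */
    for (slash = strchr(slash, '\\'); slash; slash = strchr(slash + 1, '\\'))
        ++n;
    return n;
}

static char last_seen[260];                   /* last prefix visited */
void record(const char *p) { snprintf(last_seen, sizeof last_seen, "%s", p); }

/* Checked form: visits each parent prefix of a Windows-style path
   ("C:\a", then "C:\a\b", for "C:\a\b\c"). Returns the number of
   prefixes visited, or -1 when path is NULL or contains no '\\'. */
int walk_parents(char *path, void (*visit)(const char *))
{
    char *slash;
    int n = 0;
    if (!path || !(slash = strchr(path, '\\')))
        return -1;                            /* reject instead of crashing */
    /* skip the first separator, then cut the string at each later one */
    for (slash = strchr(slash + 1, '\\'); slash; slash = strchr(slash + 1, '\\')) {
        *slash = '\0';
        if (visit) visit(path);
        *slash = '\\';
        ++n;
    }
    return n;
}

int main(void)
{
    char ok[] = "C:\\a\\b\\c";                /* constructed sample paths */
    char bad[] = "profile";
    printf("%d %d\n", walk_parents(ok, record), walk_parents(bad, record));
    return 0;
}
```

The `-1` return gives the caller a failure to report for a path form the walk does not understand, where the unchecked version faults inside the string search.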
