Starred by 5 users
Status: Assigned
Pri: 3
Type: Bug



UNINITIALIZED READ in talk_base::IsDefaultBrowserFirefox running libjingle_unittests
Project Member Reported by zhaoqin@google.com, Apr 6 2014
What steps will reproduce the problem?
1. ~/Workspace/DrMemory/builds/build_x86_drm_dbg.git/bin/drmemory.exe -pause_at_error -no_count_leaks -debug -callstack_max_frames 40 -- ./libjingle_unittest.exe --gtest_filter=AutoDetectProxyTest.TestDetectUnresolvedProxy

[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from AutoDetectProxyTest
[ RUN      ] AutoDetectProxyTest.TestDetectUnresolvedProxy
[000:003] GetProxySettingsForUrl(https://relay.google.com/) - start
~~1750652~~
~~1750652~~ Error #1: UNINITIALIZED READ: reading register eax
~~1750652~~ # 0 _towlower_l                                              [f:\dd\vctools\crt\crtw32\convert\towlower.c:40]
~~1750652~~ # 1 towlower                                                 [f:\dd\vctools\crt\crtw32\convert\towlower.c:96]
~~1750652~~ # 2 tolowercase                                              [d:\src\webrtc\trunk\talk\base\stringutils.h:122]
~~1750652~~ # 3 talk_base::IsDefaultBrowserFirefox                       [d:\src\webrtc\trunk\talk\base\proxydetect.cc:657]
~~1750652~~ # 4 talk_base::GetProxySettingsForUrl                        [d:\src\webrtc\trunk\talk\base\proxydetect.cc:1236]
~~1750652~~ # 5 talk_base::AutoDetectProxy::GetProxyForUrl               [d:\src\webrtc\trunk\talk\base\autodetectproxy.h:72]
~~1750652~~ # 6 talk_base::AutoDetectProxy::DoWork                       [d:\src\webrtc\trunk\talk\base\autodetectproxy.cc:62]
~~1750652~~ # 7 talk_base::SignalThread::Run                             [d:\src\webrtc\trunk\talk\base\signalthread.cc:152]
~~1750652~~ # 8 talk_base::SignalThread::Worker::Run                     [d:\src\webrtc\trunk\talk\base\signalthread.h:127]
~~1750652~~ # 9 talk_base::Thread::PreRun                                [d:\src\webrtc\trunk\talk\base\thread.cc:358]
~~1750652~~ #10 KERNEL32.dll!BaseThreadInitThunk


What version of the product are you using? On what operating system?
ToT code

Please provide any additional information below.
In the code:
bool IsDefaultBrowserFirefox() {
  ...
  wchar_t* value = NULL;
  DWORD size, type;
  result = RegQueryValueEx(key, L"", 0, &type, NULL, &size);
  if (REG_SZ != type) {
    result = ERROR_ACCESS_DENIED;  // Any error is fine
  } else if (ERROR_SUCCESS == result) {
    value = new wchar_t[size+1];
    BYTE* buffer = reinterpret_cast<BYTE*>(value);
    result = RegQueryValueEx(key, L"", 0, &type, buffer, &size);
  }
  RegCloseKey(key);

  bool success = false;
  if (ERROR_SUCCESS == result) {
    value[size] = L'\0';
    for (size_t i = 0; i < size; ++i) {
      value[i] = tolowercase(value[i]);
    }
    success = (NULL != strstr(value, L"firefox.exe"));
  }

The uninitialized read happens when accessing value[i] in the call to tolowercase.

In windbg:
0:001> dv
              i = 0x38
         result = 0
           size = 0x70
        success = false
            key = 0x00000136
           type = 1
          value = 0x03071528 ""d:\src\chrome\src\out\debug\browser_tests.exe" -- "%1""

size is the value returned from
  result = RegQueryValueEx(key, L"", 0, &type, buffer, &size);
and 0x70 is the number of bytes written to buffer.

Because value is a wchar_t array, each element has two bytes. The loop
  for (size_t i = 0; i < size; ++i)
iterates over the value array, which has 0x70 elements but with only 0x38 (0x70/2) elements initialized. Any read beyond value[0x37] reads an uninitialized value.
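
The byte-count versus element-count distinction from the report above, as an added example (not code from libjingle and not the project's fix). Assumptions: `wch`, `normalize_reg_sz` and `demo` are hypothetical names, `wch` models the 2-byte Windows wchar_t, the registry call is replaced by a constructed buffer so the block runs off Windows, and lowercasing is ASCII-only rather than towlower.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint16_t wch;  /* assumption: models the 2-byte Windows wchar_t */

/* Lowercase the ASCII letters of a REG_SZ value in place.
 * size_bytes is what RegQueryValueEx reports in its last argument: a BYTE
 * count, not an element count. cap_elems is the allocated array length.
 * Returns the string length in elements, or (size_t)-1 if it cannot fit. */
size_t normalize_reg_sz(wch *value, size_t cap_elems, size_t size_bytes)
{
    size_t n = size_bytes / sizeof(wch);   /* initialized elements only */
    if (n >= cap_elems)
        return (size_t)-1;                 /* no room for our terminator */
    value[n] = 0;   /* stored data is not guaranteed to be NUL-terminated */
    size_t len = 0;
    while (value[len] != 0) {              /* stops at or before index n */
        if (value[len] >= 'A' && value[len] <= 'Z')
            value[len] += 'a' - 'A';
        ++len;
    }
    return len;
}

/* Constructed sample: the 0x70-byte value from the windbg output above,
 * placed in a buffer whose remaining elements hold the sentinel 'Z' to
 * stand in for uninitialized heap memory. */
size_t demo(wch *buf, size_t cap_elems)
{
    static const char cmd[] =
        "\"d:\\src\\chrome\\src\\out\\debug\\browser_tests.exe\" -- \"%1\"";
    size_t written = sizeof(cmd);          /* 0x38 elements incl. NUL */
    for (size_t i = 0; i < cap_elems; ++i)
        buf[i] = (i < written) ? (wch)cmd[i] : (wch)'Z';
    return normalize_reg_sz(buf, cap_elems, written * sizeof(wch));
}
```

A loop bounded by the byte count would rewrite the 'Z' sentinels past index 0x38 to 'z'; bounded by the element count, they are left untouched.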
 
Comment 2 by hellner@google.com, Apr 7 2014
Owner: juberti@webrtc.org
The code was added in the internal repo in cl 3513584, 8 years ago. Sending this to Justin for triage.
Project Member Comment 3 by juberti@webrtc.org, Dec 16 2014
Labels: Area-Network
Project Member Comment 4 by pthatcher@webrtc.org, Jan 6 2015
Labels: EngTriaged
Owner: decurtis@webrtc.org
Status: Assigned
Project Member Comment 5 by pthatcher@webrtc.org, Nov 8 2016
Labels: Pri-3