Closed
Bug 293992
Opened 20 years ago
Closed 20 years ago
printf passed user controlled buffer
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: timeless)
References
()
Details
(Keywords: crash)
Attachments
(4 obsolete files)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vclib/html/_crt_printf.2c_.wprintf.asp
Security Note: Ensure that format is not a user-defined string.
FAULTING_IP:
MSVCR71D!_output+5dd [r:\msvc71.net\vc7\crt\src\output.c @ 699]
002846bd 0fb711 movzx edx,word ptr [ecx]
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 002846bd (MSVCR71D!_output+0x000005dd)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000001
Attempt to read from address 00000001
FAULTING_THREAD: 0000aa74
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: mozilla.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00000001
BUGCHECK_STR: ACCESS_VIOLATION
THREAD_ATTRIBUTES:
LAST_CONTROL_TRANSFER: from 002b8a45 to 002846bd
STACK_TEXT:
029ded80 002b8a45 002ec858 06c198e7 029dede8 MSVCR71D!_output+0x5dd
[r:\msvc71.net\vc7\crt\src\output.c @ 699]
029dedc4 00e98b61 06c11ca0 06c11ca0 029dedf4 MSVCR71D!printf+0x85
[r:\msvc71.net\vc7\crt\src\printf.c @ 63]
029dedd4 00ebcd33 06816778 00000001 00000001 xpc3250!xpc_DumpJSStack+0x31
[r:\mozilla\js\src\xpconnect\src\xpcdebug.cpp @ 299]
029dedf4 00ebce53 029dee08 00eed198 0681cb08
xpc3250!DEBUG_ReportWrapperThreadSafetyError+0xb3
[r:\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2988]
029def00 00e7f5d7 0681cb08 029def64 06816778
xpc3250!DEBUG_CheckWrapperThreadSafety+0xc3
[r:\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 3017]
029def18 00ec5c63 00000001 06816778 068040c8
xpc3250!XPCCallContext::XPCCallContext+0x2d7
[r:\mozilla\js\src\xpconnect\src\xpccallcontext.cpp @ 149]
029defe4 00d9c95d 06816778 068040c8 00000002 xpc3250!XPC_WN_CallMethod+0x73
[r:\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1302]
029df114 00dac07b 06816778 00000002 00000000 js3250!js_Invoke+0xcad
[r:\mozilla\js\src\jsinterp.c @ 1320]
input:
format
0x06c11ca0 "0 [native frame].1 ConnectionHandler_Run()
["file:///C:/Documents%20and%20Settings/qaUser/Desktop/b1352/all/components/hsProxy.js":903].
line = "". splitUp = GET http://www.google.com/search?hl=en&q=hello
HTTP/1.0,GET,http://www.google.com/search?hl=en&q=hello,HTTP/1.0. type =
"GET". origURL = "http://www.google.com/search?hl=en&q=hello". URL =
"/search?hl=en&q=hello". httpVersion = "HTTP/1.0". host =
"www.google.com". port = 80. str = undefined. pcs = undefined. err =
undefined. good = undefined. hostpart =
http://www.google.com/search?hl=en&q=hello,www.google.com,/search?hl=en&q=hello.
pm = null. proxyInfo = null. proxyService = [xpconnect wrapped
nsIProtocolProxyService @ 0x6790558]. ios = [xpconnect wrapped nsIIOService @
0x4edeee0]. uri = [xpconnect wrapped nsIURI @ 0x6bc6a70]. requestBody =
"". requestBodyLength = 0. lengthLine = undefined. rblmatch =
undefined. cxn = [xpconnect wrapped nsISocketTransport @ 0x6bd5a60].
Updated•20 years ago
Summary: printf passed user controlled buffer → printf passed user controlled buffer
Attachment #183497 -
Flags: superreview?(shaver)
Attachment #183497 -
Flags: review?(shaver)
Attachment #183497 -
Flags: approval1.8b2?
Comment 2•20 years ago
Comment on attachment 183497
don't pass arbitrary buffer as format string to printf...
There's no need to use printf here. puts, please.
Attachment #183497 -
Flags: superreview?(shaver)
Attachment #183497 -
Flags: superreview-
Attachment #183497 -
Flags: review?(shaver)
Attachment #183497 -
Flags: review-
Attachment #183497 -
Flags: approval1.8b2?
Attachment #183497 -
Attachment is obsolete: true
Attachment #183508 -
Flags: superreview?(shaver)
Attachment #183508 -
Flags: review?(shaver)
Attachment #183508 -
Flags: approval1.8b2?
Comment 4•20 years ago
Comment on attachment 183508
don't pass fixed buffers to printf
puts adds a newline, so that's probably not what we want to do for all of
these. Use fputs to stdout (with the horrible argument order; ah, C) for the
buffers from other sources that already contain newlines, and strip them from
the literals, I guess.
(Also: stop asking for approval until you get review.)
Attachment #183508 -
Flags: superreview?(shaver)
Attachment #183508 -
Flags: superreview-
Attachment #183508 -
Flags: review?(shaver)
Attachment #183508 -
Flags: review-
Attachment #183508 -
Flags: approval1.8b2?
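The change discussed in the review comments above, as an added C example (not the patch attached to this bug): text that may contain '%' is written with fputs, or with a constant "%s" format, instead of being handed to printf as the format. The sample buffer is constructed, and the names SAMPLE_DUMP, count_conversions, emit_dump and formats_verbatim are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the dump in the report: a file URL with
   percent-escapes ends up inside the text that gets printed. */
static const char SAMPLE_DUMP[] =
    "0 [native frame]\n"
    "1 Run() [\"file:///C:/Documents%20and%20Settings/x.js\":903]\n";

/* Rough count of the conversion specifications printf would act on if buf
   were its format: every '%' that is not part of "%%" and is followed by
   at least one character. Each one makes printf fetch an argument that
   the caller never passed. */
size_t count_conversions(const char *buf)
{
    size_t n = 0;
    for (const char *p = buf; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;                /* literal percent sign */
        else if (p[1] != '\0')
            n++;
    }
    return n;
}

/* Reported pattern (kept as a comment on purpose):  printf(buf);
   Fixed pattern: the buffer is data. fputs appends no newline, so a dump
   that already ends in '\n' comes out byte for byte. */
int emit_dump(const char *buf, FILE *out)
{
    return fputs(buf, out) == EOF ? -1 : 0;
}

/* Equivalent fix when printf-style output is wanted: a constant "%s"
   format. Returns 1 if the formatted text equals the input. */
int formats_verbatim(const char *buf)
{
    char out[256];
    int n = snprintf(out, sizeof out, "%s", buf);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, buf) == 0;
}

int main(void)
{
    printf("conversions in sample: %zu\n", count_conversions(SAMPLE_DUMP));
    return emit_dump(SAMPLE_DUMP, stdout);
}
```

Building with -Wformat -Wformat-security (GCC or Clang) flags a printf call whose format is not a string literal and has no arguments, which catches this pattern at compile time.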
Attachment #183509 -
Flags: review?(shaver)
Attachment #183508 -
Attachment is obsolete: true
Attachment #183510 -
Flags: review?(shaver)
Attachment #183509 -
Attachment description: don't pass fixed buffers to printf →
Attachment #183509 -
Attachment is obsolete: true
Attachment #183509 -
Attachment is patch: false
Attachment #183509 -
Flags: review?(shaver)
Comment 7•20 years ago
Comment on attachment 183510
don't pass fixed buffers to printf
r=shaver.
Attachment #183510 -
Flags: review?(shaver) → review+
Updated•20 years ago
Attachment #183510 -
Flags: superreview+
Attachment #183510 -
Flags: approval1.8b2?
Updated•20 years ago
Attachment #183510 -
Flags: approval1.8b2? → approval1.8b2+
Comment on attachment 183510
don't pass fixed buffers to printf
2005-05-23 14:00
mozilla/js/src/xpconnect/src/xpcdebug.cpp 1.14
Attachment #183510 -
Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED