Bug 1018829 - Use-after-free at CSP Parser
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Core :: DOM: Security, defect
Tracking: RESOLVED FIXED, target milestone mozilla32

Release | Tracking | Status
---|---|---
firefox31 | --- | unaffected
firefox32 | + | fixed
firefox-esr24 | --- | unaffected
People: Reporter m_kato, Assignee m_kato
Keywords: csectype-uaf, regression, sec-critical
Attachments (1 file): patch, 3.01 KB, review+ from geekboy
Description (reporter):

This code is use-after-free:

    const char16_t *formatParams[] = { NS_ConvertUTF8toUTF16(newUriSpec).get() };
    ...
    // use formatParams

This code means:

    const char16_t *formatParams[1];
    {
      NS_ConvertUTF8toUTF16 unicodeSpec(newUriSpec);
      formatParams[0] = unicodeSpec.get();
    }
    ...
    // use formatParams

So formatParams[0] becomes use-after-free.
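The temporary-lifetime problem described above, as an added example that is not code from the bug, the patch, or Gecko. The ConvertUTF8toUTF16 class below is an assumed stand-in for NS_ConvertUTF8toUTF16 (an owning converter whose get() pointer is only valid while the object is alive), and formatParamLength stands in for the formatting call that consumes formatParams; the input URI is constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for NS_ConvertUTF8toUTF16 (an assumption for this example, not the
// Gecko class): a converter object that owns the converted buffer and frees it
// in its destructor. get() therefore only returns a valid pointer while the
// converter object itself is alive. ASCII bytes only, which is enough to show
// the lifetime problem.
class ConvertUTF8toUTF16 {
public:
    explicit ConvertUTF8toUTF16(const std::string& utf8)
        : mLen(utf8.size()), mBuf(new char16_t[mLen + 1]) {
        for (size_t i = 0; i < mLen; ++i) {
            mBuf[i] = static_cast<char16_t>(static_cast<unsigned char>(utf8[i]));
        }
        mBuf[mLen] = 0;
    }
    ~ConvertUTF8toUTF16() { delete[] mBuf; }
    ConvertUTF8toUTF16(const ConvertUTF8toUTF16&) = delete;
    ConvertUTF8toUTF16& operator=(const ConvertUTF8toUTF16&) = delete;
    const char16_t* get() const { return mBuf; }
private:
    size_t mLen;
    char16_t* mBuf;
};

// Stand-in for the string-formatting call that receives formatParams. It walks
// the whole NUL-terminated string, so a dangling pointer is really dereferenced.
static size_t formatParamLength(const char16_t* const* params) {
    size_t n = 0;
    while (params[0][n] != 0) ++n;
    return n;
}

// The pattern from the bug: the converter is a temporary, destroyed at the end
// of the full-expression that initialises formatParams, so formatParams[0]
// points into freed memory before it is ever used. Not called below; build with
// -fsanitize=address and call it to see a heap-use-after-free report.
size_t formatParamLengthDangling(const std::string& newUriSpec) {
    const char16_t* formatParams[] = { ConvertUTF8toUTF16(newUriSpec).get() };
    return formatParamLength(formatParams);  // use-after-free
}

// Fixed form: the converter is a named local in the enclosing scope, so it
// outlives every use of the pointer taken from it.
size_t formatParamLengthFixed(const std::string& newUriSpec) {
    ConvertUTF8toUTF16 unicodeSpec(newUriSpec);
    const char16_t* formatParams[] = { unicodeSpec.get() };
    return formatParamLength(formatParams);
}

int main() {
    // Constructed sample input.
    const std::string spec = "https://example.org/csp-test";
    std::printf("fixed: %zu UTF-16 units\n", formatParamLengthFixed(spec));
    return 0;
}
```

A plain build of the dangling version compiles without complaint, because the compiler has no way to know that get() returns a pointer into storage owned by the temporary; AddressSanitizer catches the read at run time. The rule the fix follows is the general one: never store the result of a member accessor on a temporary beyond the full-expression that created it.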
Updated 10 years ago (Assignee)
Assignee: nobody → m_kato

Updated 10 years ago (Assignee)
Attachment #8432348 - Flags: review?(sstamm)
Comment 1, 10 years ago

The code in question landed for FF32 in bug 951457.

Blocks: 951457
status-firefox31: --- → unaffected
status-firefox32: --- → affected
tracking-firefox32: --- → +
Keywords: csectype-uaf, sec-critical
Comment 2, 10 years ago

Comment on attachment 8432348 [details] [diff] [review]
Fix

Review of attachment 8432348 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me. We had similar bugs in nsCSPContext.cpp, but fixed those before landing. Must've missed these... Luckily nsCSPParser.cpp is not active code unless you set a pref (it's not enabled yet).

Attachment #8432348 - Flags: review?(sstamm) → review+
Comment 3, 10 years ago

Looked at all the CSP code we landed. cspUtils and cspContext are fine. The proposed patch (dis)covers all the problems where that problem occurs.
Comment 4, 10 years ago (Assignee)

Landed in m-i: https://hg.mozilla.org/integration/mozilla-inbound/rev/04dd691d5f59
Comment 5, 10 years ago

https://hg.mozilla.org/mozilla-central/rev/04dd691d5f59

Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated 10 years ago
status-firefox-esr24: --- → unaffected
Comment 6, 10 years ago

Marking qe-verify- due to lack of test case or STR. Please feel free to provide if you'd like this bug to be verified. Thank you.

QA Whiteboard: qe-verify-

Updated 10 years ago
QA Whiteboard: qe-verify-
Flags: qe-verify-
Updated 10 years ago
Group: core-security
Keywords: regression