Closed Bug 1018829 Opened 10 years ago Closed 10 years ago

Use-after-free at CSP Parser

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla32
Tracking Flags:
Tracking Status
firefox31 --- unaffected
firefox32 + fixed
firefox-esr24 --- unaffected

People

(Reporter: m_kato, Assigned: m_kato)

References

Details

(Keywords: csectype-uaf, regression, sec-critical)

Attachments

(1 file)

Fix
3.01 KB, patch
geekboy
: review+
Details | Diff | Splinter Review
Attached patch FixSplinter Review 
This code is use-after-free.

const char16_t *formatParams[] = { NS_ConvertUTF8toUTF16(newUriSpec).get() };
...
// use formatParams

This code means,

const char16_t *formatParams[1];
{
  NS_ConvertUTF8toUTF16 unicodeSpec(newUrlSpec);
  formatParams[0] = unicodeSpec.get();
}
...
// use formatParams

So formatParams[0] becomes use-after-free.
Assignee: nobody → m_kato
Attachment #8432348 - Flags: review?(sstamm)
The code in question landed for FF32 in bug 951457.
Blocks: 951457
status-firefox31: --- → unaffected
status-firefox32: --- → affected
tracking-firefox32: --- → +
Keywords: csectype-uaf, sec-critical
Comment on attachment 8432348 [details] [diff] [review]
Fix

Review of attachment 8432348 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.  We had similar bugs in nsCSPContext.cpp, but fixed those before landing.  Must've missed these... luckily nsCSPParser.cpp is not active code unless you set a pref (it's not enabled yet).
Attachment #8432348 - Flags: review?(sstamm) → review+
Looked at all the CSP code we landed. cspUtils and cspContext are fine. The proposed patch (dis)covers all the problems where that problem occurs.
https://hg.mozilla.org/mozilla-central/rev/04dd691d5f59
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox32: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Marking qe-verify- due to lack of test case or STR. Please feel free to provide if you'd like this bug to be verified. Thank you.
QA Whiteboard: qe-verify-
QA Whiteboard: qe-verify-
Flags: qe-verify-
Group: core-security
Keywords: regression
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: