Closed Bug 706249 Opened 13 years ago Closed 13 years ago

"ASSERTION: We've overflowed the mSpec buffer" in nsStandardURL::BuildNormalizedSpec

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla11
Tracking Flags:
Tracking Status
firefox8 - wontfix
firefox9 - verified
firefox10 + verified
firefox11 + verified
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: jesup)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa!])

Attachments

(3 files)

testcase
24 bytes, text/html
Details
stack trace
2.53 KB, text/plain
Details
Patch with tests
4.84 KB, patch
bzbarsky
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file testcase 
###!!! ASSERTION: We've overflowed the mSpec buffer!: 'mSpec.Length() <= approxLen', file netwerk/base/src/nsStandardURL.cpp, line 697

The last major change to this function was in bug 125608.
Attached file stack trace 

    
    

    
  
Caused by the null password entry.  Could fix by omitting it if empty, but that would be a change in behavior and it's not clear if that would even be correct (i.e. a null password is a password), so enforce adding one byte for a password (for the ':') even if the field is empty.  Patch follows.
Assignee: nobody → rjesup
OS: Mac OS X → All
Hardware: x86_64 → All

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch with testsSplinter Review
      

    


  
Tested; asserts without code fix, no assert with it

        Attachment #577837 -
        Flags: review?(bzbarsky)

    
    

    
  
Worst-case analysis of this bug is it writes a '\0' to the byte following the allocation in some (not all) cases where the password is given but empty.

    
  
Whiteboard: [sg:critical]
blocking1.9.2: --- → ?

          status-firefox10:
          --- → affected

          status-firefox11:
          --- → affected

          status-firefox8:
          --- → wontfix

          status-firefox9:
          --- → wontfix

          tracking-firefox10:
          --- → +

          tracking-firefox11:
          --- → +

          tracking-firefox8:
          --- → -

          tracking-firefox9:
          --- → -

    
    

    
  
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

r=me

        Attachment #577837 -
        Flags: review?(bzbarsky) → review+
blocking1.9.2: ? → .25+

    
    

    
  
inbound via https://hg.mozilla.org/integration/mozilla-inbound/rev/8304db7e46bb

The original bug never existed in 1.9.x -> unaffected

Once it's green and merged to m-c I'll ask for approvals for Aurora and Beta
blocking1.9.2: .25+ → ---

          status1.9.2:
          wantedunaffected
Whiteboard: [sg:critical] → [sg:critical][inbound]

    
    

    
  
Merged to m-c
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical][inbound] → [sg:critical]

    
    

    
  
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

Now in m-c; we should get it into aurora and beta soon

        Attachment #577837 -
        Flags: approval-mozilla-beta?

        Attachment #577837 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

[Triage Comment]
Please land this sg:crit bug on aurora/beta asap so that we can bake this on beta for ~2 weeks.

        Attachment #577837 -
        Flags: approval-mozilla-beta?

        Attachment #577837 -
        Flags: approval-mozilla-beta+

        Attachment #577837 -
        Flags: approval-mozilla-aurora?

        Attachment #577837 -
        Flags: approval-mozilla-aurora+

    
    

    
  
Aurora: https://hg.mozilla.org/releases/mozilla-aurora/rev/12c96ed8154d
Beta: https://hg.mozilla.org/releases/mozilla-beta/rev/9f3a16bf8afc

Tracking for FF9 was confused - it is affected, and it was also approved for beta, so marking fixed.  Didn't touch tracking (JST?)

          status-firefox10:
          affectedfixed

          status-firefox11:
          affectedfixed

          status-firefox9:
          wontfixfixed

    
  
Whiteboard: [sg:critical] → [sg:critical][qa+]

    
    

    
  
Verified fixed with the following tinderbox debug builds:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111214 Firefox/11.0a1

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111214 Firefox/10.0a2

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111212 Firefox/9.0

Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111208 Firefox/9.0

I was not able to check on Windows because all the tinderbox debug builds seem to be broken and I can't start those.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
Keywords: verified-aurora, 
          
            verified-beta
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Target Milestone: --- → mozilla11

          status-firefox10:
          fixedverified

          status-firefox11:
          fixedverified

          status-firefox9:
          fixedverified
Keywords: verified-aurora, 
          
            verified-beta
Whiteboard: [sg:critical][qa!] → [sg:critical][qa-]
Whiteboard: [sg:critical][qa-] → [sg:critical][qa!]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: