Closed
Bug 709483
Opened 13 years ago
Closed 13 years ago
Off-by-one in dom/base/nsDOMClassInfo.cpp
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla11
People
(Reporter: decoder, Assigned: decoder)
References
Details
(Whiteboard: [asan])
Attachments
(1 file, 3 obsolete files)
|
1.07 KB,
patch
|
decoder
:
review+
|
Details | Diff | Splinter Review |
I've been experimenting with address sanitizer and it triggered a startup crash in dom/base/nsDOMClassInfo.cpp, related to the "interface compacting" in the macro DOM_CLASS_MAPINFO_END.
The code looks as follows (fprintf added by me because gdb was being unfriendly):
/* Compact the interface list */
size_t count = ArrayLength(interface_list);
fprintf(stderr, "Initial count is: %lu\n", count);
/* count is the number of array entries, which is one greater than the */
/* number of interfaces due to the terminating null */
for (size_t i = 0; i < count - 1; ++i) {
fprintf(stderr, "Current count is: %lu %lu\n", count, i);
if (!interface_list[i]) {
fprintf(stderr, "Performing memmove\n");
memmove(&interface_list[i], &interface_list[i+1],
sizeof(nsIID*) * (count - i));
/* Make sure to examine the new pointer we ended up with at this */
/* slot, since it may be null too */
--i;
--count;
}
}
With this code I get:
Initial count is: 8
Current count is: 8 0
Current count is: 8 1
Current count is: 8 2
Current count is: 8 3
Current count is: 8 4
Current count is: 8 5
Current count is: 8 6
Performing memmove
==5011== ERROR: AddressSanitizer global-buffer-overflow on address 0x7ff38a77d8c7 at pc 0x7ff385dc5000 bp 0x7fff9b0d8e50 sp 0x7fff9b0d8e48
READ of size 1 at 0x7ff38a77d8c7 thread T0
As far as I can see, with count=8 and i=6, the memmove will move 2 entries (interface_list[i+1] and interface_list[i+2]) where the second is off-by-one. I fixed this by using sizeof(nsIID*) * (count - i - 1) instead.
Can somebody with more knowledge of this code area confirm and fix this?
|
||
Comment 2•13 years ago
|
||
Comment on attachment 581126 [details] [diff] [review] Patch Yeah, good catch. And really sorry for the lag here! I'd prefer we write that as |count - (i + 1)| with a comment about how the number of entries we have examined so far is i+1. r=me with that.
Attachment #581126 -
Flags: review?(bzbarsky) → review+
|
Assignee | |
Comment 3•13 years ago
|
||
Updated patch according to comments, carrying r+ from last review.
Attachment #581126 -
Attachment is obsolete: true
Attachment #581589 -
Flags: review+
|
|
Assignee | |
Comment 4•13 years ago
|
||
This time it's really the updated patch ;) r+ from previous review.
Attachment #581589 -
Attachment is obsolete: true
Attachment #581590 -
Flags: review+
|
|
Assignee | |
Updated•13 years ago
|
Keywords: checkin-needed
|
|
||
Comment 5•13 years ago
|
||
Comment on attachment 581590 [details] [diff] [review] Updated patch Actually, instead of "(i+1)-th element" it would be better to say "element at index i+1". That way there's no confusion about 1-based vs 0-based counting.... Note that my proposed wording explicitly avoided the basing issue by talking abotu the number of elements we have examined. I'd still prefer that wording.
|
|
Assignee | |
Comment 6•13 years ago
|
||
Updated once more for the comment, r+ from last patch :)
Attachment #581590 -
Attachment is obsolete: true
Attachment #581693 -
Flags: review+
|
||
Comment 7•13 years ago
|
||
'i+1' -> 'i + 1' 4 times, please.
|
|
||
Comment 8•13 years ago
|
||
For future reference, it would be really nice to have a User line and checkin comment in the diff! https://hg.mozilla.org/mozilla-central/rev/a3f62505cd16
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite?
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•