Closed Bug 1018829 Opened 6 years ago Closed 6 years ago

Use-after-free at CSP Parser

Categories: Core :: DOM: Security, defect

Tracking

RESOLVED FIXED
mozilla32
Tracking Status
firefox31 --- unaffected
firefox32 + fixed
firefox-esr24 --- unaffected

People

(Reporter: m_kato, Assigned: m_kato)

Details

(Keywords: csectype-uaf, regression, sec-critical)

Attachments

(1 file)

Attached patch Fix
This code is use-after-free.

const char16_t *formatParams[] = { NS_ConvertUTF8toUTF16(newUriSpec).get() };
...
// use formatParams

This code means,

const char16_t *formatParams[1];
{
  NS_ConvertUTF8toUTF16 unicodeSpec(newUriSpec);
  formatParams[0] = unicodeSpec.get();
}
...
// use formatParams

So formatParams[0] becomes use-after-free.
Assignee: nobody → m_kato
Attachment #8432348 - Flags: review?(sstamm)
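Added example, not from the bug's patch or from Mozilla's code: a small stand-in for NS_ConvertUTF8toUTF16 (called ConvertUTF8toUTF16 here, an assumption, as are the live-buffer registry and function names) records whether its buffer is still alive, so the temporary-lifetime defect in the snippet above and the named-local fix can be checked side by side without dereferencing freed memory.

```cpp
#include <set>
#include <string>

// Assumed helper: the set of converter buffers that are currently alive.
static std::set<const char16_t*> gLiveBuffers;

// Assumed stand-in for NS_ConvertUTF8toUTF16: owns a UTF-16 buffer for the
// lifetime of the object; get() returns a pointer into that buffer, exactly
// the contract that makes a temporary converter dangerous.
class ConvertUTF8toUTF16 {
 public:
  explicit ConvertUTF8toUTF16(const std::string& utf8) {
    // ASCII-only widening is enough to demonstrate the lifetime issue.
    for (unsigned char c : utf8) mBuf.push_back(static_cast<char16_t>(c));
    gLiveBuffers.insert(mBuf.c_str());
  }
  ~ConvertUTF8toUTF16() { gLiveBuffers.erase(mBuf.c_str()); }
  const char16_t* get() const { return mBuf.c_str(); }

 private:
  std::u16string mBuf;
};

static bool isLive(const char16_t* p) { return gLiveBuffers.count(p) != 0; }

// The pattern from the bug: the temporary converter is destroyed at the end
// of the full expression that initialises formatParams, so formatParams[0]
// already points at a released buffer by the time it is used.
bool vulnerablePatternPointerIsLive(const std::string& newUriSpec) {
  const char16_t* formatParams[] = { ConvertUTF8toUTF16(newUriSpec).get() };
  return isLive(formatParams[0]);  // false: buffer already gone
}

// The fix: hold the converter in a named local whose scope covers every use
// of formatParams, so the buffer outlives the pointer stored in the array.
bool fixedPatternPointerIsLive(const std::string& newUriSpec) {
  ConvertUTF8toUTF16 unicodeSpec(newUriSpec);
  const char16_t* formatParams[] = { unicodeSpec.get() };
  return isLive(formatParams[0]);  // true: unicodeSpec still in scope
}
```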
The code in question landed for FF32 in bug 951457.
Comment on attachment 8432348 [details] [diff] [review]
Fix

Review of attachment 8432348 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.  We had similar bugs in nsCSPContext.cpp, but fixed those before landing.  Must've missed these... luckily nsCSPParser.cpp is not active code unless you set a pref (it's not enabled yet).
Attachment #8432348 - Flags: review?(sstamm) → review+
Looked at all the CSP code we landed. cspUtils and cspContext are fine. The proposed patch (dis)covers all the problems where that problem occurs.
https://hg.mozilla.org/mozilla-central/rev/04dd691d5f59
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Marking qe-verify- due to lack of test case or STR. Please feel free to provide if you'd like this bug to be verified. Thank you.
QA Whiteboard: qe-verify-
Flags: qe-verify-
Group: core-security
Keywords: regression