Closed
Bug 1019935
Opened 10 years ago
Closed 3 years ago
Buffer overflow in uprv_tzname
Categories
(Core :: JavaScript: Internationalization API, defect)
RESOLVED
FIXED
People
(Reporter: mccr8, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, csectype-bounds, sec-low)
The method uprv_tzname in intl/icu/source/common/putil.cpp can write a zero to one byte past the end of the buffer:

    int32_t ret = (int32_t)readlink(TZDEFAULT, gTimeZoneBuffer, sizeof(gTimeZoneBuffer));
    if (0 < ret) {
        int32_t tzZoneInfoLen = uprv_strlen(TZZONEINFO);
        gTimeZoneBuffer[ret] = 0;

readlink() will read up to the size passed in as the third argument. If it ends up actually filling the entire buffer, then the attempt to null-terminate the buffer writes off the end.

I think the fix is just to pass in sizeof(gTimeZoneBuffer) - 1 instead.

I doubt this is too much of a problem in practice, but I'm filing it s-s just in case.
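The off-by-one described in the report above, shown as an added example that is not part of the original report or of ICU's code: a readlink() wrapper that reserves one byte for the terminator, exercised against a constructed symlink with a canary byte placed just past the usable buffer. The names read_link_terminated and demo, the /tmp path and the link target are hypothetical, and treating a completely filled read as possible truncation is a conservative choice made here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not ICU code. Reads a symlink target into buf and
 * NUL-terminates it inside the buffer. Returns the target length, -1 on
 * readlink() failure, -2 if buf is too small or the target may be truncated. */
long read_link_terminated(const char *path, char *buf, size_t bufsize)
{
    if (bufsize < 2)
        return -2;
    /* Reserve the last byte: at most bufsize - 1 bytes are written, so
     * buf[ret] below is always a valid index. */
    ssize_t ret = readlink(path, buf, bufsize - 1);
    if (ret < 0)
        return -1;
    buf[ret] = '\0';
    /* readlink() truncates silently, so a completely filled read is
     * treated as "target may be longer than the buffer". */
    return ((size_t)ret == bufsize - 1) ? -2 : (long)ret;
}

/* Constructed demo: a temporary symlink with a 21-byte target is read into
 * the first `usable` bytes of an array; buf[usable] acts as a canary. */
long demo(size_t usable, int *canary_intact)
{
    char dir[] = "/tmp/rlXXXXXX", link[64], buf[64];

    *canary_intact = 0;
    if (usable >= sizeof(buf) || mkdtemp(dir) == NULL)
        return -1;
    snprintf(link, sizeof(link), "%s/localtime", dir);
    memset(buf, 0x5A, sizeof(buf));
    long ret = (symlink("Constructed/Zone_Name", link) == 0)
                   ? read_link_terminated(link, buf, usable) : -1;
    *canary_intact = (buf[usable] == 0x5A);
    unlink(link);
    rmdir(dir);
    return ret;
}

int main(void)
{
    int ok;
    long r = demo(21, &ok);   /* buffer exactly as long as the target */
    printf("ret=%ld canary_intact=%d\n", r, ok);
    return 0;
}
```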
Updated•9 years ago
Group: core-security → javascript-core-security
Updated•6 years ago
Blocks: coverity-analysis
Comment 1•3 years ago
Fixed by Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1299615 (ICU 58)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Updated•2 years ago
Group: core-security-release