Closed Bug 1143130 Opened 9 years ago Closed 9 years ago

nsTextFrame::GetCharacterOffsetAtFrame returns uninitialized nsIFrame::ContentOffsets

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla40

Tracking Flags:

Tracking

Status

firefox39

---

wontfix

firefox40

---

fixed

firefox-esr38

---

wontfix

b2g-master

---

fixed

People

(Reporter: erahm, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, csectype-uninitialized, sec-other, Whiteboard: [CID 1285939][post-critsmash-triage][adv-main40+])

Attachments

(1 file)

fix 9 years ago Mats Palmgren (inactive) 2.81 KB, patch	roc : review+	Details \| Diff \| Splinter Review

Eric Rahm [:erahm]

Reporter

Description

•

9 years ago

Coverity indicates that |nsTextFrame::GetCharacterOffsetAtFrame| returns an instance of |nsIFrame::ContentOffsets| with unitialized members [1] (offset, secondaryOffset, associate).

This is a non-issue if every usage checks |ContentOffsets::content| prior to using other values. I'm not sure if that's the case.

Flagging as sec as it's not clear to me where/how these uninitialized values are used.

[1] https://hg.mozilla.org/mozilla-central/annotate/11506aaf7064/layout/generic/nsTextFrame.cpp#l6492

Andrew McCreight [:mccr8]

Comment 1

•

9 years ago

Mats, is this something you could look into?  Thanks.

Flags: needinfo?(mats)

Keywords: csectype-uninitialized

Mats Palmgren (inactive)

Assignee

Comment 2

•

9 years ago

Attached patch fix — Details — Splinter Review

Initialize the members in the default ctor.
Remove the copy ctor and dtor since they are the same as the default.

I checked consumers and they all null-check .content before using
the other fields, or they where invoked on frames guaranteed
not to be text frames so are not affected by the indicated line.
So there's no security issue here afaict.

Assignee: nobody → mats

Flags: needinfo?(mats)

Attachment #8589693 - Flags: review?(roc)

Mats Palmgren (inactive)

Assignee

Updated

•

9 years ago

Keywords: sec-other

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

9 years ago

Attachment #8589693 - Flags: review?(roc) → review+

Mats Palmgren (inactive)

Assignee

Comment 3

•

9 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/cbff0d351f74

Flags: in-testsuite-

Ryan VanderMeulen [:RyanVM][PTO June 24-28]

Comment 4

•

9 years ago

https://hg.mozilla.org/mozilla-central/rev/cbff0d351f74

Status: NEW → RESOLVED

Closed: 9 years ago

status-firefox40: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla40

Ryan VanderMeulen [:RyanVM][PTO June 24-28]

Updated

•

9 years ago

status-b2g-master: --- → fixed

status-firefox39: --- → wontfix

status-firefox-esr38: --- → wontfix

Matt Wobensmith [:mwobensmith][:matt:]

Updated

•

9 years ago

Whiteboard: [CID 1285939] → [CID 1285939][post-critsmash-triage]

Al Billings [:abillings - ex-MoCo]

Updated

•

9 years ago

Whiteboard: [CID 1285939][post-critsmash-triage] → [CID 1285939][post-critsmash-triage][adv-main40+]

BMO Automation

Updated

•

9 years ago

Group: core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Group: core-security-release

Sylvestre Ledru [:Sylvestre]

Updated

•

6 years ago

Blocks: coverity-analysis

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

nsTextFrame::GetCharacterOffsetAtFrame returns uninitialized nsIFrame::ContentOffsets

Categories

(Core :: Layout, defect)

Tracking

()

People

(Reporter: erahm, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, csectype-uninitialized, sec-other, Whiteboard: [CID 1285939][post-critsmash-triage][adv-main40+])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Comment 4

Updated

Updated

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type