Closed Bug 1167461 Opened 9 years ago Closed 9 years ago

Probable dereferencing of past-the-end iterator in ComputeSizeAndRVA

Categories

(Toolkit :: Crash Reporting, defect)

38 Branch
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: q1, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524

Steps to reproduce:

ComputeSizeAndRVA in toolkit\crashreporter\google-breakpad\src\common\solaris\dump_symbols.cc line 366 dereferences a std::map::const_iterator that might == ::end() (the C++ specification calls this a "past-the-end" iterator). If the iterator does ever == ::end(), this usage is incorrect. It also presumably invokes undefined behavior under the C++ specification; see ISO/IEC 14882:1998(E) at s.24.1(5) (which, alas, is not a model of clarity). This bug could thus represent a security risk.

365: SymbolMap::const_iterator it = symbol_entries->find(func_name.c_str());
366: if (it->second) {...
Oops, that should be "366 et seq".
Not a security bug: this code is used to process symbols as part of the build system and is never exposed to user data. Also this is Solaris-specific code in the google-breakpad project and should be filed there.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → Breakpad Integration
Product: Firefox → Toolkit
Resolution: --- → INVALID
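
The lookup pattern quoted in the report, next to a form that compares against end() before dereferencing. This is an added example, not code from Breakpad or from this bug. `SymbolEntry`, the `std::string`-keyed `SymbolMap`, `SizeUnchecked`, `SizeChecked`, `Lookup` and `SampleSymbols` are hypothetical stand-ins, since the real types in dump_symbols.cc are not shown on this page.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Constructed stand-ins: the real SymbolMap and entry types are not on this page.
struct SymbolEntry { std::uint64_t rva; std::uint64_t size; };
using SymbolMap = std::map<std::string, const SymbolEntry*>;

// Reported pattern: find() followed directly by it->second. If func_name is
// absent, `it` equals end() and the dereference is undefined behavior, so this
// is only valid when the caller guarantees the key exists.
std::uint64_t SizeUnchecked(const SymbolMap& symbols, const std::string& func_name) {
  SymbolMap::const_iterator it = symbols.find(func_name);
  if (it->second) return it->second->size;
  return 0;
}

// Checked form: test for end() first, and keep "name not in the map" distinct
// from "name present but mapped to a null entry".
enum class Lookup { kFound, kMissing, kNullEntry };

Lookup SizeChecked(const SymbolMap& symbols, const std::string& func_name,
                   std::uint64_t* size_out) {
  SymbolMap::const_iterator it = symbols.find(func_name);
  if (it == symbols.end()) return Lookup::kMissing;    // never touch it->second
  if (it->second == nullptr) return Lookup::kNullEntry;
  *size_out = it->second->size;
  return Lookup::kFound;
}

// Constructed sample data: one real entry and one null entry.
SymbolMap SampleSymbols() {
  static const SymbolEntry kMain = {0x1000, 64};
  SymbolMap m;
  m["main"] = &kMain;
  m["stub"] = nullptr;
  return m;
}

int main() {
  SymbolMap symbols = SampleSymbols();
  const char* names[] = {"main", "stub", "absent"};
  for (const char* name : names) {
    std::uint64_t size = 0;
    Lookup r = SizeChecked(symbols, name, &size);
    std::printf("%s: result=%d size=%llu\n", name, static_cast<int>(r),
                static_cast<unsigned long long>(size));
  }
  return 0;
}
```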