Closed Bug 1176041 Opened 10 years ago Closed 9 days ago

OlsonTimeZone::operator= uses object after delete on self-assignment

Categories

(Core :: JavaScript: Internationalization API, defect)

38 Branch
defect


RESOLVED FIXED

People

(Reporter: q1, Unassigned)

References

Details

(Keywords: reporter-external, sec-other, Whiteboard: upstream bug, no self-assignment locally)

OlsonTimeZone::operator= (38.0.1\intl\icu\source\i18n\olsontz.cpp) uses an object after deleting it on self-assignment:

    274: OlsonTimeZone& OlsonTimeZone::operator=(const OlsonTimeZone& other) {
    275:     canonicalID = other.canonicalID;
         ...  // no check for self-assignment
    289:     delete finalZone;
    290:     finalZone = (other.finalZone != 0) ?
    291:         (SimpleTimeZone*) other.finalZone->clone() : 0;
         ...
    296:     clearTransitionRules();

finalZone is a SimpleTimeZone *; SimpleTimeZone contains various pointers that will become wild after line 291 executes (38.0.1\intl\icu\source\i18n\unicode\simpletz.h):

    61:  class U_I18N_API SimpleTimeZone: public BasicTimeZone {
         ...
    878:     InitialTimeZoneRule* initialRule;
    879:     TimeZoneTransition* firstTransition;
    880:     AnnualTimeZoneRule* stdRule;
    881:     AnnualTimeZoneRule* dstRule;

Also, line 296 improperly initializes portions of the object, which is a correctness bug.
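As an added illustration (not ICU's or Mozilla's code), a minimal reconstruction of the pattern the report describes, with hypothetical `Zone` and `Rule` types standing in for OlsonTimeZone and SimpleTimeZone: the unchecked delete-then-clone is shown beside an `operator=` that checks for self-assignment and clones before releasing the owned object.

```cpp
// Stand-in for SimpleTimeZone: a heap object that is deep-copied via clone().
struct Rule {
    int offset;
    Rule* clone() const { return new Rule(*this); }
};

// Stand-in for OlsonTimeZone; only the owning pointer matters for this bug.
class Zone {
public:
    explicit Zone(int offset) : finalZone(new Rule{offset}) {}
    Zone(const Zone& o) : finalZone(o.finalZone ? o.finalZone->clone() : nullptr) {}
    ~Zone() { delete finalZone; }

    // Shape of the reported code: delete, then clone from `other`. If `other`
    // aliases *this, clone() reads the object just freed (use after free).
    // Kept for comparison only; this file never calls it on an alias of self.
    Zone& assignUnchecked(const Zone& other) {
        delete finalZone;
        finalZone = other.finalZone ? other.finalZone->clone() : nullptr;
        return *this;
    }

    // Hardened form: reject self-assignment, and copy before releasing so an
    // exception or aliasing in clone() can never leave a dangling pointer.
    Zone& operator=(const Zone& other) {
        if (this == &other) return *this;
        Rule* copy = other.finalZone ? other.finalZone->clone() : nullptr;
        delete finalZone;
        finalZone = copy;
        return *this;
    }

    int offset() const { return finalZone ? finalZone->offset : 0; }
    const Rule* rule() const { return finalZone; }
private:
    Rule* finalZone;
};

// Self-assignment through an alias, as it happens in real code paths.
int selfAssignOffset(int offset) {
    Zone z(offset);
    Zone& alias = z;
    z = alias;                  // must leave z intact
    return z.offset();
}

bool selfAssignKeepsPointer() {
    Zone z(60);
    const Rule* before = z.rule();
    Zone& alias = z;
    z = alias;
    return z.rule() == before;  // the check short-circuits: nothing freed
}

bool normalAssignDeepCopies() {
    Zone a(1), b(2);
    a = b;
    return a.offset() == 2 && a.rule() != b.rule();
}
```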
Another ICU bug? Is this filed with ICU yet?
Component: Untriaged → JavaScript: Internationalization API
Flags: needinfo?(q1)
Product: Firefox → Core
Flags: sec-bounty?
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> Another ICU bug? Is this filed with ICU yet?

Now it is: https://bugs.icu-project.org/trac/ticket/11748 . The bug still exists in the latest (trunk) version of the code.
Flags: needinfo?(q1)
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(jwalden+bmo)
Group: core-security
Group: core-security
Flags: sec-bounty? → sec-bounty-
Keywords: sec-other
Whiteboard: upstream bug, no self-assignment locally
Group: core-security → javascript-core-security
Severity: normal → S3

I think this is actually fixed as there's a check for self-assignment now. https://searchfox.org/mozilla-central/source/intl/icu/source/i18n/olsontz.cpp#277

Status: NEW → RESOLVED
Closed: 9 days ago
Resolution: --- → FIXED

An upstream fix appears to have landed as part of the library update in bug 1714933

Group: javascript-core-security
Depends on: 1714933