Closed
Bug 1176041
Opened 10 years ago
Closed 9 days ago
OlsonTimeZone::operator= uses object after delete on self-assignment
Categories
(Core :: JavaScript: Internationalization API, defect)
RESOLVED
FIXED
People
(Reporter: q1, Unassigned)
Details
(Keywords: reporter-external, sec-other, Whiteboard: upstream bug, no self-assignment locally)
OlsonTimeZone::operator= (38.0.1\intl\icu\source\i18n\olsontz.cpp) uses an object after deleting it on self-assignment:
274: OlsonTimeZone& OlsonTimeZone::operator=(const OlsonTimeZone& other) {
275: canonicalID = other.canonicalID;
... // no check for self-assignment
289: delete finalZone;
290: finalZone = (other.finalZone != 0) ?
291: (SimpleTimeZone*) other.finalZone->clone() : 0;
...
296: clearTransitionRules();
finalZone is a SimpleTimeZone *; SimpleTimeZone contains various pointers that will become wild after line 291 executes (38.0.1\intl\icu\source\i18n\unicode\simpletz.h):
61: class U_I18N_API SimpleTimeZone: public BasicTimeZone {
...
878: InitialTimeZoneRule* initialRule;
879: TimeZoneTransition* firstTransition;
880: AnnualTimeZoneRule* stdRule;
881: AnnualTimeZoneRule* dstRule;
Also, line 296 improperly initializes portions of the object, which is a correctness bug.
Comment 1•10 years ago
Another ICU bug? Is this filed with ICU yet?
Component: Untriaged → JavaScript: Internationalization API
Flags: needinfo?(q1)
Product: Firefox → Core
Updated•10 years ago
Flags: sec-bounty?
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> Another ICU bug? Is this filed with ICU yet?
Now it is: https://bugs.icu-project.org/trac/ticket/11748. The bug still exists in the latest (trunk) version of the code.
Flags: needinfo?(q1)
Updated•10 years ago
Flags: needinfo?(jwalden+bmo)
Comment 3•10 years ago
Same consideration about operator= only being used in a copy constructor, so still okay:
https://dxr.mozilla.org/mozilla-central/search?q=%2Bcallers%3A%22icu_52%3A%3AOlsonTimeZone%3A%3Aoperator%3D%28const+class+icu_52%3A%3AOlsonTimeZone+%26%29%22
Flags: needinfo?(jwalden+bmo)
Updated•10 years ago
Group: core-security
Updated•10 years ago
Group: core-security
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Keywords: sec-other
Whiteboard: upstream bug, no self-assignment locally
Updated•9 years ago
Group: core-security → javascript-core-security
Updated•2 years ago
Severity: normal → S3
Updated•9 months ago
Keywords: reporter-external
Comment 4•9 days ago
I think this is actually fixed as there's a check for self-assignment now. https://searchfox.org/mozilla-central/source/intl/icu/source/i18n/olsontz.cpp#277
Status: NEW → RESOLVED
Closed: 9 days ago
Resolution: --- → FIXED
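The following is an added example, not code from ICU or mozilla-central. It is a minimal model of the pattern quoted in the description (delete finalZone, then clone from other.finalZone, with no self-assignment check) placed next to the hardened form with the self-assignment check that comment 4 points to. Rule, BuggyZone, FixedZone, fakeDelete and the zone ids are hypothetical stand-ins; the real delete is replaced by a flag so that the clone taken from the freed object can be counted deterministically instead of being undefined behaviour.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the SimpleTimeZone object that OlsonTimeZone owns through
// `finalZone` (hypothetical name `Rule`). Freeing is simulated with a flag
// rather than a real `delete`, so a clone() taken from an already-freed object
// is observable instead of being undefined behaviour.
struct Rule {
    std::string id;
    bool freed = false;
    static int clonesAfterFree;  // number of clone() calls made on a freed Rule

    explicit Rule(std::string s) : id(std::move(s)) {}
    Rule* clone() const {
        if (freed) ++clonesAfterFree;  // the use-after-free the bug describes
        return new Rule(id);
    }
};
int Rule::clonesAfterFree = 0;

// Simulated `delete r`: marks the object dead and parks it until exit.
static void fakeDelete(Rule* r) {
    static std::vector<std::unique_ptr<Rule>> graveyard;  // reclaimed at process exit
    if (!r || r->freed) return;
    r->freed = true;
    graveyard.emplace_back(r);
}

// Same shape as the quoted olsontz.cpp: the copy constructor delegates to
// operator= (its only caller, per comment 3), and operator= deletes the old
// member before cloning from `other`, with no check that `other` is `*this`.
class BuggyZone {
public:
    explicit BuggyZone(const std::string& s) : finalZone(new Rule(s)) {}
    ~BuggyZone() { fakeDelete(finalZone); }
    BuggyZone(const BuggyZone& o) : finalZone(nullptr) { *this = o; }
    BuggyZone& operator=(const BuggyZone& other) {
        fakeDelete(finalZone);  // frees other.finalZone too when &other == this
        finalZone = other.finalZone ? other.finalZone->clone() : nullptr;  // reads the freed object
        return *this;
    }
    const Rule* rule() const { return finalZone; }
private:
    Rule* finalZone;
};

// Hardened form: the self-assignment check comment 4 points to in the current
// tree. Everything else is unchanged.
class FixedZone {
public:
    explicit FixedZone(const std::string& s) : finalZone(new Rule(s)) {}
    ~FixedZone() { fakeDelete(finalZone); }
    FixedZone(const FixedZone& o) : finalZone(nullptr) { *this = o; }
    FixedZone& operator=(const FixedZone& other) {
        if (this == &other) return *this;  // self-assignment: nothing to do
        fakeDelete(finalZone);
        finalZone = other.finalZone ? other.finalZone->clone() : nullptr;
        return *this;
    }
    const Rule* rule() const { return finalZone; }
private:
    Rule* finalZone;
};

// Self-assign through an alias (how it happens in practice) and report how many
// clone() calls hit a freed Rule: 1 for the buggy class, 0 for the fixed one.
int buggySelfAssign() {
    Rule::clonesAfterFree = 0;
    BuggyZone z("America/Los_Angeles");  // constructed sample id
    BuggyZone& alias = z;
    z = alias;
    return Rule::clonesAfterFree;
}

int fixedSelfAssign() {
    Rule::clonesAfterFree = 0;
    FixedZone z("America/Los_Angeles");
    FixedZone& alias = z;
    z = alias;
    return Rule::clonesAfterFree;
}

// Ordinary copy through the hardened operator=: the copy owns its own Rule
// carrying the same id, and the source is untouched.
bool fixedCopyIsIndependent() {
    FixedZone a("Europe/Berlin");
    FixedZone b = a;
    return b.rule() != a.rule() && b.rule()->id == a.rule()->id && !a.rule()->freed;
}

int main() {
    std::printf("buggy self-assignment: %d clone(s) from a freed object\n", buggySelfAssign());
    std::printf("fixed self-assignment: %d clone(s) from a freed object\n", fixedSelfAssign());
    std::printf("fixed copy independent: %s\n", fixedCopyIsIndependent() ? "yes" : "no");
    return 0;
}
```

The pointer comparison is the smallest fix; the other common one is to take the clone from other first and delete the old member afterwards (or copy-and-swap), which survives a = a without any explicit check. The simulated free is the only reason the buggy path runs cleanly here: with a real delete, AddressSanitizer reports the clone() call as a heap-use-after-free.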
Comment 5•9 days ago
An upstream fix appears to have landed as part of the library update in bug 1714933.
Group: javascript-core-security
Depends on: 1714933