Open Bug 1216830 Opened 6 years ago Updated 3 years ago

Possible OOB read in |nsCSPContext::GetAllowsInline| when logging is enabled


(Core :: DOM: Security, defect, P3)




Tracking Status
firefox44 --- affected


(Reporter: erahm, Unassigned)


(Blocks 2 open bugs)


(Keywords: coverity, Whiteboard: [CID 1324688], [domsecurity-backlog2])

Coverity indicates that |nsCSPContext::GetAllowsInline| can trigger an OOB read [1] in |nsCSPPolicy::allows| [2] when logging by calling |CSP_EnumToKeyword| [3] with the type |CSP_HASH|.

Details are provided about CSP_HASH being treated differently [4], and we can see where this has [5] and has not [6,7,8,9,10] been worked around previously.

As this is only exposed when the CSP logger is enabled, this should have minimal impact on end users.

Thanks Eric, we should look into that and bail out early (not just using the static assert) in those cases.
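A model of the lookup pattern behind this report and of the early bail-out suggested in the comment above, added here as an illustration and not taken from Firefox's own nsCSPUtils code; the enum members other than CSP_HASH, the sentinel, the table contents and the helper names are constructed for the example.

```cpp
// Constructed model of an enum-indexed keyword table; not Firefox's actual code.
#include <cstddef>
#include <cstdint>
#include <string>

enum CSPKeyword : uint8_t {
  CSP_SELF = 0,
  CSP_UNSAFE_INLINE,
  CSP_UNSAFE_EVAL,
  CSP_NONE,
  CSP_LAST_KEYWORD_VALUE,  // constructed sentinel: number of entries in the table
  CSP_HASH                 // has no keyword string; the hash source carries its own text
};

static const char* const CSPStrKeywords[] = {
  "'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"
};

// The static assert only keeps the table in sync with the sentinel; it does not stop a
// caller from passing CSP_HASH, whose numeric value lies past the end of the table.
static_assert(sizeof(CSPStrKeywords) / sizeof(CSPStrKeywords[0]) == CSP_LAST_KEYWORD_VALUE,
              "keyword table is out of sync with the CSPKeyword enum");

// Unchecked lookup: passing CSP_HASH reads one element beyond the table (the bug's pattern).
inline const char* CSP_EnumToKeyword_Unchecked(CSPKeyword aKey) {
  return CSPStrKeywords[static_cast<size_t>(aKey)];
}

// Hardened lookup: bail out early for any value that has no table entry.
inline const char* CSP_EnumToKeyword_Checked(CSPKeyword aKey) {
  if (static_cast<size_t>(aKey) >= static_cast<size_t>(CSP_LAST_KEYWORD_VALUE)) {
    return "";  // hashes and unknown values have no keyword string to log
  }
  return CSPStrKeywords[static_cast<size_t>(aKey)];
}

// What a logging path would emit for a source: hash sources are described by their own
// text instead of going through the keyword table at all.
inline std::string DescribeSource(CSPKeyword aKey, const std::string& aHashSrc) {
  if (aKey == CSP_HASH) {
    return aHashSrc;
  }
  return CSP_EnumToKeyword_Checked(aKey);
}
```

The unchecked variant is kept only to show the shape of the defect; the test below exercises just the checked path.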
Whiteboard: [CID 1324688] → [CID 1324688], [domsecurity-backlog]
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [CID 1324688], [domsecurity-backlog] → [CID 1324688], [domsecurity-backlog2]