Closed
Bug 1380078
Opened 7 years ago
Closed 7 years ago
Truncation in CFStringRefToUTF8Buffer()
Categories
(Core Graveyard :: Plug-ins, enhancement, P3)
Tracking
(firefox57 fixed)
RESOLVED
FIXED
mozilla57
Tracking | Status | |
---|---|---|
firefox57 | --- | fixed |
People
(Reporter: q1, Assigned: max, Mentored)
Details
(Keywords: good-first-bug, Whiteboard: [good first bug][lang=c++])
Attachments
(1 file)
CFStringRefToUTF8Buffer() (dom\plugins\base\nsPluginsDirDarwin.cpp) truncates the result of CFStringGetMaximumSizeForEncoding() from a |CFIndex| to an |int| on 64-bit platforms. (See https://developer.apple.com/documentation/corefoundation/1542143-cfstringgetmaximumsizeforencodin ; https://developer.apple.com/documentation/corefoundation/cfindex ; https://developer.apple.com/documentation/swift/int ; https://developer.apple.com/library/content/documentation/Darwin/Conceptual/64bitPorting/MakingCode64-BitClean/MakingCode64-BitClean.html ). The bug (line 104) does not look exploitable because the potentially-truncated buffer size |bufferLength| is used as the maximum buffer size on line 112. Still, it should be fixed. 97: static char* CFStringRefToUTF8Buffer(CFStringRef cfString) 98: { 99: const char* buffer = ::CFStringGetCStringPtr(cfString, kCFStringEncodingUTF8); 100: if (buffer) { 101: return PL_strdup(buffer); 102: } 103: 104: int bufferLength = 105: ::CFStringGetMaximumSizeForEncoding(::CFStringGetLength(cfString), 106: kCFStringEncodingUTF8) + 1; 107: char* newBuffer = static_cast<char*>(moz_xmalloc(bufferLength)); 108: if (!newBuffer) { 109: return nullptr; 110: } 111: 112: if (!::CFStringGetCString(cfString, newBuffer, bufferLength, 113: kCFStringEncodingUTF8)) { 114: free(newBuffer); 115: return nullptr; 116: } 117: 118: newBuffer = static_cast<char*>(moz_xrealloc(newBuffer, 119: strlen(newBuffer) + 1)); 120: return newBuffer; 121: }
Updated•7 years ago
|
Group: core-security
Priority: -- → P3
Updated•7 years ago
|
Flags: needinfo?(spohl.mozilla.bugs)
Comment 1•7 years ago
|
||
This is a good first bug and I'm happy to mentor someone through it, if necessary. We should also remove the null check for the infallible allocation. The steps to fix this bug are: 1. Change the type of bufferLength from int to int64_t[1]. 2. Remove the null check after the infallible allocation[2][3]. [1] https://dxr.mozilla.org/mozilla-central/rev/b95b1638db48fc3d450b95b98da6bcd2f9326d2f/dom/plugins/base/nsPluginsDirDarwin.cpp#104 [2] https://dxr.mozilla.org/mozilla-central/rev/b95b1638db48fc3d450b95b98da6bcd2f9326d2f/dom/plugins/base/nsPluginsDirDarwin.cpp#108-110 [3] https://developer.mozilla.org/en-US/docs/Infallible_memory_allocation
Mentor: spohl.mozilla.bugs
Flags: needinfo?(spohl.mozilla.bugs)
Keywords: good-first-bug
Whiteboard: [good first bug][lang=c++]
Assignee | ||
Comment 2•7 years ago
|
||
I'm new to the Mozilla project, and I'd like to have a look at this. Looks like I should be able to get started.
Assignee | ||
Comment 3•7 years ago
|
||
I may have made a mistake. I hadn't realised this was an OSX bug and I'm not on OSX. I wrote the patch anyway and I've submitted it for review on Mozreview, but let me know if this means I shouldn't be working on this.
Comment hidden (mozreview-request) |
Comment 5•7 years ago
|
||
mozreview-review |
Comment on attachment 8898119 [details] Bug 1380078: Fix truncation of buffer size in CFStringRefToUTF8Buffer(); https://reviewboard.mozilla.org/r/169454/#review175030 This patch and commit message are perfect! Thank you!
Attachment #8898119 -
Flags: review?(spohl.mozilla.bugs) → review+
Comment 6•7 years ago
|
||
(In reply to Maximilian Hunt from comment #3) > I may have made a mistake. I hadn't realised this was an OSX bug and I'm not > on OSX. > > I wrote the patch anyway and I've submitted it for review on Mozreview, but > let me know if this means I shouldn't be working on this. You are welcome to fix bugs on platforms that aren't the same as your development environment. You may find it easier to fix bugs on the same platform, especially if they require local debugging and/or testing. But straightforward patches like the one in this bug can absolutely be written on other platforms.
Assignee: nobody → max
Status: NEW → ASSIGNED
Assignee | ||
Comment 7•7 years ago
|
||
Thanks Stephen. What else do I need to do to get the patch tested and pulled?
Comment 8•7 years ago
|
||
mozilla-inbound is currently closed. Your patch will land automatically as soon as it reopens, which could be any time now.
Pushed by spohl@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/33a96b254013 Fix truncation of buffer size in CFStringRefToUTF8Buffer(); r=spohl
Comment 10•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/33a96b254013
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•