Closed Bug 139956 Opened 22 years ago Closed 22 years ago

Buffer overflow in plugin Post URL's (plus Fix)

Categories

(Core Graveyard :: Plug-ins, defect)

x86
All
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: shilad, Assigned: srgchrpv)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417
BuildID:    2002041717

Bug in ParsePostBufferToFixHeaders results in a buffer overflow.

Reproducible: Always
Steps to Reproduce:
1. Call NPN_PostURL with data with a leading "\n"
2. HTTP Server gets sent invalid content

Actual Results:  POST Message + additional garbage received by server

Expected Results:  POST Message received by server

I've included a single line fix:

nsPluginHostImpl.cpp, line 6331; add the following:

6327       nsMemory::Free(p);
6328       *outPostData = 0;
6329       return NS_ERROR_FAILURE;
6330     }
6331     p += headersLen;
6332     newBufferLen = headersLen + dataLen; /* new line shilad */
6333   }
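
A minimal model of the length error described in the report above, added here as an illustration; it is not code from nsPluginHostImpl.cpp or from the reporter. It assumes the buffer is allocated with slack for a generated Content-length header; the function names, slack size, '?' fill and sample body are constructed.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Simplified model (hypothetical, not Mozilla's code) of rebuilding a raw
// POST body that arrived without headers: allocate with slack for a generated
// Content-length header, write header + data, then report the length to send.
// fixLength=false models the reported behaviour: the length stays at the
// allocation size, so the sender transmits bytes that were never written.
static bool BuildPostBuffer(const char* data, size_t dataLen, bool fixLength,
                            char** outBuf, size_t* outLen) {
  static const char kHeader[] = "Content-length";
  const size_t kSlack = sizeof(kHeader) + 32;  // upper bound for the header
  size_t capacity = dataLen + kSlack;
  char* buf = static_cast<char*>(malloc(capacity));
  if (!buf) { *outBuf = nullptr; *outLen = 0; return false; }
  memset(buf, '?', capacity);  // stand-in for uninitialised heap contents
  int headersLen = snprintf(buf, kSlack, "%s: %zu\r\n\r\n", kHeader, dataLen);
  if (headersLen < 0 || static_cast<size_t>(headersLen) >= kSlack) {
    free(buf);
    *outBuf = nullptr; *outLen = 0;
    return false;
  }
  memcpy(buf + headersLen, data, dataLen);
  // The one-line fix from the report: length = bytes actually written.
  *outLen = fixLength ? static_cast<size_t>(headersLen) + dataLen : capacity;
  *outBuf = buf;
  return true;
}

// Bytes a sender would transmit beyond the real header + body.
static size_t TrailingGarbage(const char* data, size_t dataLen, bool fixLength) {
  char* buf = nullptr;
  size_t len = 0;
  if (!BuildPostBuffer(data, dataLen, fixLength, &buf, &len)) return 0;
  int hdr = snprintf(nullptr, 0, "Content-length: %zu\r\n\r\n", dataLen);
  size_t extra = len - (static_cast<size_t>(hdr) + dataLen);
  free(buf);
  return extra;
}

int main() {
  const char body[] = "a=1&b=2";  // constructed sample POST body
  printf("unfixed: %zu extra bytes\n", TrailingGarbage(body, 7, false));
  printf("fixed:   %zu extra bytes\n", TrailingGarbage(body, 7, true));
}
```
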
-->over to serge (maybe can add to one of the patches in progress)
Assignee: beppe → serge
Status: UNCONFIRMED → NEW
Ever confirmed: true
good finding, thanks Shilad.
your patch is in by check in for bug 130080.
resolved as fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard