Open Bug 1498078 Opened 6 years ago Updated 2 years ago

AutoMemMap::get computes incorrect pointer bounds

Tracking

()

Status:

NEW

People

(Reporter: jld, Unassigned)

References

Details

Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧

Reporter

Description

•

6 years ago

AutoMemMap::get passes the memory size as the aLength parameter to the RangedPtr constructor, but that's a number of elements, not a number of bytes.  Currently this isn't a problem, because all extent instances either use a size-1 type or immediately access only the 0th element, but in general this can make the bounds checks too weak.

I also noticed that the const version of the method has a type that doesn't make much sense: it looks like the intent was to return RangedPtr<const T>, not to make the RangedPtr itself const, which doesn't really do anything.

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Priority: -- → P3

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

AutoMemMap::get computes incorrect pointer bounds

Categories

(Core :: XPConnect, enhancement, P3)

Tracking

()

People

(Reporter: jld, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated