Closed Bug 1727375 Opened 4 years ago Closed 4 years ago

Null pointer dereference has been found in nsprpub/pr/src/pthreads/ptthread.c

Categories

(NSPR :: NSPR, defect)

defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: zyscoder, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Steps to reproduce:

In the function _PR_CreateThread at nsprpub/pr/src/pthreads/ptthread.c,

at line 383 a variable "id" has been allocated:
pthread_t id;

and the "id" variable has been dereferenced at line 458:
rv = _PT_PTHREAD_CREATE(&id, tattr, _pt_root, thred);

but no initialization has been done for the "id" variable before this use.

Actual results:

A null pointer dereference occurs.

Expected results:

assign "thred->id" to the "id" variable for initialization:

pthread_t id = thred->id;
Group: firefox-core-security → core-security
Component: Untriaged → NSPR
Product: Firefox → NSPR
Version: Firefox 91 → other

_PT_PTHREAD_CREATE() is the thing that initializes id, which is why it's passed by reference instead of by value. At least, it's initialized if it returns success. If someone uses the value without checking rv then that could lead to trouble.

Probably better to file a different bug on the null pointer deref with the actual stack and such you're seeing.

Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
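As an added example, not code from NSPR or from anyone in this bug, the output-parameter contract the comment above describes: a `pthread_t` declared without an initializer is written by the create call through the pointer, and its value is only meaningful on the path where the return value is zero. `create_worker()` is a hypothetical stand-in for `_PT_PTHREAD_CREATE`, `worker_root` for `_pt_root`, and the `fail` flag is an assumption used to exercise the error path without exhausting thread limits. It assumes a libc with pthreads (part of glibc since 2.34; `-lpthread` on older toolchains).

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the thread start routine (_pt_root in NSPR). */
static void *worker_root(void *arg)
{
    int *counter = (int *)arg;
    *counter += 1;
    return NULL;
}

/* Hypothetical wrapper with the same shape as _PT_PTHREAD_CREATE:
 * 'id' is an OUTPUT parameter. On success (return 0) pthread_create
 * writes it; on failure it is left untouched, so the caller may read
 * it only after checking the return value. 'fail' is an assumption for
 * this example: it forces the EAGAIN path so the failure case can be
 * exercised deterministically. */
static int create_worker(pthread_t *id, int *counter, int fail)
{
    if (fail) {
        return EAGAIN; /* pthread_create's "insufficient resources" code */
    }
    return pthread_create(id, NULL, worker_root, counter);
}

/* Correct caller pattern. 'id' is deliberately declared without an
 * initializer, as in _PR_CreateThread, because create_worker() is the
 * thing that initializes it. Returns 0 on success, else the error code;
 * 'id' is never touched on the error path. */
static int run_worker(int fail, int *counter)
{
    pthread_t id; /* output parameter, set by create_worker() on success */
    int rv = create_worker(&id, counter, fail);
    if (rv != 0) {
        /* id was never written: do not join, compare or print it */
        return rv;
    }
    /* id is valid only from here on */
    return pthread_join(id, NULL);
}

/* Helpers that report each path's observable outcome. */
static int counter_after(int fail)
{
    int c = 0;
    (void)run_worker(fail, &c);
    return c;
}

static int rv_for(int fail)
{
    int c = 0;
    return run_worker(fail, &c);
}

int main(void)
{
    int rv = rv_for(0);
    printf("success path: rv=%d (%s), counter=%d\n",
           rv, strerror(rv), counter_after(0));
    rv = rv_for(1);
    printf("failure path: rv=%d (%s), counter=%d\n",
           rv, strerror(rv), counter_after(1));
    return 0;
}
```

The uninitialized declaration is not the defect a checker should flag here; the hazard would be a caller that reads `id` after a non-zero `rv`, which this pattern rules out by returning before any use.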