Closed Bug 1739219 Opened 3 years ago Closed 2 years ago

SetLength() and GetMutableData() are dangerous APIs

Tracking

()

Status:

RESOLVED FIXED

Milestone:

97 Branch

Tracking Flags:

Tracking

Status

firefox-esr91

97+

fixed

firefox95

---

wontfix

firefox96

---

wontfix

firefox97

fixed

People

(Reporter: mccr8, Assigned: nika)

References

Details

(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main97-][adv-esr91.6-])

Andrew McCreight [:mccr8]

Reporter

Description

•

3 years ago

As seen in bug 1738237, nsTSubstring<T>::SetLength() takes an nsTSubString::size_type argument. Unfortunately this means that if you pass in a 64-bit value it will be implicitly coerced into a 32-bit value, which can overflow. It would be nice if we were more resistant to this kind of issue.

One approach would be to have a (non-nsTSubString) size_t overload that does the CheckedInt conversion. Or maybe we need bounds checking on whatever does a read or write after the SetLength()?

Andrew McCreight [:mccr8]

Reporter

Updated

•

3 years ago

Summary: SetLength() is dangerous API → SetLength() is a dangerous API

Andrew McCreight [:mccr8]

Reporter

Updated

•

3 years ago

Updated

•

3 years ago

Depends on: 1741201

Christian Holler (:decoder)

Updated

•

3 years ago

Depends on: 1741210

Andrew McCreight [:mccr8]

Reporter

Comment 1

•

3 years ago

Decoder mentioned GetMutableData() as another thing that deals with lengths.

Summary: SetLength() is a dangerous API → SetLength() and GetMutableData() are dangerous APIs

Andrew McCreight [:mccr8]

Reporter

Comment 2

•

3 years ago

Nika is working on some kind of big fix here, so I'll assign this to her for now.

Assignee: nobody → nika

Andrew McCreight [:mccr8]

Reporter

Updated

•

2 years ago

Depends on: 1741665

Andrew McCreight [:mccr8]

Reporter

Updated

•

2 years ago

Status: NEW → RESOLVED

Closed: 2 years ago

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

Updated

•

2 years ago

Group: dom-core-security → core-security-release

status-firefox95: --- → wontfix

status-firefox96: --- → affected

status-firefox97: --- → fixed

status-firefox-esr91: --- → affected

Target Milestone: --- → 97 Branch

Ryan VanderMeulen [:RyanVM]

Updated

•

2 years ago

status-firefox96: affected → wontfix

Brindusa Tot, Desktop QA

Updated

•

2 years ago

Flags: qe-verify-

Whiteboard: [post-critsmash-triage]

Ryan VanderMeulen [:RyanVM]

Updated

•

2 years ago

tracking-firefox97: --- → +

tracking-firefox-esr91: --- → 97+

Ryan VanderMeulen [:RyanVM]

Updated

•

2 years ago

status-firefox-esr91: affected → fixed

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Updated

•

2 years ago

Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main97-]

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Updated

•

2 years ago

Whiteboard: [post-critsmash-triage][adv-main97-] → [post-critsmash-triage][adv-main97-][adv-esr91.6-]

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

SetLength() and GetMutableData() are dangerous APIs

Categories

(Core :: XPCOM, enhancement)

Tracking

()

People

(Reporter: mccr8, Assigned: nika)

References

Details

(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main97-][adv-esr91.6-])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Updated

Comment 1

Comment 2

Updated

Updated

Updated

Updated

Updated

Updated

Updated

Updated

Updated

Updated