Closed Bug 1772171 Opened 2 years ago Closed 2 years ago

Move ToDouble back to nsTString

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
103 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox101 --- unaffected
firefox102 + fixed
firefox103 + fixed

People

(Reporter: nika, Assigned: nika)

References

(Regression)

Details

(Keywords: regression, sec-other)

Attachments

(1 file)

Bug 1772171 - Move ToDouble back to nsTString, r=#xpcom-reviewers
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

In bug 1768418, we move ToDouble to nsTStringRepr, however I missed in review that it uses PR_strtod which doesn't take a string length and could overrun when used on a non-null-terminated string.

We should move the method back to nsTString to avoid this issue for now. I have some local changes which could allow it to be implemented on nsTStringRepr again, but they're significant enough that we probably can't safely uplift.

Group: core-security → dom-core-security

This is probably not an active security issue, as there appear to be no new callers introduced since bug 1768418 which call the method on a substring (the build completed successfully with no changes to code outside of nsstring after moving it back). We should probably uplift the fix though to protect future uplifts.

Comment on attachment 9279143 [details]
Bug 1772171 - Move ToDouble back to nsTString, r=#xpcom-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Future uplifts may introduce a sec issue if they call ToDouble on a non-nsCString string.
    There should be no impact on existing code.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small change to revert an API change. Should have no actual behaviour change and is just for guarding against regressions caused by future uplifts.
  • String changes made/needed: None
  • Is Android affected?: Yes
Attachment #9279143 - Flags: approval-mozilla-beta?

Move ToDouble back to nsTString, r=xpcom-reviewers,mccr8
https://hg.mozilla.org/integration/autoland/rev/0ca2d284919ed425bedc5ccd760e6d635e470a7f
https://hg.mozilla.org/mozilla-central/rev/0ca2d284919e

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox103: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
Has Regression Range: --- → yes

Comment on attachment 9279143 [details]
Bug 1772171 - Move ToDouble back to nsTString, r=#xpcom-reviewers

Approved for 102 beta 5, thanks.

Attachment #9279143 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: