Closed
Bug 20031
Opened 25 years ago
Closed 25 years ago
Buffer overflow in long chrome: and file: URLs
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
People
(Reporter: joro, Assigned: norrisboyd)
References
()
Details
(Whiteboard: have fix)
There is a buffer overflow in long chrome: and file: URLs in Mozilla 5.0. As far as I could debug it is not exploitable, but it may turn out to be. Anyway it is unpleasant denial of service attack. The problems are URLs like: chrome://{about 500 'A'}
Assignee | ||
Updated•25 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: have fix
Assignee | ||
Comment 1•25 years ago
|
||
According to http://msdn.microsoft.com/library/devprods/vs6/visualc/vccore/_crt__fullpath.2c_ ._wfullpath.htm, _fullpath can return null. Here's a simple patch: Index: nsFileSpecWin.cpp =================================================================== RCS file: /m/pub/mozilla/xpcom/io/nsFileSpecWin.cpp,v retrieving revision 1.45 diff -C3 -r1.45 nsFileSpecWin.cpp *** nsFileSpecWin.cpp 1999/12/08 02:53:37 1.45 --- nsFileSpecWin.cpp 1999/12/13 19:03:42 *************** *** 73,80 **** *buffer = '\0'; char* canonicalPath = _fullpath(buffer, ioPath, _MAX_PATH); ! NS_ASSERTION( canonicalPath[0] != '\0', "Uh oh...couldn't convert" ); ! if (canonicalPath[0] == '\0') return; ioPath = canonicalPath; --- 73,80 ---- *buffer = '\0'; char* canonicalPath = _fullpath(buffer, ioPath, _MAX_PATH); ! NS_ASSERTION( canonicalPath && canonicalPath[0] != '\0', "Uh oh...couldn't convert" ); ! if (!canonicalPath || canonicalPath[0] == '\0') return; ioPath = canonicalPath;
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in
before you can comment on or make changes to this bug.
Description
•