Closed Bug 20393 Opened 20 years ago Closed 20 years ago
PR_NewPollableEvent may dereference invalid/NULL pointers.
PR_NewPollableEvent assumes that if PR_CreatePipe or PR_NewTCPSocketPair fails, it won't change its argument (the 'fd' array). This assumption is not true for the current implementation of PR_NewTCPSocketPair. That is, if PR_NewTCPSocketPair fails, it is possible that fd[0] gets set to a non-NULL value. So the following may happen:
    fd[0] = fd[1] = NULL;
    PR_NewTCPSocketPair fails; fd[0] is set to some non-NULL value; fd[1] is unchanged (NULL).
    Since fd[0] is not NULL, we call PR_Close(fd[0]); PR_Close(fd[1]);
The first PR_Close call dereferences an invalid pointer and the second PR_Close call dereferences a NULL pointer.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I checked in a fix to set both fd[0] and fd[1] to NULL if PR_CreatePipe or PR_NewTCPSocketPair fails.
/cvsroot/mozilla/nsprpub/pr/src/io/prpolevt.c, revision 3.6
This fix is also checked into the internal repository.
/m/src/ns/nspr20/pr/src/io/prpolevt.c, revision 2.10
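The failure path described in this bug, as an added example (not NSPR code and not part of the original report or fix): a small C model in which desc_t, model_socket_pair and model_close are hypothetical stand-ins for PRFileDesc, PR_NewTCPSocketPair and PR_Close. The stale and NULL descriptors are counted rather than dereferenced, so the model is safe to run.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for PRFileDesc, PR_NewTCPSocketPair and PR_Close. */
typedef struct { int open; } desc_t;

static desc_t slot0;      /* backing object for the first descriptor */
static int bad_closes;    /* closes that would dereference a bad pointer */

/* Counts a fault instead of crashing so the model is safe to run. */
static void model_close(desc_t *d) {
    if (d == NULL || !d->open) { bad_closes++; return; }
    d->open = 0;
}

/* Always fails, but only after storing the first descriptor and releasing
   it, so out[0] is left non-NULL and stale while out[1] is never written. */
static int model_socket_pair(desc_t *out[2]) {
    slot0.open = 1;
    out[0] = &slot0;
    slot0.open = 0;       /* released on the error path; out[0] not cleared */
    return -1;
}

/* Caller error path. apply_fix = 0: cleanup as the report describes it.
   apply_fix = 1: clear both slots when the callee reports failure. */
static int run_failure_path(int apply_fix) {
    desc_t *fd[2] = { NULL, NULL };
    bad_closes = 0;
    if (model_socket_pair(fd) != 0 && apply_fix)
        fd[0] = fd[1] = NULL;
    if (fd[0] != NULL) {  /* assumes a failed call left fd untouched */
        model_close(fd[0]);
        model_close(fd[1]);
    }
    return bad_closes;
}

int main(void) {
    printf("without fix: %d bad closes\n", run_failure_path(0));
    printf("with fix:    %d bad closes\n", run_failure_path(1));
    return 0;
}
```

Clearing the array in the caller makes the cleanup depend only on the callee's return status, not on what a failed call happened to leave in its output argument.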