Closed Bug 20393 Opened 20 years ago Closed 20 years ago

PR_NewPollableEvent may dereference invalid/NULL pointers.

Categories

(NSPR :: NSPR, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

PR_NewPollableEvent assumes that if PR_CreatePipe or
PR_NewTCPSocketPair fails, it won't change its argument
(the 'fd' array).  This assumption is not true for
the current implementation of PR_NewTCPSocketPair.
That is, if PR_NewTCPSocketPair fails, it is possible
that fd[0] gets set to a non-NULL value.  So the following
may happen:
    fd[0] = fd[1] = NULL;
    PR_NewTCPSocketPair fails;
    fd[0] is set to some non-NULL value; fd[1] is unchanged (NULL).

Since fd[0] is not NULL, we call
    PR_Close(fd[0]);
    PR_Close(fd[1]);
The first PR_Close call dereferences an invalid pointer and
the second PR_Close call dereferences a NULL pointer.

Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

I checked in a fix to set both fd[0] and fd[1] to NULL
if PR_CreatePipe or PR_NewTCPSocketPair fails.
/cvsroot/mozilla/nsprpub/pr/src/io/prpolevt.c, revision 3.6

This fix is also checked into the internal repository.
/m/src/ns/nspr20/pr/src/io/prpolevt.c, revision 2.10
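
Added example, not NSPR source and not part of the bug report: a self-contained C model of the failure mode described above, with the cleanup path that trusts fd[0] beside one that resets both slots on failure. The `Handle` type, `new_pair_fails`, and both caller functions are hypothetical names, and the model assumes the pointer is invalid because the failing call already released it; misuse is counted instead of dereferenced so the program runs safely.

```c
#include <stddef.h>

/* Constructed stand-in for a descriptor object; not NSPR's PRFileDesc. */
typedef struct { int open; } Handle;

static Handle pool[1];
static int bad_closes; /* closes of a NULL or already-released handle */

/* A real close would dereference h; this model only counts the misuse. */
static void handle_close(Handle *h) {
    if (h == NULL || !h->open) { bad_closes++; return; }
    h->open = 0;
}

/* Hypothetical pair constructor that fails halfway (assumption): it writes
 * out[0], releases that handle in its own error path, and returns -1
 * without resetting out[0]. out[1] is never written. */
static int new_pair_fails(Handle *out[2]) {
    pool[0].open = 1;
    out[0] = &pool[0];
    handle_close(out[0]); /* internal cleanup; out[0] is now stale */
    return -1;
}

/* Pattern from the report: cleanup is chosen by inspecting fd[0],
 * assuming a failed call left the array untouched. */
static int caller_trusting(void) {
    Handle *fd[2] = { NULL, NULL };
    bad_closes = 0;
    (void)new_pair_fails(fd);
    if (fd[0] != NULL) {
        handle_close(fd[0]); /* stale handle */
        handle_close(fd[1]); /* NULL handle */
    }
    return bad_closes;
}

/* Pattern from the fix, applied here in the caller: act on the return
 * status and set both slots to NULL before any cleanup looks at them. */
static int caller_resetting(void) {
    Handle *fd[2] = { NULL, NULL };
    bad_closes = 0;
    if (new_pair_fails(fd) != 0) fd[0] = fd[1] = NULL;
    if (fd[0] != NULL) { handle_close(fd[0]); handle_close(fd[1]); }
    return bad_closes;
}
```
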