Open Bug 264999 Opened 17 years ago Updated 1 year ago

atoms do not handle embedded NUL characters

Categories

(Core :: XPCOM, defect)

x86
Windows XP
defect
Not set
normal

REOPENED

People

(Reporter: mrbkap, Unassigned)

While debugging bug 264956, bz and I found that atoms do not handle embedded NUL
characters. This was an issue because we were given "input\0AAA" so the parser
was creating a user-defined node, but when we later created an atom out of it, it
came back as "input", so we ended up trying to QI as an input element and crashing.

The fix to bug 264956 prevents this now, but as NULs can also come through
attributes, and these also get turned into atoms, this is still a problem.
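
The truncation described in the report, as an added C sketch (not Mozilla's atom code and not the patch from bug 228856): a constructed intern table whose C-string entry point conflates "input\0AAA" with "input", beside a length-aware entry point that keeps them distinct. The names Atom, atom_intern_n and atom_intern_cstr are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of an intern ("atom") table; hypothetical names. */
typedef struct Atom {
    size_t len;          /* byte length, may cover embedded NULs */
    char *data;          /* len bytes plus a terminating NUL for convenience */
    struct Atom *next;
} Atom;

static Atom *g_atoms;    /* one linked list instead of hash buckets, for brevity */

/* Length-aware interning: identity is (bytes, len), compared with memcmp,
 * so bytes after an embedded NUL are part of the key. */
const Atom *atom_intern_n(const char *s, size_t len) {
    for (Atom *a = g_atoms; a; a = a->next)
        if (a->len == len && memcmp(a->data, s, len) == 0)
            return a;
    Atom *a = malloc(sizeof *a);
    if (!a) return NULL;
    a->data = malloc(len + 1);
    if (!a->data) { free(a); return NULL; }
    memcpy(a->data, s, len);
    a->data[len] = '\0';
    a->len = len;
    a->next = g_atoms;
    g_atoms = a;
    return a;
}

/* Failure mode from the report: a C-string entry point measures with
 * strlen, so everything after the first NUL is silently dropped. */
const Atom *atom_intern_cstr(const char *s) {
    return atom_intern_n(s, strlen(s));
}

int main(void) {
    static const char tag[] = "input\0AAA";   /* constructed sample, 9 bytes */
    const Atom *plain = atom_intern_n("input", 5);
    const Atom *trunc = atom_intern_cstr(tag);
    const Atom *full  = atom_intern_n(tag, sizeof tag - 1);
    /* trunc aliases the "input" atom; full stays a distinct 9-byte atom */
    return (trunc == plain && full != plain && full->len == 9) ? 0 : 1;
}
```

Any caller that holds a counted string but reaches the table through the C-string path sees a different name than the parser did, which is the mismatch that led to the bad QI in the report.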

To be precise, our mutation event code atomizes attribute _values_, which can
well contain nulls.

XUL elements atomize all attribute values smaller than a certain size. All
other elements should as well, though I don't think I actually flicked the
switch on that.

I don't believe null characters are ever valid characters in XML data, but maybe
they can in HTML... But I don't think there's anything preventing them from
coming in through the DOM...

FYI, I fixed Atom and friends to handle NUL in bug 228856 (Patch2).
Depends on: CVE-2008-5510
Assignee: dougt → nobody
QA Contact: xpcom
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2008-5510
The patch that Mats wrote, fixing Atom, was never applied (as far as I know).  We went with a different, narrower fix in the CSS parser for bug 228856.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---