Closed
Bug 278842
Opened 20 years ago
Closed 20 years ago
Potential out of bounds array access in netwerk/mime/src/nsMIMEHeaderParamImpl.cpp
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
VERIFIED
INVALID
People
(Reporter: martin.gerbershagen, Assigned: darin.moz)
Details
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8a5) Gecko/20041129 Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8a5) Gecko/20041129 I found several pieces of the following code // Skip over whitespace, '=', and whitespace while (nsCRT::IsAsciiSpace(*str)) ++str; if (*str == '=') ++str; while (nsCRT::IsAsciiSpace(*str)) ++str; in the function nsMIMEHeaderParamImpl::GetParameterInternal. In the while condition a check for the terminating 0 byte of the string is missing. Also the 0 byte is not checked on nsCRT::IsAsciiSpace. If the input string contains only spaces until its end, the while loop can access memory beyond the input string. This usually crashes the application or can result in copying the contents of arbitrary memory to the result string and create a potential (maybe minor) security problem. Reproducible: Always Steps to Reproduce: Expected Results: while (*str && nsCRT::IsAsciiSpace(*str)) ++str; if (*str == '=') ++str; while (*str && nsCRT::IsAsciiSpace(*str)) ++str; if (!*str) return ...
Reporter | ||
Comment 1•20 years ago
|
||
The checks for *str can be omitted in the suggested correction: while (nsCRT::IsAsciiSpace(*str)) ++str; if (*str == '=') ++str; while (&& nsCRT::IsAsciiSpace(*str)) ++str; if (!*str) return ...
Comment 2•20 years ago
|
||
I don't see the problem. IsAsciiSpace returns PR_FALSE for 0.
Assignee: general → darin
Component: General → Networking
Product: Mozilla Application Suite → Core
QA Contact: general → benc
Version: unspecified → Trunk
Reporter | ||
Comment 3•20 years ago
|
||
The problem is in the else block in line 230 (marked with ->): // Skip over whitespace, '=', and whitespace while (nsCRT::IsAsciiSpace(*str)) ++str; if (*str == '=') ++str; while (nsCRT::IsAsciiSpace(*str)) ++str; if (*str != '"') { // The value is a token, not a quoted string. valueStart = str; for (valueEnd = str; *valueEnd && !nsCRT::IsAsciiSpace (*valueEnd) && *valueEnd != ';'; valueEnd++) ; str = valueEnd; } else { // The value is a quoted string. -> ++str; valueStart = str; for (valueEnd = str; *valueEnd; ++valueEnd) { if (*valueEnd == '\\') ++valueEnd; else if (*valueEnd == '"') break; } str = valueEnd + 1; } If while (nsCRT::IsAsc...) terminates at the 0 byte, str is incremented and the processing continues beyond the end of the string in the else block.
Reporter | ||
Comment 4•20 years ago
|
||
I checked it again. Please forget this report. I was wrong.
Comment 5•20 years ago
|
||
invalid per reporter.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•