Closed Bug 279979 Opened 20 years ago Closed 19 years ago

Possible buffer overrun in nsFontMetricsPh::Init

Categories

(Core Graveyard :: GFX, defect)

Product:
Core Graveyard
Component:
GFX
Platform:
Other
Neutrino
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: sicking, Assigned: amardare)

References

(
URL
)

Details

(Whiteboard: [sg:low] photon only) 

The sprintf into prop[256] in nsFontMetricsPh::Init seems like it could overrun
the size of the buffer. I'd suggest using a safer printf function from NSPR, or
using simple string join-operators.
Or failing that, max-width specifiers in the format string.
Flags: blocking-aviary1.1?
Whiteboard: [sg:fix]
OS: other → Neutrino
FYI Adrian is the guy you want - I have no involvement in Mozilla development. 
Reassigning.
Assignee: cwiebe → amardare
Why does this have [sg:fix]?
transferring nomination to 1.8b4. If we don't get it there, we don't get it for 1.1
Flags: blocking-aviary1.1? → blocking1.8b4?
Flags: blocking1.8b4? → blocking1.8b4-
Is anyone ever going to fix this one? Maybe we should remove the group set so someone who cares about Photon can see it.

[sg:low] on the assumption that the strings involved come from installed fonts. If they're taken directly from a web page's styles without vetting against the installed list then this would be sg:critical.

Simple fix, either format width specifiers, snprintf, or the PR_ equivalent. Someone who can compile on photon would have to review/test. Or we could simply WONTFIX the bug for lack of interest.
Whiteboard: [sg:fix] → [sg:low] photon only
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Reopening, this bug has not been fixed. If the bug is invalid in that it's not exploitable please mark it INVALID
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
wha! sorry, my bad.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED
(In reply to comment #7)
> wha! sorry, my bad. 
> 

did you mean to mark it fixed again?
 char *prop = PR_smprintf( "font.name.%s.%s", str, cstring ); 
is still there.
I didn't actually check that the new code was safe, i just put the bug back to the state it was in. Not sure if PR_smprintf is safe or not.

Adrian: please attach a patch to the bug when you fix it. This is why I didn't think the bug was fixed at first, because there was no activity in the bug. This is especially important for security patches.
Group: security
PR_smprintf() mallocs sufficient space, it's fine. The original code used a plain sprintf() into a fixed-size buffer.
Flags: wanted1.8.1.x+
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.