Closed
Bug 283089
Opened 19 years ago
Closed 18 years ago
Buffer overrun in extensions/transformiix/source/xslt/txXSLTNumberCounters.cpp
Categories
(Core :: XSLT, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: David.R.Gardiner, Assigned: sicking)
References
Details
Attachments
(1 file, 1 obsolete file)
|
1.07 KB,
patch
|
axel
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Running PREfast static code analysis gives the following warning: txxsltnumbercounters.cpp(200) : warning 201: Buffer overrun for stack buffer 'buf': index 11 exceeds maximum valid index 10. problem occurs in function 'txAlphaCounter::appendNumber' If you create an array [11] i think that means the last element is [10]. -dave Reproducible: Always Steps to Reproduce:
|
Assignee | |
Comment 2•19 years ago
|
||
No need to nullterminate, we pass a length to append
Attachment #175085 -
Flags: superreview?(peterv)
Attachment #175085 -
Flags: review?(peterv)
|
||
Comment 3•19 years ago
|
||
I wouldn't like this codepath with aNumber==0. That'd call aDest.Append(buf + 11, 0) which isn't catching the 0 length before accessing the char*.
|
|
Assignee | |
Comment 4•19 years ago
|
||
First off this code should never be called with aNumber < 1. Also, I just looked briefly, but it seemed like .Append was even able to handle a null-data being passed, or does it have specialcased code for that?
|
|
Assignee | |
Comment 5•19 years ago
|
||
I stepped through the code and it didn't seem to access the data if length was 0
|
||
Comment 6•19 years ago
|
||
Comment on attachment 175085 [details] [diff] [review] patch to fix Although I find it a bit worrying too that we'd be able to call Append with |buf + 11|.
Attachment #175085 -
Flags: superreview?(peterv)
Attachment #175085 -
Flags: superreview+
Attachment #175085 -
Flags: review?(peterv)
Attachment #175085 -
Flags: review+
|
|
Assignee | |
Comment 7•19 years ago
|
||
You're all wossies ;) Ok, to this one keeps an extra unused position at the end of the buffer in case we append an empty buffer or .Append accesses data past the end of the buffer. I reduced the size of the buffer since an 'alpha-number' is maximum 7 chars even for unsigned 32bit numbers.
Attachment #175085 -
Attachment is obsolete: true
Attachment #175289 -
Flags: superreview?(peterv)
Attachment #175289 -
Flags: review?(peterv)
|
|
||
Updated•19 years ago
|
Attachment #175289 -
Flags: review?(peterv) → review+
|
|
||
Comment 8•19 years ago
|
||
Comment on attachment 175289 [details] [diff] [review] another patch Actually, I'd be fine with buf[7] :-/.
Attachment #175289 -
Flags: superreview?(peterv) → superreview+
|
|
||
Comment 9•19 years ago
|
||
this will have a merge conflict from bug 287290, which just contains wallpaper. I still think we should land this patch as clean up sugar.
|
|
Assignee | |
Comment 10•19 years ago
|
||
ugh, dbaron beat me to it. I'll check this in once the tree reopens though.
|
|
Assignee | |
Comment 11•18 years ago
|
||
Solving this as worksforme since dbaron checked in a similar patch before this one got done. If someone else wants to land this patch feel free to.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•