Closed
Bug 283089
Opened 20 years ago
Closed 19 years ago
Buffer overrun in extensions/transformiix/source/xslt/txXSLTNumberCounters.cpp
Categories
(Core :: XSLT, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: David.R.Gardiner, Assigned: sicking)
References
Details
Attachments
(1 file, 1 obsolete file)
|
1.07 KB,
patch
|
axel
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Running PREfast static code analysis gives the following warning:
txxsltnumbercounters.cpp(200) : warning 201: Buffer overrun for stack buffer
'buf': index 11 exceeds maximum valid index 10.
problem occurs in function 'txAlphaCounter::appendNumber'
If you create an array [11] i think that means the last element is [10].
-dave
Reproducible: Always
Steps to Reproduce:
|
Assignee | |
Comment 2•20 years ago
|
||
No need to nullterminate, we pass a length to append
Attachment #175085 -
Flags: superreview?(peterv)
Attachment #175085 -
Flags: review?(peterv)
|
||
Comment 3•20 years ago
|
||
I wouldn't like this codepath with aNumber==0. That'd call
aDest.Append(buf + 11, 0)
which isn't catching the 0 length before accessing the char*.
|
|
Assignee | |
Comment 4•20 years ago
|
||
First off this code should never be called with aNumber < 1. Also, I just looked
briefly, but it seemed like .Append was even able to handle a null-data being
passed, or does it have specialcased code for that?
|
|
Assignee | |
Comment 5•20 years ago
|
||
I stepped through the code and it didn't seem to access the data if length was 0
|
||
Comment 6•20 years ago
|
||
Comment on attachment 175085 [details] [diff] [review]
patch to fix
Although I find it a bit worrying too that we'd be able to call Append with
|buf + 11|.
Attachment #175085 -
Flags: superreview?(peterv)
Attachment #175085 -
Flags: superreview+
Attachment #175085 -
Flags: review?(peterv)
Attachment #175085 -
Flags: review+
|
|
Assignee | |
Comment 7•20 years ago
|
||
You're all wossies ;)
Ok, to this one keeps an extra unused position at the end of the buffer in case
we append an empty buffer or .Append accesses data past the end of the buffer.
I reduced the size of the buffer since an 'alpha-number' is maximum 7 chars
even for unsigned 32bit numbers.
Attachment #175085 -
Attachment is obsolete: true
Attachment #175289 -
Flags: superreview?(peterv)
Attachment #175289 -
Flags: review?(peterv)
|
|
||
Updated•20 years ago
|
Attachment #175289 -
Flags: review?(peterv) → review+
|
|
||
Comment 8•20 years ago
|
||
Comment on attachment 175289 [details] [diff] [review]
another patch
Actually, I'd be fine with buf[7] :-/.
Attachment #175289 -
Flags: superreview?(peterv) → superreview+
|
|
||
Comment 9•20 years ago
|
||
this will have a merge conflict from bug 287290, which just contains wallpaper.
I still think we should land this patch as clean up sugar.
|
|
Assignee | |
Comment 10•20 years ago
|
||
ugh, dbaron beat me to it. I'll check this in once the tree reopens though.
|
|
Assignee | |
Comment 11•19 years ago
|
||
Solving this as worksforme since dbaron checked in a similar patch before this one got done. If someone else wants to land this patch feel free to.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•