Closed
Bug 283565
Opened 20 years ago
Closed 19 years ago
Improper use of Realloc (mlk/crash) and silly return value for OOM
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: timeless, Assigned: timeless)
References
()
Details
(4 keywords, Whiteboard: [kerh-cuz] [sg:low?])
Attachments
(1 file, 1 obsolete file)
|
1.17 KB,
patch
|
KaiE
:
review+
dveditz
:
superreview+
dveditz
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/xpcom/build/nsXPCOM.h&rev=1.15&mark=227-246#226 see also bug 248695 / bug 244478 comment 13.
|
||
Comment 1•20 years ago
|
||
Attachment #176371 -
Flags: superreview?(dveditz)
Attachment #176371 -
Flags: review?(timeless)
Attachment #176371 -
Flags: review+
|
||
Updated•19 years ago
|
Whiteboard: [kerh-cuz]
|
||
Comment 2•19 years ago
|
||
Comment on attachment 176371 [details] [diff] [review] Handle realloc correct and return correct error As long as we're touching this code we should clean it up. combine the Realloc/Alloc cases by dropping the if (mData) test. There's also no way for len to be < 0 so the final else assertion/return is just silly. if (len) if (mLen < len) realloc... memcpy else if (mData) free
Attachment #176371 -
Flags: superreview?(dveditz) → superreview-
|
||
Comment 3•19 years ago
|
||
*** Bug 334188 has been marked as a duplicate of this bug. ***
|
|
||
Comment 4•19 years ago
|
||
When realloc decides to move the data, the existing code creates a dangling-pointer situation, so it could be a security hole.
Group: security
Flags: blocking1.8.0.3?
Whiteboard: [kerh-cuz] → [kerh-cuz] [sg:critical?]
Assignee: dewildt → timeless
Attachment #176371 -
Attachment is obsolete: true
Attachment #218583 -
Flags: superreview?(dveditz)
Attachment #218583 -
Flags: review?(jruderman)
|
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.3? → blocking1.8.0.3+
|
|
||
Comment 6•19 years ago
|
||
Comment on attachment 218583 [details] [diff] [review] consistently use realloc sr=dveditz
Attachment #218583 -
Flags: superreview?(dveditz)
Attachment #218583 -
Flags: superreview+
Attachment #218583 -
Flags: review?(kengert)
Attachment #218583 -
Flags: review?(jruderman)
|
|
||
Comment 7•19 years ago
|
||
Comment on attachment 218583 [details] [diff] [review] consistently use realloc r=kengert
Attachment #218583 -
Flags: review?(kengert) → review+
|
|
||
Comment 8•19 years ago
|
||
Comment on attachment 218583 [details] [diff] [review] consistently use realloc approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218583 -
Flags: approval1.8.0.4+
Attachment #218583 -
Flags: approval-branch-1.8.1+
|
|
||
Comment 9•19 years ago
|
||
Checked in on trunk and 1.8/1.8.0 branches:
> new revision: 1.9.28.1.2.1; previous revision: 1.9.28.1
> new revision: 1.9.28.2; previous revision: 1.9.28.1
> new revision: 1.12; previous revision: 1.11Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.0.4,
fixed1.8.1
Resolution: --- → FIXED
|
||
Updated•19 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 10•19 years ago
|
||
The only use of nsNSSASN1PrintableItem::SetData I can find in Mozilla code is from buildASN1ObjectFromDER http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSASN1Object.cpp&rev=1.12&mark=204,209#203 Since that creates a fresh new printableItem and calls SetData on it once this must have used the alloc path and not the realloc path, thus this wasn't exploitable in practice. Perhaps in a non-Mozilla PSM client, if there is such a thing. Kai: am I missing another use of this object?
Whiteboard: [kerh-cuz] [sg:critical?] → [kerh-cuz] [sg:low?]
|
|
||
Updated•19 years ago
|
Group: security
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•