Closed Bug 300115 Opened 19 years ago Closed 19 years ago

nsXPInstallManager::OnDataAvailable may consume more data than expected

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

Product:
Core Graveyard
Component:
Installer: XPInstall Engine
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: darin.moz, Assigned: dougt)

Details

(Keywords: fixed1.8)

Attachments

(1 file)

patch v.1
1.98 KB, patch
darin.moz
: review+
dveditz
: superreview+
asa
: approval1.8b4+
Details | Diff | Splinter Review 
nsXPInstallManager::OnDataAvailable may consume more data than expected.

The code reads data from the given stream into an 8k stack buffer.  If the
|length| parameter passed to OnDataAvailable is less than 8k and if the stream
contains more than |length| bytes, nsXPInstallManager will end up reading more
than the expected number of bytes from the stream.  In most cases this is not a
major problem for the caller; however, in this case it is a problem for
nsXPInstallManager because it decrements length by the number of bytes read from
the stream, and it does not stop reading until length reaches zero.  Since
length is an unsigned quantity, it is possible that reading more than length
bytes would result in length underflowing.  That in turn would cause
nsXPInstallManager to continue looping, and reading from the stream would likely
fail with an NS_BASE_STREAM_WOULD_BLOCK error, terminating the channel and
resulting in a failed XPI download.

This error probably occurs infrequently as additional data would have to arrive
at just the right time and be inserted into the data pipe at just the right
moment to trigger this bug.  But, the race condition does exist, so I'm sure
this bug must have impacted some user somewhere.
Attached patch patch v.1Splinter Review 
This patch ensures that we never read more then |length| on the stream.  We do
this by setting |amt| to be the min of 8k and length.

It also ensures that length remains >=0.
Assignee: darin → dougt
Status: NEW → ASSIGNED
Attachment #188690 - Flags: superreview?(dveditz)
Attachment #188690 - Flags: review?(darin)
Comment on attachment 188690 [details] [diff] [review]
patch v.1

sizeof(buffer) is good in place of XPI_ODA_BUFFER_SIZE too, but this definitely
works.	Thanks for the patch!  r=darin
Attachment #188690 - Flags: review?(darin) → review+
Comment on attachment 188690 [details] [diff] [review]
patch v.1

sr=dveditz
Attachment #188690 - Flags: superreview?(dveditz) → superreview+
Attachment #188690 - Flags: approval1.8b3?
Attachment #188690 - Flags: approval1.7.9?
Attachment #188690 - Flags: approval-aviary1.0.5?
Flags: blocking1.8b3?
Flags: blocking1.7.9?
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.5?
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Flags: blocking1.8b3-
Flags: blocking1.7.9?
Flags: blocking1.7.9-
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5-
Attachment #188690 - Flags: approval1.8b3? → approval1.8b4+
Attachment #188690 - Flags: approval1.7.9?
Attachment #188690 - Flags: approval-aviary1.0.5?
doug, can you land this and mark the keyword fixed1.8 when it's landed on the
branch? Thanks.
1.8 BRANCH:
Checking in nsXPInstallManager.cpp;
/cvsroot/mozilla/xpinstall/src/nsXPInstallManager.cpp,v  <--  nsXPInstallManager.cpp
new revision: 1.135.2.1; previous revision: 1.135
done

TRUNK:
Checking in nsXPInstallManager.cpp;
/cvsroot/mozilla/xpinstall/src/nsXPInstallManager.cpp,v  <--  nsXPInstallManager.cpp
new revision: 1.136; previous revision: 1.135
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Flags: blocking1.7.13?
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: