Off-by-one in mar_consume_index

RESOLVED FIXED in mozilla1.8final

13 years ago
10 years ago

People

(Reporter: madmoose, Assigned: darin.moz)

Tracking

({fixed1.8})

unspecified
mozilla1.8final
PowerPC
Mac OS X
fixed1.8

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050704 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050704 Firefox/1.0+

When reading in an entry in a .mar index, mar_consume_index verifies the
existence of 2 PRUint's, and a name of at least 1 byte and a null byte. It then
proceeds to read in 3 PRUint's and a name.

See http://lxr.mozilla.org/seamonkey/source/modules/libmar/src/mar_read.c#114

Reproducible: Always

Steps to Reproduce:
(Assignee)

Comment 1

13 years ago
thanks for the bug report.  -> me
Assignee: nobody → darin
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Updated

13 years ago
Blocks: 296303
(Assignee)

Comment 2

13 years ago
This bug was introduced when I extended the MAR file format to include the flags
field.  It's a fairly minor bug as there should be no way for Firefox to read a
malicious or corrupt MAR file.
Status: NEW → ASSIGNED
Target Milestone: --- → Firefox1.1
(Assignee)

Comment 3

13 years ago
Created attachment 190490 [details] [diff] [review]
v1 patch
Attachment #190490 - Flags: review?(benjamin)

Updated

13 years ago
Attachment #190490 - Flags: review?(benjamin) → review+
(Assignee)

Updated

13 years ago
Attachment #190490 - Flags: approval1.8b4?

Updated

13 years ago
Attachment #190490 - Flags: approval1.8b4? → approval1.8b4+
(Assignee)

Comment 4

13 years ago
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Assignee)

Updated

13 years ago
Keywords: fixed1.8
Product: Firefox → Toolkit
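
The size check described in the report, next to a bounds-checked entry parser, as an added example that is not part of this bug thread and is not Mozilla's libmar code. The field names `offset` and `length`, the big-endian encoding, the function names and the sample bytes are assumptions made for illustration; only the entry shape (three 32-bit integers including flags, a name of at least one byte, a null byte) comes from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Entry layout per the report: three 32-bit integers, a name of at least
 * one byte, and a terminating null byte. Field names other than "flags"
 * and the big-endian encoding are assumptions of this example. */
struct entry { uint32_t offset, length, flags; const unsigned char *name; };
#define MIN_ENTRY (3u * sizeof(uint32_t) + 2u)

static uint32_t be32(const unsigned char *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Size check as the report describes it: only two integers are counted. */
int precheck_as_reported(size_t remaining) {
  return remaining >= 2u * sizeof(uint32_t) + 2u;
}

/* Size check that matches what the parser actually reads. */
int precheck_fixed(size_t remaining) { return remaining >= MIN_ENTRY; }

/* Parse one entry from [*cur, end). Returns 0 and advances *cur on success,
 * -1 on a truncated, unterminated or empty-named entry. Never reads at or
 * past end. */
int consume_entry(const unsigned char **cur, const unsigned char *end,
                  struct entry *out) {
  const unsigned char *p = *cur, *nul;
  if (p > end || !precheck_fixed((size_t)(end - p))) return -1;
  out->offset = be32(p);
  out->length = be32(p + 4);
  out->flags  = be32(p + 8);
  p += 3 * sizeof(uint32_t);
  nul = memchr(p, 0, (size_t)(end - p));   /* search is bounded by end */
  if (nul == NULL || nul == p) return -1;
  out->name = p;
  *cur = nul + 1;
  return 0;
}

int main(void) {
  /* Constructed sample entry, then the same buffer truncated to 10 bytes. */
  const unsigned char buf[] = {0,0,0,0x10, 0,0,0,0x20, 0,0,1,0xa4, 'a','.','t',0};
  const unsigned char *c = buf, *t = buf;
  struct entry e;
  int full = consume_entry(&c, buf + sizeof buf, &e);
  int cut = consume_entry(&t, buf + 10, &e);
  printf("full=%d cut=%d reported_check(10)=%d\n", full, cut, precheck_as_reported(10));
  return 0;
}
```

A 10-byte remainder satisfies the two-integer check but is four bytes short of what a three-integer read consumes, which is the gap the report points out.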