Closed
Bug 314456
Opened 20 years ago
Closed 20 years ago
decodeURIComponent and confirmEx show parts of the memory
Categories
(Core :: JavaScript Engine, defect, P2)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: legege, Assigned: mrbkap)
References
Details
(Keywords: verified1.7.13, verified1.8, Whiteboard: [sg:low] minor memory leak [patch])
Attachments
(1 file, 1 obsolete file)
|
2.25 KB,
patch
|
brendan
:
review+
dveditz
:
superreview+
dveditz
:
approval-aviary1.0.8+
dveditz
:
approval1.7.13+
asa
:
approval1.8rc2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
This peace of code shows a part of the memory.
var s=decodeURIComponent("");
Components.classes["@mozilla.org/embedcomp/prompt-service;1"]
.getService(Components.interfaces.nsIPromptService).confirmEx(window,
"test",s,0,null, null, null, null, { });
Reproducible: Always
Steps to Reproduce:
1. Run this script
Actual Results:
A part of the memory is displayed in this message box.
Expected Results:
An empty message.
http://forums.mozillazine.org/viewtopic.php?p=1843365#1843365
|
||
Comment 1•20 years ago
|
||
Confirming, does leak a little memory. Not sure I see the point of making the bug security sensitive after making a public forum post about it...
alert and confirm available to web scripts handle the returned empty string correctly so I don't think this is a security issue (chrome scripts can already do anything).
I haven't debugged this yet, but I wonder if the problem is javascript uses length-counted strings while the raw prompt service requires null-terminated ones, and something in there isn't translating the string types correctly.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 2•20 years ago
|
||
Looks like the problem is in Decode() in jsstr.c, and Encode() has the same problem. (That means this also affects decodeURI, encodeURI and encoderURIComponent.) At the end the working string R->chars is realloc'd, normally OK but in the case of an empty string realloc(null, 0+1) gets you fresh memory that's never initialized.
Could special-case "" and bail early, or check for length == 0 at the end.
Assignee: nobody → dveditz
Component: General → JavaScript Engine
Product: Firefox → Core
Whiteboard: [sg:low] minor memory leak
Version: unspecified → Trunk
|
|
||
Comment 3•20 years ago
|
||
Attachment #201408 -
Flags: superreview?(brendan)
Attachment #201408 -
Flags: review?(mrbkap)
|
Assignee | |
Comment 4•20 years ago
|
||
This seems like the perfect time for a use of the emptyString (and we avoid two allocations in the process).
dveditz, what do you think?
Attachment #201436 -
Flags: superreview?(dveditz)
Attachment #201436 -
Flags: review?(brendan)
|
|
||
Comment 5•20 years ago
|
||
Comment on attachment 201436 [details] [diff] [review]
Alternative: avoid doing any work at all.
sure, the bail-early approach is better.
Attachment #201436 -
Flags: superreview?(dveditz) → superreview+
|
|
Assignee | |
Updated•20 years ago
|
Attachment #201408 -
Attachment is obsolete: true
Attachment #201408 -
Flags: superreview?(brendan)
Attachment #201408 -
Flags: review?(mrbkap)
|
|
Assignee | |
Updated•20 years ago
|
Assignee: dveditz → mrbkap
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
|
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
Whiteboard: [sg:low] minor memory leak → [sg:low] minor memory leak [patch]
|
||
Comment 6•20 years ago
|
||
Comment on attachment 201436 [details] [diff] [review]
Alternative: avoid doing any work at all.
r=me, can ride along, no risk.
/be
Attachment #201436 -
Flags: review?(brendan)
Attachment #201436 -
Flags: review+
Attachment #201436 -
Flags: approval1.8rc2?
|
|
Assignee | |
Comment 7•20 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Flags: blocking1.8rc1?
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
|
||
Updated•20 years ago
|
Flags: blocking1.8rc1? → blocking1.8rc2?
|
|
||
Updated•20 years ago
|
Attachment #201436 -
Flags: approval1.8rc2? → approval1.8rc2+
|
||
Updated•20 years ago
|
Flags: blocking1.8rc2? → blocking1.8rc2+
|
||
Comment 9•20 years ago
|
||
needs to go in the "security" suite, not the js test library.
|
|
||
Updated•20 years ago
|
Flags: testcase?
|
|
||
Comment 10•20 years ago
|
||
Legendre's test will be available as tests/mozilla.org/security/314456-01.html in the qa test farm.
Flags: testcase? → testcase+
|
|
Assignee | |
Comment 11•20 years ago
|
||
Comment on attachment 201436 [details] [diff] [review]
Alternative: avoid doing any work at all.
Dan, Tim, is this something that we want on the 1.7 branch?
Attachment #201436 -
Flags: approval1.7.13?
Attachment #201436 -
Flags: approval-aviary1.0.8?
|
|
||
Comment 12•20 years ago
|
||
Comment on attachment 201436 [details] [diff] [review]
Alternative: avoid doing any work at all.
approved for old branches, a=dveditz for drivers
Attachment #201436 -
Flags: approval1.7.13?
Attachment #201436 -
Flags: approval1.7.13+
Attachment #201436 -
Flags: approval-aviary1.0.8?
Attachment #201436 -
Flags: approval-aviary1.0.8+
|
|
Assignee | |
Comment 13•20 years ago
|
||
Fix checked into the 1.7 branches.
Keywords: fixed-aviary1.0.8,
fixed1.7.13
|
|
||
Comment 14•20 years ago
|
||
v ff on 1.7.13, 1.8.0.1, 1.8, 1.9a1 windows/linux/mac 20060221, moz 1.7.13 windows 20060221
Status: RESOLVED → VERIFIED
Keywords: fixed-aviary1.0.8,
fixed1.7.13,
fixed1.8 → verified-aviary1.0.8,
verified1.7.13,
verified1.8
|
|
||
Updated•19 years ago
|
Group: security
|
|
Assignee | |
Comment 15•19 years ago
|
||
*** Bug 232223 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•