Bug 320375 - CVE-2006-0298 Buffer overrun in nsExpatDriver::ParseBuffer [@ nsExpatDriver::ParseBuffer]
Status: RESOLVED FIXED
[sg:low] Read past end of buffer; may...
: fixed1.8.0.1, fixed1.8.1, topcrash
Product: Core
Classification: Components
Component: XML (show other bugs)
: Trunk
: All All
: P1 normal (vote)
: mozilla1.8.1
Assigned To: Peter Van der Beken [:peterv]
: Ashish Bhatt
: Andrew Overholt [:overholt]
Mentors:
http://bonsai.mozilla.org/cvsblame.cg...
Depends on:
Blocks:
Reported: 2005-12-15 05:23 PST by Peter Van der Beken [:peterv]
Modified: 2006-03-10 13:16 PST (History)
6 users
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.1+
bob: in-testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
v1 (755 bytes, patch)
2005-12-15 05:34 PST, Peter Van der Beken [:peterv]
mrbkap: review+
jst: superreview+
dveditz: approval1.8.0.1+
dveditz: approval1.8.1+

Description Peter Van der Beken [:peterv] 2005-12-15 05:23:20 PST
Jst discovered this while helping me debug my patch for bug 274777 (I'd already fixed it without realizing it in my patch for bug 22942).

See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/parser/htmlparser/src/nsExpatDriver.cpp&rev=3.86&mark=879#871
It should read |startOffset = aLength / sizeof(PRUnichar);|.
Comment 1 Peter Van der Beken [:peterv] 2005-12-15 05:34:17 PST
Created attachment 205954 [details] [diff] [review]
v1
Comment 2 Peter Van der Beken [:peterv] 2005-12-15 06:27:51 PST
There's quite a bit of crashes in Talkback that seem caused by this:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsExpatDriver::ParseBuffer&vendor=MozillaOrg&product=Firefox15&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
It's number 37 in the topcrashers list for 1.5. The crash usually happens when we access the buffer, probably with an index that's too big:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/parser/htmlparser/src/nsExpatDriver.cpp&mark=892&rev=MOZILLA_1_8_BRANCH#872
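The description gives the one-line fix (`startOffset = aLength / sizeof(PRUnichar);`) and comment 2 describes the symptom (buffer accessed with an index that is too big). The block below is an added illustration of that unit mismatch and is not Mozilla's code: it assumes that `aLength` is a byte count while the buffer is indexed in 16-bit `PRUnichar` code units, that the pre-fix computation used the byte count directly as the index (an assumption; the report only quotes the corrected line), and it uses a hypothetical `FindLastLineStart` consumer with an explicit bounds check to show how the unconverted index lands past the end of the buffer. The sample buffer is constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for Mozilla's PRUnichar: one 16-bit UTF-16 code unit (assumed for this example).
typedef uint16_t PRUnichar;

// Result of locating the start of the last line in a UTF-16 buffer.
struct ScanResult {
    bool   inBounds;   // false if the computed index could not be used safely
    size_t lineStart;  // index (in code units) of the last line's first character
};

// aLength is a byte count, as in nsExpatDriver::ParseBuffer(aBuffer, aLength).
// This is the corrected computation quoted in the bug description: bytes are
// converted to code units before being used as an index.
size_t StartOffsetFixed(size_t aLength) {
    return aLength / sizeof(PRUnichar);
}

// Assumed pre-fix computation: the byte count used directly as a code-unit
// index. With 2-byte units this is twice the real element count, so any
// non-empty buffer yields an index beyond its end.
size_t StartOffsetUnconverted(size_t aLength) {
    return aLength;
}

// Hypothetical consumer of the offset (not the parser's real line-tracking
// logic): walk back from startOffset to the most recent '\n'. The bounds
// check up front is what turns an over-long index into a refused operation
// instead of a read past the end of the buffer.
ScanResult FindLastLineStart(const PRUnichar* aBuffer, size_t aLength,
                             size_t startOffset) {
    size_t codeUnits = aLength / sizeof(PRUnichar);
    ScanResult r = { false, 0 };
    // startOffset is one past the last unit to examine: it may equal
    // codeUnits but must never exceed it.
    if (startOffset > codeUnits) {
        return r;  // aBuffer[startOffset - 1] would be out of bounds
    }
    r.inBounds = true;
    size_t i = startOffset;
    while (i > 0 && aBuffer[i - 1] != '\n') {
        --i;
    }
    r.lineStart = i;
    return r;
}

// Constructed sample input: "ab\ncd" as UTF-16 code units (5 units, 10 bytes).
static const PRUnichar kSample[] = { 'a', 'b', '\n', 'c', 'd' };
static const size_t kSampleBytes = sizeof(kSample);

int main() {
    ScanResult fixed = FindLastLineStart(kSample, kSampleBytes,
                                         StartOffsetFixed(kSampleBytes));
    ScanResult buggy = FindLastLineStart(kSample, kSampleBytes,
                                         StartOffsetUnconverted(kSampleBytes));
    std::printf("fixed:       inBounds=%d lineStart=%zu\n",
                fixed.inBounds, fixed.lineStart);
    std::printf("unconverted: inBounds=%d (index %zu exceeds %zu code units)\n",
                buggy.inBounds, StartOffsetUnconverted(kSampleBytes),
                kSampleBytes / sizeof(PRUnichar));
    return 0;
}
```

The pattern to check for in a review of similar code is any index derived from a byte length (`aLength`, `sizeof`, a stream's byte count) that is applied to an array whose element size is not one byte; the fix in the report is the conversion, and a bounds check at the point of use is what keeps a stray conversion from becoming an out-of-bounds read.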
Comment 3 Johnny Stenback (:jst, jst@mozilla.com) 2005-12-15 07:53:37 PST
Comment on attachment 205954 [details] [diff] [review]
v1

sr=jst
Comment 4 Blake Kaplan (:mrbkap) (PTO until Jan. 2, 2017) 2005-12-15 10:23:09 PST
Comment on attachment 205954 [details] [diff] [review]
v1

r=mrbkap
Comment 5 Peter Van der Beken [:peterv] 2005-12-16 07:27:49 PST
Checked in on trunk.
Comment 6 Mike Schroepfer 2005-12-19 15:51:22 PST
Can we bake a few more takes and then we'll consider.
Comment 7 Daniel Veditz [:dveditz] 2006-01-03 16:14:00 PST
Comment on attachment 205954 [details] [diff] [review]
v1

a=dveditz
Please add the fixed1.8.0.1 and fixed1.8.1 when checked in to the branches
Comment 8 Marcia Knous [:marcia - use ni] 2006-01-12 15:59:12 PST
Would like to verify this on the branch, but without a testcase or STR it is tough. Can someone help here?
Comment 9 Marcia Knous [:marcia - use ni] 2006-01-18 11:24:05 PST
In order to certify the 1.5.0.1 release, I have been asked to verify this bug. Can I please get some help getting a testcase or STR to verify? Thanks.
Comment 10 Peter Van der Beken [:peterv] 2006-01-18 11:31:50 PST
I'll try to come up with a testcase but it's not trivial. This bug was discovered through code inspection.
Note that there are a bunch of talkbacks (see comment 2), but I never got the crash myself.
Comment 11 Marcia Knous [:marcia - use ni] 2006-01-18 11:52:32 PST
Peter: I don't want to cause excessive work, so if it will take too much time we can have someone inspect the code to verify.

(In reply to comment #10)
> I'll try to come up with a testcase but it's not trivial. This bug was
> discovered through code inspection.
> Note that there are a bunch of talkbacks (see comment 2), but I never got the
> crash myself.
> 

Comment 12 Peter Van der Beken [:peterv] 2006-01-23 08:19:24 PST
The patch that caused this wasn't checked in on the 1.7.x branch.
Comment 13 David Baron :dbaron: ⌚️UTC-10 2006-03-10 13:16:46 PST
nsExpatDriver::ParseBuffer is still showing up as a topcrash for Fx 1.5.0.1.
