Closed Bug 320375 Opened 19 years ago Closed 19 years ago

CVE-2006-0298 Buffer overrun in nsExpatDriver::ParseBuffer [@ nsExpatDriver::ParseBuffer]

Categories

(Core :: XML, defect, P1)

Product:
Core
Component:
XML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: peterv, Assigned: peterv)

References

(
URL
)

Details

(Keywords: fixed1.8.0.1, fixed1.8.1, topcrash, Whiteboard: [sg:low] Read past end of buffer; may expose memory on heap)

Crash Data

Attachments

(1 file)

v1
755 bytes, patch
mrbkap
: review+
jst
: superreview+
dveditz
: approval1.8.0.1+
dveditz
: approval1.8.1+
Details | Diff | Splinter Review 
Jst discovered this while helping me debug my patch for bug 274777 (I'd already fixed it without realizing it in my patch for bug 22942).

See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/parser/htmlparser/src/nsExpatDriver.cpp&rev=3.86&mark=879#871 It should read |startOffset = aLength / sizeof(PRUnichar);|.
URL: http://bonsai.mozilla.org/cvsblame.cg...
Status: NEW → ASSIGNED
Priority: -- → P1
Attached patch v1 β€” β€” Splinter Review 

  

  



        Attachment #205954 -
        Flags: superreview?(jst)

        Attachment #205954 -
        Flags: review?(mrbkap)

    
    

    
  
There's quite a bit of crashes in Talkback that seem caused by this: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsExpatDriver::ParseBuffer&vendor=MozillaOrg&product=Firefox15&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid It's number 37 in the topcrashers list for 1.5. The crash usually happens when we access the buffer, probably with an index that's too big: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/parser/htmlparser/src/nsExpatDriver.cpp&mark=892&rev=MOZILLA_1_8_BRANCH#872

  

  


Summary: Buffer overrun in nsExpatDriver::ParseBuffer → Buffer overrun in nsExpatDriver::ParseBuffer [@ nsExpatDriver::ParseBuffer]

    
    

    
  
Comment on attachment 205954 [details] [diff] [review]
v1

sr=jst

  

  



        Attachment #205954 -
        Flags: superreview?(jst) → superreview+

    
    

    
  
Comment on attachment 205954 [details] [diff] [review]
v1

r=mrbkap

  

  



        Attachment #205954 -
        Flags: review?(mrbkap) → review+

    
  
Flags: blocking1.8.0.1?
Whiteboard: [sg:low] Buffer overflow, at worst may expose memory on heap

    
  
Whiteboard: [sg:low] Buffer overflow, at worst may expose memory on heap → [sg:low] Read past end of buffer; at worst may expose memory on heap

    
  
Whiteboard: [sg:low] Read past end of buffer; at worst may expose memory on heap → [sg:moderate] Read past end of buffer; may expose memory on heap

    
  

        Attachment #205954 -
        Flags: approval1.8.0.1?

    
  
Group: security

    
    

    
  
Checked in on trunk.

  

  


Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Can we bake a few more takes and then we'll consider.


  

  



    
    

    
  
Comment on attachment 205954 [details] [diff] [review]
v1

a=dveditz
Please add the fixed1.8.0.1 and fixed1.8.1 when checked in to the branches

  

  



        Attachment #205954 -
        Flags: approval1.8.1+

        Attachment #205954 -
        Flags: approval1.8.0.1?

        Attachment #205954 -
        Flags: approval1.8.0.1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1+

    
  
Keywords: fixed1.8.0.1, 
          
            fixed1.8.1
Target Milestone: mozilla1.9alpha → mozilla1.8.1

    
    

    
  
Would like to verify this on the branch, but without a testcase or STR it is tough. Can someone help here?

  

  


Flags: testcase-

    
    

    
  
In order to certify the 1.5.0.1 release, I have been asked to verify this bug. Can I please get some help getting a testcase or STR to verify?  Thanks.

  

  



    
    

    
  
I'll try to come up with a testcase but it's not trivial. This bug was discovered through code inspection.
Note that there are a bunch of talkbacks (see comment 2), but I never got the crash myself.

  

  



    
    

    
  
Peter: I don't want to cause excessive work, so if it will take too much time we can have someone inspect the code to verify.

(In reply to comment #10)
> I'll try to come up with a testcase but it's not trivial. This bug was
> discovered through code inspection.
> Note that there are a bunch of talkbacks (see comment 2), but I never got the
> crash myself.
> 



  

  


Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?

    
    

    
  
The patch that caused this wasn't checked in on the 1.7.x branch.

  

  


Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:moderate] Read past end of buffer; may expose memory on heap → [sg:low] Read past end of buffer; may expose memory on heap

    
  
Summary: Buffer overrun in nsExpatDriver::ParseBuffer [@ nsExpatDriver::ParseBuffer] → CVE-2006-0298 Buffer overrun in nsExpatDriver::ParseBuffer [@ nsExpatDriver::ParseBuffer]
Group: security

    
    

    
  
nsExpatDriver::ParseBuffer is still showing up as a topcrash for Fx 1.5.0.1.

  

  


Keywords: topcrash
Crash Signature: [@ nsExpatDriver::ParseBuffer]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: