Closed
Bug 333555
Opened 19 years ago
Closed 19 years ago
Coverity Crash if item is null [@ sec_asn1d_prepare_for_contents]
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.2
People
(Reporter: timeless, Assigned: nelson)
References
()
Details
(Keywords: coverity, crash, Whiteboard: FIPS [CID 298])
Crash Data
Attachments
(1 file)
|
840 bytes,
patch
|
alvolkov.bgs
:
review+
wtc
:
review+
|
Details | Diff | Splinter Review |
coverity thinks this path is reachable. i'm inclined to agree
|
Assignee | |
Comment 1•19 years ago
|
||
Need a wee bit more info here.
What exactly is "this path" that is reachable?
Can you state a call stack?
and the line number on which the crash is thought to occur?
990 sec_asn1d_prepare_for_contents
1119 switch (state->underlying_kind) {
1167 case SEC_ASN1_BMP_STRING:
1169 if (state->contents_length % 2) {
make this false
1175 goto regular_string_type;
1177 case SEC_ASN1_UNIVERSAL_STRING:
1179 if (state->contents_length % 4) {
make this false
1185 goto regular_string_type;
1187 case SEC_ASN1_SKIP:
1188 case SEC_ASN1_ANY:
1189 case SEC_ASN1_ANY_CONTENTS:
1196 regular_string_type:
1197 case SEC_ASN1_BIT_STRING:
1198 case SEC_ASN1_IA5_STRING:
1199 case SEC_ASN1_OCTET_STRING:
1200 case SEC_ASN1_PRINTABLE_STRING:
1201 case SEC_ASN1_T61_STRING:
1202 relyea 1.1 case SEC_ASN1_UTC_TIME:
1203 case SEC_ASN1_UTF8_STRING:
1204 case SEC_ASN1_VISIBLE_STRING:
1212 item = (SECItem *)(state->dest);
1226 if (item == NULL || state->top->filter_only) {
let item = NULL
1227 if (item != NULL) {
1230 }
1231 alloc_len = 0;
1254 if (alloc_len || ((! state->indefinite)
1255 && (state->subitems_head != NULL))) {
let !state->indefinite && state->subitems_head
1259 PORT_Assert (item->len == 0 && item->data == NULL);
crash here, item is null.
|
|
Assignee | |
Updated•19 years ago
|
Hardware: PC → All
Target Milestone: --- → 3.11.1
Version: unspecified → 3.11
|
|
Assignee | |
Updated•19 years ago
|
Priority: -- → P2
|
|
Assignee | |
Updated•19 years ago
|
Target Milestone: 3.11.1 → 3.11.2
|
|
Assignee | |
Comment 3•19 years ago
|
||
taking
Assignee: nobody → nelson
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Updated•19 years ago
|
Whiteboard: FIPS
|
|
Assignee | |
Comment 4•19 years ago
|
||
I think a simpler description of the problem is this:
There are many paths to line 1212, which reads:
item = (SECItem *)(state->dest);
If item is assigned NULL there, and the code subsequently reaches line 1259,
it will crash there (or at places below in that same basic block)
dereferencing the null pointer "item".
This patch should avoid that, and cause the decoder to exit gracefully.
Please review.
Attachment #222454 -
Flags: superreview?(julien.pierre.bugs)
Attachment #222454 -
Flags: review?(alexei.volkov.bugs)
|
|
||
Comment 5•19 years ago
|
||
Comment on attachment 222454 [details] [diff] [review]
patch v1
r=alexei
Attachment #222454 -
Flags: review?(alexei.volkov.bugs) → review+
|
||
Updated•19 years ago
|
Attachment #222454 -
Flags: review+
|
|
Assignee | |
Comment 6•19 years ago
|
||
Comment on attachment 222454 [details] [diff] [review]
patch v1
have two reviews now.
Attachment #222454 -
Flags: superreview?(julien.pierre.bugs)
|
|
Assignee | |
Comment 7•19 years ago
|
||
Checking in util/secasn1d.c; new revision: 1.33.28.1; previous revision: 1.33
Checking in secasn1d.c; new revision: 1.34; previous revision: 1.33
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Updated•19 years ago
|
Whiteboard: FIPS[CID 298] → FIPS [CID 298]
|
||
Updated•19 years ago
|
Summary: Crash if item is null [@ sec_asn1d_prepare_for_contents] → Coverity Crash if item is null [@ sec_asn1d_prepare_for_contents]
|
||
Updated•14 years ago
|
Crash Signature: [@ sec_asn1d_prepare_for_contents]
You need to log in
before you can comment on or make changes to this bug.
Description
•