Closed Bug 369413 Opened 18 years ago Closed 18 years ago

atob("") causes "ASSERTION: index exceeds allowable range" in nsTString.h

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: bzbarsky)

Details

(4 keywords, Whiteboard: [sg:moderate?])

Attachments

(2 files)

Length checks
1.03 KB, patch
jst
: review+
jst
: superreview+
dveditz
: approval1.8.1.2+
dveditz
: approval1.8.0.10+
Details | Diff | Splinter Review
Branch build bustage fix
1.02 KB, patch
Details | Diff | Splinter Review
Steps to reproduce: atob(null) or atob("") Result: ###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file ../../dist/include/string/nsTString.h, line 133 Filing as security-sensitive because it looks like there is no runtime check to prevent reading past the end of the string.
Attached patch Length checksSplinter Review
This is a stack-allocated buffer, so we're definitely reading within it. But we're reading random memory. ;)
Attachment #254089 - Flags: superreview?(jst)
Attachment #254089 - Flags: review?(jst)
Assignee: general → bzbarsky
OS: Mac OS X → All
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 254089 [details] [diff] [review] Length checks Yeah, should've seen this when I changed this code... r+sr=jst
Attachment #254089 - Flags: superreview?(jst)
Attachment #254089 - Flags: superreview+
Attachment #254089 - Flags: review?(jst)
Attachment #254089 - Flags: review+
Fixed. I should have seen this when I reviewed this code... ;)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 254089 [details] [diff] [review] Length checks Very simple change to length-check a string before looking at its chars.
Attachment #254089 - Flags: approval1.8.1.2?
Attachment #254089 - Flags: approval1.8.0.10?
Whiteboard: [sg:moderate?]
Comment on attachment 254089 [details] [diff] [review] Length checks approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #254089 - Flags: approval1.8.1.2?
Attachment #254089 - Flags: approval1.8.1.2+
Attachment #254089 - Flags: approval1.8.0.10?
Attachment #254089 - Flags: approval1.8.0.10+
Whiteboard: [sg:moderate?] → [sg:moderate?] needs landing on branches
Fixed on branches
Keywords: fixed1.8.0.10, fixed1.8.1.2
Group: security
Whiteboard: [sg:moderate?] needs landing on branches → [sg:moderate?]
Crashtest checked in.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: