atob("") causes "ASSERTION: index exceeds allowable range" in nsTString.h

RESOLVED FIXED in mozilla1.9alpha1

Product: Core
Component: DOM: Core & HTML
Status: RESOLVED FIXED
Opened: 11 years ago
Last updated: 10 years ago
Reporter: Jesse Ruderman
Assigned: bz
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla1.9alpha1
Keywords: assertion, fixed1.8.0.10, fixed1.8.1.2, testcase
Bug Flags: in-testsuite +
Whiteboard: [sg:moderate?]
Attachments: 2

Description (Reporter, 11 years ago)
Steps to reproduce:
  atob(null)
or
  atob("")

Result:
  ###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file ../../dist/include/string/nsTString.h, line 133

Filing as security-sensitive because it looks like there is no runtime check to prevent reading past the end of the string.

Created attachment 254089
Length checks

This is a stack-allocated buffer, so we're definitely reading within it.  But we're reading random memory.  ;)
Attachment #254089 - Flags: superreview?(jst)
Attachment #254089 - Flags: review?(jst)
Assignee: general → bzbarsky
OS: Mac OS X → All
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha

Comment on attachment 254089
Length checks

Yeah, should've seen this when I changed this code... r+sr=jst
Attachment #254089 - Flags: superreview?(jst)
Attachment #254089 - Flags: superreview+
Attachment #254089 - Flags: review?(jst)
Attachment #254089 - Flags: review+

Fixed. I should have seen this when I reviewed this code... ;)
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment on attachment 254089
Length checks

Very simple change to length-check a string before looking at its chars.
Attachment #254089 - Flags: approval1.8.1.2?
Attachment #254089 - Flags: approval1.8.0.10?

Updated by Reporter, 11 years ago
Whiteboard: [sg:moderate?]

Comment on attachment 254089
Length checks

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #254089 - Flags: approval1.8.1.2?
Attachment #254089 - Flags: approval1.8.1.2+
Attachment #254089 - Flags: approval1.8.0.10?
Attachment #254089 - Flags: approval1.8.0.10+

Updated, 11 years ago
Whiteboard: [sg:moderate?] → [sg:moderate?] needs landing on branches

Fixed on branches
Keywords: fixed1.8.0.10, fixed1.8.1.2

Created attachment 254237
Branch build bustage fix
Group: security

Updated by Reporter, 10 years ago
Whiteboard: [sg:moderate?] needs landing on branches → [sg:moderate?]

Comment 8 (Reporter, 10 years ago)
Crashtest checked in.
Flags: in-testsuite+
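
The kind of length check the comments above describe, as an added C++ example that is not Mozilla's code or the attached patch: the string type, the function names and the idea that the unchecked access is a peek at the input's trailing characters are all assumptions made for illustration. Out-of-range accesses are counted rather than performed, so the unchecked variant can be run safely.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical stand-in for a string class whose CharAt() only asserts
// 'i <= mLength'. The failed check is counted instead of aborting, so the
// unchecked variant below can be run without touching stray memory.
struct CheckedStr {
    std::string data;
    mutable int violations;
    explicit CheckedStr(const char* s) : data(s), violations(0) {}
    char CharAt(std::size_t i) const {
        if (i > data.size()) {   // same condition as the assertion
            ++violations;        // with no runtime check, this index is used as-is
            return '\0';
        }
        return i < data.size() ? data[i] : '\0';  // i == length: terminator
    }
};

// Before: peeks at the trailing characters without checking the length.
// For an empty input, len - 1 wraps around to SIZE_MAX.
std::size_t PaddingUnchecked(const CheckedStr& s) {
    std::size_t len = s.data.size();
    if (s.CharAt(len - 1) != '=') return 0;
    return s.CharAt(len - 2) == '=' ? 2 : 1;
}

// After: length-check the string before looking at its chars.
std::size_t PaddingChecked(const CheckedStr& s) {
    std::size_t len = s.data.size();
    if (len == 0 || s.CharAt(len - 1) != '=') return 0;
    return (len >= 2 && s.CharAt(len - 2) == '=') ? 2 : 1;
}

// Number of out-of-range accesses a single call makes on `input`.
int Violations(std::size_t (*fn)(const CheckedStr&), const char* input) {
    CheckedStr s(input);
    fn(s);
    return s.violations;
}

int main() {
    std::printf("unchecked \"\": %d, checked \"\": %d\n",
                Violations(PaddingUnchecked, ""), Violations(PaddingChecked, ""));
    std::printf("unchecked \"=\": %d, checked \"=\": %d\n",
                Violations(PaddingUnchecked, "="), Violations(PaddingChecked, "="));
    return 0;
}
```

The one-character input is included because a check for the empty string alone still leaves the second-to-last access out of range.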