Bug 369413 - atob("") causes "ASSERTION: index exceeds allowable range" in nsTString.h
Status: RESOLVED FIXED
Whiteboard: [sg:moderate?]
Keywords: assertion, fixed1.8.0.10, fixed1.8.1.2, testcase
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: Trunk
Platform: All, OS: All
Importance: -- normal
Target Milestone: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz]
QA Contact: Hixie (not reading bugmail)
Blocks: 326633
Reported: 2007-02-05 15:27 PST by Jesse Ruderman
Modified: 2007-12-14 19:19 PST
Flags: jruderman: in-testsuite+


Attachments
Length checks (1.03 KB, patch)
2007-02-05 15:59 PST, Boris Zbarsky [:bz]
jst: review+
jst: superreview+
dveditz: approval1.8.1.2+
dveditz: approval1.8.0.10+
Branch build bustage fix (1.02 KB, patch)
2007-02-06 17:00 PST, Boris Zbarsky [:bz]
no flags

Description Jesse Ruderman 2007-02-05 15:27:44 PST
Steps to reproduce:
  atob(null)
or
  atob("")

Result:
  ###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file ../../dist/include/string/nsTString.h, line 133

Filing as security-sensitive because it looks like there is no runtime check to prevent reading past the end of the string.
Comment 1 Boris Zbarsky [:bz] 2007-02-05 15:59:27 PST
Created attachment 254089
Length checks

This is a stack-allocated buffer, so we're definitely reading within it.  But we're reading random memory.  ;)
Comment 2 Johnny Stenback (:jst, jst@mozilla.com) 2007-02-05 22:35:39 PST
Comment on attachment 254089
Length checks

Yeah, should've seen this when I changed this code... r+sr=jst
Comment 3 Boris Zbarsky [:bz] 2007-02-05 22:44:02 PST
Fixed.  I should have seen this when I reviewed this code... ;)
Comment 4 Boris Zbarsky [:bz] 2007-02-05 22:45:10 PST
Comment on attachment 254089
Length checks

Very simple change to length-check a string before looking at its chars.
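The pattern behind this bug, as an added example that is not Gecko's atob code and not the attached patch: a minimal base64 decoder whose padding test looks at the last characters of the input the unchecked way (the assertion fires because with a zero-length string there are no last characters), beside the length-checked form that the fix describes. The decoder, its function names and the sample inputs are the example's own constructions; the exact shape of the Gecko code is not on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Gecko code: a minimal base64 decoder whose padding
   test is written the way this bug describes (looking at the last chars of
   the input without first checking its length), beside the length-checked
   form.  All identifiers here are the example's own. */

/* Value of one base64 digit, or -1 for any other character. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* The unchecked pattern.  With len == 0 the subscripts len-1 and len-2 wrap
   around to SIZE_MAX and SIZE_MAX-1, so the reads land outside the buffer;
   that is what the 'i <= mLength' assertion in nsTString.h flagged.  Kept
   for comparison only and never called here with len < 2. */
static size_t count_padding_unchecked(const char *s, size_t len)
{
    size_t pad = 0;
    if (s[len - 1] == '=') pad++;
    if (pad && s[len - 2] == '=') pad++;
    return pad;
}

/* The length-checked form: only look at s[len-1] and s[len-2] if they exist. */
static size_t count_padding(const char *s, size_t len)
{
    size_t pad = 0;
    if (len >= 1 && s[len - 1] == '=') pad++;
    if (pad && len >= 2 && s[len - 2] == '=') pad++;
    return pad;
}

/* Decode len bytes of padded base64 from in into out (capacity outcap).
   Returns the number of bytes written, or -1 on malformed input or if out
   is too small.  Empty input decodes to zero bytes, as atob("") should. */
static long base64_decode(const char *in, size_t len,
                          unsigned char *out, size_t outcap)
{
    if (len == 0) return 0;              /* the case this bug is about */
    if (len % 4 != 0) return -1;         /* padded base64 comes in groups of 4 */

    size_t pad = count_padding(in, len);
    size_t written = 0;

    for (size_t i = 0; i < len; i += 4) {
        int last_group = (i + 4 == len);
        unsigned long bits = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            int v;
            if (c == '=') {
                /* '=' is legal only in the pad positions of the final group */
                if (!last_group || k < 4 - (int)pad) return -1;
                v = 0;
            } else {
                v = b64_value(c);
                if (v < 0) return -1;
            }
            bits = (bits << 6) | (unsigned long)v;
        }
        size_t n = last_group ? 3 - pad : 3;
        if (written + n > outcap) return -1;
        for (size_t j = 0; j < n; j++)
            out[written + j] = (unsigned char)(bits >> (16 - 8 * j));
        written += n;
    }
    return (long)written;
}

int main(void)
{
    /* Constructed inputs, including the empty string from the report. */
    const char *inputs[] = { "", "aGk=", "aGVsbG8=", "YQ==", "abc", "a===" };
    unsigned char buf[16];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long n = base64_decode(inputs[i], strlen(inputs[i]), buf, sizeof buf);
        if (n < 0) printf("%-10s -> rejected\n", inputs[i]);
        else       printf("%-10s -> %ld byte(s): %.*s\n", inputs[i], n,
                          (int)n, (const char *)buf);
    }
    /* Both padding counters agree once the input is long enough... */
    printf("padding(\"YQ==\"): unchecked=%zu checked=%zu\n",
           count_padding_unchecked("YQ==", 4), count_padding("YQ==", 4));
    /* ...but only the checked one may be asked about "". */
    printf("padding(\"\"): checked=%zu\n", count_padding("", 0));
    return 0;
}
```

The point of the two padding counters is that they are identical for any input of two or more characters, which is why the unchecked version survives ordinary testing; only the empty (or null, which atob coerces to the empty string) input exercises the missing `len >= 1` guard, and on a stack buffer that read is silent unless a debug assertion catches it, exactly as comment 1 describes.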
Comment 5 Daniel Veditz [:dveditz] 2007-02-06 11:02:55 PST
Comment on attachment 254089
Length checks

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Comment 6 Boris Zbarsky [:bz] 2007-02-06 16:19:32 PST
Fixed on branches
Comment 7 Boris Zbarsky [:bz] 2007-02-06 17:00:42 PST
Created attachment 254237
Branch build bustage fix
Comment 8 Jesse Ruderman 2007-12-14 19:19:14 PST
Crashtest checked in.
