"ASSERTION: Too few bytes in input" with single-byte UTF-16 data: URL

Status: RESOLVED FIXED
Product / Component: Core :: Internationalization
Priority: P2
Severity: normal
Reported: 10 years ago
Last modified: 8 years ago
Reporter: Jesse Ruderman
Assigned: smontagu
Version: Trunk
Keywords: fixed1.8.1.22
Bug Flags: wanted-next +, in-testsuite +
Whiteboard: [sg:low] Read past end of buffer; at worst may expose memory on heap, URL
Attachments: 1 attachment
Description (Reporter, 10 years ago)
Steps to reproduce:
1. Load:
     data:text/html;charset=utf-16,%41

Result:
###!!! ASSERTION: Too few bytes in input: '*aSrcLength >= 2', file /Users/jruderman/trunk/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp, line 229

It looks like nsUTF16ToUnicode::Convert then proceeds to read past the end of the string while trying to determine its endianness.

I don't know whether this is a bug in nsUTF16ToUnicode::Convert or a bug in the caller.
Comment 1 (Assignee, 10 years ago)
nsUTF16ToUnicode::Convert, I think. Callers of converters shouldn't need to know about the byte structure of encodings.
OS: Mac OS X → All
Hardware: PC → All
Updated (Reporter, 9 years ago)
Flags: blocking1.9?
Whiteboard: [sg:low] Read past end of buffer; at worst may expose memory on heap

Updated (9 years ago)
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 2 (Assignee, 9 years ago)
Created attachment 298097 [details] [diff] [review]
Patch

I'm in two minds whether the Right Thing To Do here is to fail silently or return an error code, but I think the error code is preferable.
Attachment #298097 - Flags: review?(jshin1987)
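The endianness sniff that the description pins the over-read on, and the "return an error code" choice Comment 2 settles on, as an added example in C. This is not Mozilla's converter code and not the attached patch: the function names, the error codes and the big-endian default for BOM-less input are assumptions of this example. The unchecked form reads the second byte without consulting the length; the checked form rejects anything shorter than two bytes before it looks at a single one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Mozilla code. Sketches the byte-order-mark sniff the
 * bug report describes, in an unchecked and a checked form. */

enum endian { ENDIAN_UNKNOWN = 0, ENDIAN_BE, ENDIAN_LE };

/* Error codes are this example's own, not the converter's nsresult values. */
#define UTF16_ERR_TOO_SHORT  (-1)  /* fewer than 2 bytes: cannot sniff a BOM */
#define UTF16_ERR_ODD_TRAIL  (-2)  /* an odd byte left over after the last unit */

/* Unchecked sniff: reads src[0] and src[1] without consulting len. Called
 * with the one-byte body of data:text/html;charset=utf-16,%41 this reads
 * one byte past the caller's buffer, which is what the debug assertion
 * '*aSrcLength >= 2' catches. Do not call it with len < 2. */
enum endian sniff_bom_unchecked(const unsigned char *src, size_t len)
{
    (void)len;  /* the bug: the length is never consulted */
    if (src[0] == 0xFE && src[1] == 0xFF) return ENDIAN_BE;
    if (src[0] == 0xFF && src[1] == 0xFE) return ENDIAN_LE;
    return ENDIAN_UNKNOWN;
}

/* Checked decode: converts a complete UTF-16 byte string (optional BOM)
 * into 16-bit code units. Returns the number of units written, or a
 * negative error code. Inputs shorter than 2 bytes are rejected before
 * any byte is examined (the "return an error code" option from Comment 2).
 * Without a BOM this example assumes big-endian (the RFC 2781 default);
 * the real converter's default is not stated on the page. Surrogate pairs
 * pass through as two units; no streaming state is kept. */
int utf16_to_units(const unsigned char *src, size_t len,
                   uint16_t *out, size_t out_cap)
{
    if (len < 2) return UTF16_ERR_TOO_SHORT;

    enum endian e = ENDIAN_BE;
    size_t i = 0;
    if (src[0] == 0xFE && src[1] == 0xFF)      { e = ENDIAN_BE; i = 2; }
    else if (src[0] == 0xFF && src[1] == 0xFE) { e = ENDIAN_LE; i = 2; }

    if ((len - i) % 2 != 0) return UTF16_ERR_ODD_TRAIL;

    size_t n = 0;
    for (; i + 1 < len && n < out_cap; i += 2) {
        unsigned hi = (e == ENDIAN_BE) ? src[i] : src[i + 1];
        unsigned lo = (e == ENDIAN_BE) ? src[i + 1] : src[i];
        out[n++] = (uint16_t)((hi << 8) | lo);
    }
    return (int)n;
}

/* Convenience wrapper for checks: the first decoded unit, 0 if the input
 * held only a BOM, or the negative error code. */
int first_unit_or_error(const unsigned char *src, size_t len)
{
    uint16_t units[8];
    int n = utf16_to_units(src, len, units, sizeof units / sizeof units[0]);
    if (n <= 0) return n;
    return units[0];
}

int main(void)
{
    /* Constructed input: the body of the data: URL from the report, one byte. */
    const unsigned char single[] = { 0x41 };
    int rc = utf16_to_units(single, sizeof single, NULL, 0);
    printf("1-byte input -> %d (%s)\n", rc,
           rc == UTF16_ERR_TOO_SHORT ? "rejected before any read" : "unexpected");
    return 0;
}
```

The length check has to come before the BOM comparison, not after it: once `src[1]` has been dereferenced the over-read has already happened, and a release build has no assertion to stop it. Whether the caller then treats the error as "emit nothing" or as a hard failure is the policy question Comment 2 raises; the converter itself only has to refuse to peek.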

Updated (9 years ago)
Attachment #298097 - Flags: review?(jshin1987) → review+
Is this ready for checkin? If so, please nominate for approval1.9?
Flags: tracking1.9+ → wanted-next+
Comment 4 (Assignee, 9 years ago)
Does this need approval? It was marked as blocking 1.9 and I could have checked it in before but since the change is so small I was waiting to check it in together with bug 317126 when that got reviewed.
Comment 5 (Assignee, 9 years ago)
er, bug 317216
Comment 6 (Assignee, 9 years ago)
Checked in to trunk, with unit test
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Updated (Assignee, 9 years ago)
Attachment #298097 - Flags: approval1.9?
Comment 7 (Assignee, 8 years ago)
Checked in to 1.8 branch (with bug 317216)
Keywords: fixed1.8.1.22
Group: core-security