potential overflow in EvaluateAdminConfigScript

Preferences: Backend
9 years ago
4 years ago

(Reporter: bhackett, Unassigned)

Firefox Tracking Flags
(Not tracked)

(Whiteboard: [sg:low] local hackery)

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2009042316 Firefox/3.0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2009042316 Firefox/3.0.10

Hi, it looks like there is a read buffer overflow in EvaluateAdminConfigScript (extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp) which can lead to an integer overflow and a buffer being marked as UINT_MAX bytes long.

I doubt this is exploitable (it looks like this is only called on streams read from a local file), but I'm marking it as a potential security problem to be careful.

The relevant code is pasted below.


nsresult EvaluateAdminConfigScript(const char *js_buffer, size_t length,
                                   const char *filename, PRBool bGlobalContext,
                                   PRBool bCallbacks, PRBool skipFirstLine)
{
    JSBool ok;
    jsval result;

    if (skipFirstLine) {
        /* In order to protect the privacy of the JavaScript preferences file
         * from loading by the browser, we make the first line unparseable
         * by JavaScript. We must skip that line here before executing
         * the JavaScript code.
         */
        unsigned int i = 0;
        while (i < length) {
            char c = js_buffer[i++];
            if (c == '\r') {
                /* No check that i < length before this read: when the '\r'
                 * is the last byte of js_buffer this reads one past its end. */
                if (js_buffer[i] == '\n')
                    i++;
                break;
            }
            if (c == '\n')
                break;
        }

        /* If the over-read matched a '\n', i == length + 1 here and the
         * unsigned subtraction wraps. */
        length -= i;
        js_buffer += i;
    }

    ok = JS_EvaluateScript(autoconfig_cx, autoconfig_glob,
                           js_buffer, length, filename, 0, &result);


If the last character in js_buffer is '\r', the test '(js_buffer[i] == '\n')' overflows js_buffer by one byte.  If this test happens to succeed (the garbage character after js_buffer is '\n'), i will be 'length + 1' after exiting the loop and the subtraction 'length -= i' will integer overflow to UINT_MAX.  This value of length is then passed to JS_EvaluateScript.

Reproducible: Always
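As an added illustration (not code from this bug or from Mozilla's tree), the first-line skip from the snippet above extracted into a stand-alone function beside a bounds-checked version. The function names, the `remaining_after_skip` helper and the sample buffer are constructed for this example; the sample buffer carries one extra '\n' past the declared length so the over-read stays within allocated memory while still showing the wrap the report describes.

```c
#include <stddef.h>
#include <stdint.h>

/* Skip logic as in the snippet above: after a '\r' it peeks at buf[i]
 * without checking i < length. Returns the number of bytes skipped. */
static size_t skip_first_line_buggy(const char *buf, size_t length)
{
    size_t i = 0;
    while (i < length) {
        char c = buf[i++];
        if (c == '\r') {
            if (buf[i] == '\n')   /* over-read when '\r' is the last byte */
                i++;
            break;
        }
        if (c == '\n')
            break;
    }
    return i;                     /* can be length + 1 */
}

/* Bounds-checked variant: never reads past length, so i <= length holds. */
static size_t skip_first_line_fixed(const char *buf, size_t length)
{
    size_t i = 0;
    while (i < length) {
        char c = buf[i++];
        if (c == '\r') {
            if (i < length && buf[i] == '\n')
                i++;
            break;
        }
        if (c == '\n')
            break;
    }
    return i;
}

/* Script length left after the skip, computed the way the original does
 * (length -= i). Unsigned subtraction wraps when skipped > length. */
static size_t remaining_after_skip(size_t length, size_t skipped)
{
    return length - skipped;
}

/* Constructed input: the caller sees 8 bytes ("// junk\r"); the byte that
 * happens to follow them in memory is '\n', the case the report describes. */
static const char constructed[] = "// junk\r\n";
#define CONSTRUCTED_LEN 8u
```

With the buggy skip the remaining length wraps to the maximum size_t value, which is the oversized length that then reaches JS_EvaluateScript; the checked variant returns 0 for the same input.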
Comment 1

This would be a pretty far-fetched attack: if the attacker could modify this config file they could more easily hack Firefox by changing/replacing one of the code libraries with a variant that does some dastardly deed. But you're right there's a bug here.
Component: General → Preferences: Backend
Ever confirmed: true
OS: Windows Vista → All
Product: Firefox → Core
QA Contact: general → prefs
Hardware: x86 → All
Whiteboard: [sg:low] local hackery

Comment 2

6 years ago
Opening up per comment 1, which indicates that this is not a significant security issue. This bug is more likely to get fixed if this is open.
Group: core-security