crash if val is null and mSpec is not empty [@ strncmp - nsStandardURL::SegmentIs][@ PL_strncasecmp - nsStandardURL::SegmentIs]

RESOLVED FIXED

Status

Core
Networking
--
critical
RESOLVED FIXED
8 years ago
6 years ago

People

(Reporter: timeless, Assigned: jesup)

Tracking

({coverity, crash})

Trunk
coverity, crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
nsStandardURL::SegmentIs(const URLSegment &seg1, const char *val, const URLSegment &seg2, PRBool ignoreCase)

    if (seg1.mLen == -1 || (!val && mSpec.IsEmpty()))
        return PR_TRUE; // both are empty

so, if mSpec IsEmpty but val is null, we don't return.
seg2.mPos is presumably not a pointer, but merely an offset, and we're now going to try to use it as a pointer:

    if (ignoreCase)
        return !PL_strncasecmp(mSpec.get() + seg1.mPos, val + seg2.mPos, seg1.mLen);
    else
        return !strncmp(mSpec.get() + seg1.mPos, val + seg2.mPos, seg1.mLen);

note that crash-stats doesn't seem to have this, but we should at least change the code so coverity doesn't complain
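The null `val` path from the description above, as an added stand-alone model (not part of the bug report and not the patch attached to it). `SegmentIsGuarded`, the `std::string` standing in for `mSpec`, the simplified `URLSegment`, and the extra bounds checks are assumptions made for illustration; POSIX `strncasecmp` stands in for `PL_strncasecmp`.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <strings.h>  // strncasecmp (POSIX), stand-in for PL_strncasecmp

// Simplified stand-in for the segment type named in the report (assumed shape).
struct URLSegment {
    std::size_t mPos;  // offset into the buffer, not a pointer
    int mLen;          // -1 means the segment is absent
};

// Hypothetical hardened comparison. `spec` plays the role of mSpec.
bool SegmentIsGuarded(const std::string& spec, const URLSegment& seg1,
                      const char* val, const URLSegment& seg2, bool ignoreCase)
{
    // Same early return as the code quoted in the report.
    if (seg1.mLen == -1 || (!val && spec.empty()))
        return true;  // both are empty

    // The missing case: spec has content but val is null. Without this,
    // `val + seg2.mPos` turns a small offset into a bogus pointer.
    if (!val)
        return false;

    // Extra checks (assumption: callers do not guarantee in-range segments).
    if (seg1.mLen < 0 || seg1.mPos > spec.size())
        return false;
    const std::size_t len = static_cast<std::size_t>(seg1.mLen);
    if (len > spec.size() - seg1.mPos || seg2.mPos > std::strlen(val))
        return false;

    const char* a = spec.c_str() + seg1.mPos;
    const char* b = val + seg2.mPos;
    return ignoreCase ? strncasecmp(a, b, len) == 0
                      : std::strncmp(a, b, len) == 0;
}

int main()
{
    // Constructed sample input: a non-empty spec compared against a null val.
    const std::string spec = "http://example.org/";
    const URLSegment scheme{0, 4};
    std::printf("null val, non-empty spec -> %d\n",
                SegmentIsGuarded(spec, scheme, nullptr, scheme, false));
    std::printf("case-insensitive match   -> %d\n",
                SegmentIsGuarded(spec, scheme, "HTTP://x/", scheme, true));
    return 0;
}
```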
(Assignee)

Comment 1

6 years ago
Created attachment 535303 [details] [diff] [review]
Simple patch to correct this

Incredibly simple fix.  Probably no caller in practice does this, but it should be corrected.
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Attachment #535303 - Flags: review?

Updated

6 years ago
Attachment #535303 - Flags: review? → review?(bzbarsky)
Comment on attachment 535303 [details] [diff] [review]
Simple patch to correct this

Sure.
Attachment #535303 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 3

6 years ago
Checked in as http://hg.mozilla.org/mozilla-central/rev/1f752e72346d
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ strncmp - nsStandardURL::SegmentIs] [@ PL_strncasecmp - nsStandardURL::SegmentIs]