Closed Bug 507569 Opened 11 years ago Closed 9 years ago

crash if val is null and mSpec is not empty [@ strncmp - nsStandardURL::SegmentIs][@ PL_strncasecmp - nsStandardURL::SegmentIs]

Categories

(Core :: Networking, defect, critical)

RESOLVED FIXED

People

(Reporter: timeless, Assigned: jesup)

References

(Blocks 1 open bug, )

Details

(Keywords: coverity, crash)

Attachments

(1 file)

nsStandardURL::SegmentIs(const URLSegment &seg1, const char *val, const URLSegment &seg2, PRBool ignoreCase)

    if (seg1.mLen == -1 || (!val && mSpec.IsEmpty()))
        return PR_TRUE; // both are empty

So, if mSpec IsEmpty but val is null, we don't return.
seg2.mPos is presumably not a pointer, but merely an offset, and we're now going to try to use it as a pointer:

    if (ignoreCase)
        return !PL_strncasecmp(mSpec.get() + seg1.mPos, val + seg2.mPos, seg1.mLen);
    else
        return !strncmp(mSpec.get() + seg1.mPos, val + seg2.mPos, seg1.mLen);

Note that crash-stats doesn't seem to have this, but we should at least change the code so Coverity doesn't complain.

Incredibly simple fix. Probably no caller in practice does this, but it should be corrected.
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Attachment #535303 - Flags: review?
Attachment #535303 - Flags: review? → review?(bzbarsky)
Comment on attachment 535303 [details] [diff] [review]
Simple patch to correct this

Sure.
Attachment #535303 - Flags: review?(bzbarsky) → review+
Checked in as http://hg.mozilla.org/mozilla-central/rev/1f752e72346d
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ strncmp - nsStandardURL::SegmentIs] [@ PL_strncasecmp - nsStandardURL::SegmentIs]
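
Added example, not part of the bug report and not the attached patch: a standalone C++ model of the guard quoted above that shows which null-val inputs get past it, next to a variant with an explicit null check. Segment, quoted_guard, segment_is_checked and the sample URL are constructed for illustration, and returning false for a null val against a present segment is an assumption.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <strings.h>  // strncasecmp (POSIX), standing in for PL_strncasecmp

// Simplified stand-in for URLSegment: an offset into the spec and a length,
// with len == -1 meaning "segment absent".
struct Segment { int pos; int len; };

enum class Outcome { Equal, NotEqual, NullDeref };

static bool same_bytes(const char* a, const char* b, int n, bool ignoreCase) {
    return (ignoreCase ? strncasecmp(a, b, n) : strncmp(a, b, n)) == 0;
}

// Follows the guard quoted in the report. Where the quoted code would go on to
// compare through a null val, it returns NullDeref instead of doing so.
Outcome quoted_guard(const std::string& spec, const Segment& s1,
                     const char* val, const Segment& s2, bool ignoreCase) {
    if (s1.len == -1 || (!val && spec.empty()))
        return Outcome::Equal;  // "both are empty"
    if (!val)
        return Outcome::NullDeref;  // strncmp(spec + pos, NULL + s2.pos, len)
    return same_bytes(spec.c_str() + s1.pos, val + s2.pos, s1.len, ignoreCase)
               ? Outcome::Equal : Outcome::NotEqual;
}

// Same guard plus an explicit null check (assumed behaviour: a null val never
// matches a segment that is present).
bool segment_is_checked(const std::string& spec, const Segment& s1,
                        const char* val, const Segment& s2, bool ignoreCase) {
    if (s1.len == -1 || (!val && spec.empty()))
        return true;
    if (!val)
        return false;
    return same_bytes(spec.c_str() + s1.pos, val + s2.pos, s1.len, ignoreCase);
}

int main() {
    const std::string spec = "http://example.org/";  // constructed sample
    const Segment scheme{0, 4};
    bool hole = quoted_guard(spec, scheme, nullptr, scheme, false) == Outcome::NullDeref;
    std::printf("quoted guard reaches compare with null val: %s\n", hole ? "yes" : "no");
    std::printf("checked version returns: %d\n",
                segment_is_checked(spec, scheme, nullptr, scheme, false));
    return 0;
}
```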