Closed
Bug 522767
Opened 15 years ago
Closed 15 years ago
Off by one error in nsDataObj::GetFile() triggers assert
Categories
(Core :: Widget: Win32, defect, P2)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta4-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: khuey, Assigned: khuey)
Details
(Keywords: assertion)
Attachments
(1 file)
|
949 bytes,
patch
|
jimm
:
review+
roc
:
superreview+
roc
:
approval1.9.2+
|
Details | Diff | Splinter Review |
nsDataObj::GetFile() has an off by one error on the data flavors array. Because it increments the counter before reading it skips the first element of the array and tries to read one past the last. This triggers an assert at xpcom/glue/nsTArray.h at line 317 when it tries to read. This bug is encountered when trying to drag a file to the desktop when it does not support the type "application/x-moz-nativeimage". I don't think this is security-sensitive but just covering the bases.
|
Assignee | |
Updated•15 years ago
|
Attachment #406742 -
Flags: review? → review?(jmathies)
|
|
Assignee | |
Comment 2•15 years ago
|
||
This was broken by http://hg.mozilla.org/mozilla-central/rev/3ca2646bf687
|
||
Updated•15 years ago
|
Attachment #406742 -
Flags: review?(jmathies) → review+
|
|
Assignee | |
Updated•15 years ago
|
Keywords: checkin-needed
|
||
Comment 3•15 years ago
|
||
(In reply to comment #0) > I don't think this is security-sensitive but just covering the bases. Good call. Generally, unless it's immediately obvious, err on the side of caution. In this case, since nsTArray has no fenceposting behavior to fill the last spot with some "safe" value (e.g. NULL if it were an array of pointers, or conceivably nsCString() in this case), it's not obvious things couldn't go wrong in attacker-controllable ways. Exactly what bad would happen if execution continued past that point isn't obvious, so paranoia is desirable.
|
|
Assignee | |
Comment 4•15 years ago
|
||
Comment on attachment 406742 [details] [diff] [review] Patch We'll want to take this on 1.9.2 as well. This doesn't affect 1.9.1.
Attachment #406742 -
Flags: approval1.9.2?
|
|
Assignee | |
Updated•15 years ago
|
status1.9.1:
--- → unaffected
|
||
Updated•15 years ago
|
Flags: blocking1.9.2?
|
|
||
Updated•15 years ago
|
Attachment #406742 -
Flags: superreview?(roc)
|
|
||
Comment 5•15 years ago
|
||
Comment on attachment 406742 [details] [diff] [review] Patch As per our review policy (http://www.mozilla.org/hacking/reviewers.html), all security bugs require superreview for patches.
|
|
||
Updated•15 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 6•15 years ago
|
||
(In reply to comment #5) > (From update of attachment 406742 [details] [diff] [review]) > As per our review policy (http://www.mozilla.org/hacking/reviewers.html), all > security bugs require superreview for patches. Ah I was not aware of this policy. Thanks for fixing things up for me.
Attachment #406742 -
Flags: superreview?(roc)
Attachment #406742 -
Flags: superreview+
Attachment #406742 -
Flags: approval1.9.2?
Attachment #406742 -
Flags: approval1.9.2+
|
|
||
Updated•15 years ago
|
Keywords: checkin-needed
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
|
|
||
Updated•15 years ago
|
Keywords: checkin-needed
|
||
Updated•15 years ago
|
Whiteboard: [needs 192 landing]
|
||
Comment 8•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e76537cc2bf1
status1.9.2:
--- → final-fixed
|
|
Assignee | |
Updated•15 years ago
|
Keywords: checkin-needed
Whiteboard: [needs 192 landing]
|
||
Updated•14 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•