Bug 538939 - Misuse of PR_GetErrorTextLength when allocating error message buffers
Status: RESOLVED FIXED (closed)
Product / Component: NSS :: Tools
Type: defect, Priority: P2
Target milestone: 3.12.7
Tracking: not tracked
Opened 15 years ago, closed 15 years ago
Reporter: glandium, Assignee: glandium
Attachments (1): patch, 6.87 KB, review+ (wtc)
Description
This was noticed while playing around with modutil, adding a module whose library couldn't be dlload()ed, and modutil crashed badly:
*** glibc detected *** ./modutil: free(): invalid next size (fast): 0x0000000001ddfb50 ***
(leaving out the backtrace and memory map)
The problem is that none of the PR_Malloc() calls that depend on PR_GetErrorTextLength in NSS are safe: PR_GetErrorTextLength returns the text length, which means it doesn't include space for the terminating NULL character.
PR_GetErrorText, itself, copies length + 1 characters, so the buffers are under-alloc'ed.
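The off-by-one the report describes, as an added stand-alone example (this is not NSPR or NSS code and not the attached patch). The fake_* functions are constructed stand-ins that reproduce the contract the report states: the length call returns strlen() of the error text, so it excludes the terminating NUL, while the copy call writes length + 1 bytes. The unsafe fetcher shows the pattern the patch removes from modutil and signtool; the safe one shows the length + 1 allocation the fix introduces. The sample error text is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not NSPR/NSS code. The fake_* functions below are
 * constructed stand-ins for PR_SetErrorText / PR_GetErrorTextLength /
 * PR_GetErrorText, modelling only the behaviour the bug report describes.
 */
static char g_error_text[256];   /* models the per-thread error text in NSPR */

/* Stand-in for setting the error text (real NSPR keeps it per thread). */
static void fake_set_error_text(const char *text)
{
    size_t n = strlen(text);
    if (n >= sizeof(g_error_text))
        n = sizeof(g_error_text) - 1;
    memcpy(g_error_text, text, n);
    g_error_text[n] = '\0';
}

/* Stand-in for PR_GetErrorTextLength: strlen(), i.e. no room for the NUL. */
static int fake_get_error_text_length(void)
{
    return (int)strlen(g_error_text);
}

/* Stand-in for PR_GetErrorText: copies length + 1 bytes, NUL included. */
static int fake_get_error_text(char *buf)
{
    int len = (int)strlen(g_error_text);
    memcpy(buf, g_error_text, (size_t)len + 1);
    return len;
}

/* Bytes a buffer must have for a reported length: the text plus its NUL. */
size_t error_text_buffer_size(int len)
{
    return (size_t)len + 1;
}

/*
 * The pattern the bug fixes: the buffer is sized from the reported length
 * alone, so the copy writes the NUL one byte past the end of the allocation
 * (the "free(): invalid next size" glibc abort in the report is a typical
 * symptom). Kept only for contrast; calling it is a heap overflow.
 */
char *fetch_error_text_unsafe(void)
{
    int len = fake_get_error_text_length();
    char *buf = len ? malloc((size_t)len) : NULL;   /* one byte short */
    if (buf)
        fake_get_error_text(buf);                   /* writes len + 1 bytes */
    return buf;
}

/* Fixed pattern: allocate length + 1 so the terminating NUL fits. */
char *fetch_error_text(void)
{
    int len = fake_get_error_text_length();
    if (len <= 0)
        return NULL;                                /* no error text set */
    char *buf = malloc(error_text_buffer_size(len));
    if (buf == NULL)
        return NULL;
    fake_get_error_text(buf);
    return buf;                                     /* caller frees */
}

int main(void)
{
    /* Constructed sample text, shaped like a loader failure message. */
    fake_set_error_text("libexample.so: cannot open shared object file");
    char *msg = fetch_error_text();
    if (msg) {
        printf("length reported: %d, bytes allocated: %zu, text: %s\n",
               fake_get_error_text_length(),
               error_text_buffer_size(fake_get_error_text_length()), msg);
        free(msg);
    }
    return 0;
}
```

The check worth keeping in review for any PR_GetErrorTextLength caller is the one error_text_buffer_size() encodes: the allocation must be at least one byte larger than the reported length, or the copy in PR_GetErrorText corrupts the heap metadata that follows the buffer.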
Updated 15 years ago (assignee)
Attachment #421019 - Attachment is patch: true
Attachment #421019 - Attachment mime type: application/octet-stream → text/plain
Attachment #421019 - Flags: review?(wtc)
Comment 1, 15 years ago
Comment on attachment 421019 [details] [diff] [review]: patch
r=wtc. Thanks for the patch.
See my comment in bug 538940 comment 1 for the background
of the off-by-one problem of PR_GetErrorTextLength.
In short, the current implementation of PR_GetErrorTextLength
doesn't match the originally intended specification. After
I have verified that the current implementation is self-consistent,
I'll change the documentation of PR_GetErrorTextLength to
reflect the current implementation.
Attachment #421019 - Flags: review?(wtc) → review+
Comment 2, 15 years ago
Bug 538939: Fix allocation of error message buffers for PR_GetErrorTextLength
Patch contributed by Mike Hommey <mh+mozilla@glandium.org>, r=wtc
Checking in modutil/pk11.c; new revision: 1.30; previous revision: 1.29
Checking in signtool/javascript.c; new revision: 1.7; previous revision: 1.6
Checking in signtool/zip.c; new revision: 1.6; previous revision: 1.5
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED