Closed Bug 554120 Opened 14 years ago Closed 14 years ago

Potential out-of-bounds memory read in nsStandardURL.cpp

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a4

People

(Reporter: justin.lebar+bug, Assigned: justin.lebar+bug)

Details

Attachments

(1 file, 1 obsolete file)

Patch with MQ headers
1.06 KB, patch
Details | Diff | Splinter Review 
In nsStandardURL::GetRelativeSpec()

    while ((*(thatIndex-1) != '/') && (thatIndex != startCharPos))
        thatIndex--; 

Notice that we read from thatIndex-1 before we check that it's in range.

This is unlikely to cause a crash except under pathological conditions (startCharPos is at the start of a page, and the page before is unmapped), and the invalid read doesn't look exploitable since we do the range check immediately after, so this probably shouldn't be marked as a security bug.  But I'd like a second opinion before unmarking it.
Attached patch Patch (obsolete) — Splinter Review 

        Attachment #433993 -
        Flags: review?(cbiesinger)

    
    

    
  
Comment on attachment 433993 [details] [diff] [review]
Patch

all standardurls have a slash after the scheme. so, this should not be a problem. but sure.

        Attachment #433993 -
        Flags: review?(cbiesinger) → review+

    
    

    
  
(In reply to comment 2)
I see.  Well...better safe than sorry.  :)
Keywords: checkin-needed

    
  
Assignee: nobody → justin.lebar+bug
Group: core-security
Status: NEW → ASSIGNED

    
    

    
  
Patch failed to apply.
Keywords: checkin-needed

    
    

    
  


  
Maybe this patch will apply?  I rebased, but that didn't change the patch, so I'm not sure why it didn't work originally.

In any case, the old patch didn't include MQ headers, which certainly should be there.

        Attachment #433993 -
        Attachment is obsolete: true

    
  
Keywords: checkin-needed

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/0bab0ee2767e
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: