Closed
Bug 554120
Opened 14 years ago
Closed 14 years ago
Potential out-of-bounds memory read in nsStandardURL.cpp
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a4
People
(Reporter: justin.lebar+bug, Assigned: justin.lebar+bug)
Details
Attachments
(1 file, 1 obsolete file)
1.06 KB,
patch
|
Details | Diff | Splinter Review |
In nsStandardURL::GetRelativeSpec() while ((*(thatIndex-1) != '/') && (thatIndex != startCharPos)) thatIndex--; Notice that we read from thatIndex-1 before we check that it's in range. This is unlikely to cause a crash except under pathological conditions (startCharPos is at the start of a page, and the page before is unmapped), and the invalid read doesn't look exploitable since we do the range check immediately after, so this probably shouldn't be marked as a security bug. But I'd like a second opinion before unmarking it.
Assignee | ||
Comment 1•14 years ago
|
||
Attachment #433993 -
Flags: review?(cbiesinger)
Comment 2•14 years ago
|
||
Comment on attachment 433993 [details] [diff] [review] Patch all standardurls have a slash after the scheme. so, this should not be a problem. but sure.
Attachment #433993 -
Flags: review?(cbiesinger) → review+
Assignee | ||
Comment 3•14 years ago
|
||
(In reply to comment 2) I see. Well...better safe than sorry. :)
Keywords: checkin-needed
Updated•14 years ago
|
Assignee: nobody → justin.lebar+bug
Group: core-security
Status: NEW → ASSIGNED
Assignee | ||
Comment 5•14 years ago
|
||
Maybe this patch will apply? I rebased, but that didn't change the patch, so I'm not sure why it didn't work originally. In any case, the old patch didn't include MQ headers, which certainly should be there.
Attachment #433993 -
Attachment is obsolete: true
Assignee | ||
Updated•14 years ago
|
Keywords: checkin-needed
Comment 6•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/0bab0ee2767e
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4
You need to log in
before you can comment on or make changes to this bug.
Description
•