Closed Bug 618643 Opened 14 years ago Closed 13 years ago

No integer overflow check at nsScannerBufferList::AllocBufferFromString

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Version:
1.9.2 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: alexander.miller, Unassigned)

Details

(Whiteboard: [sg:moderate] a problem on future machines?)

Attachments

(1 file)

Fix.
1.18 KB, patch
hsivonen
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: 

At http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsScannerString.cpp#52 , a string of at least 2^31 - 5 bytes will cause an overflow, and result in an incorrect amount of memory being allocated.

Reproducible: Didn't try




Because 32-bit windows by default can only keep track of 2 GB of memory addresses, this should not be exploitable on that platform.
Whiteboard: [sg:critical?]
I'm not sure whether it's actually possible to construct a scenario where such a huge string will reach this code, but it certainly looks fragile/risky. Maybe you'd need a 64-bit system in order to reach this without hitting an OOM failure earlier? But I'm just speculating, really.

While we're here, there's a similar unchecked calculation in the following nsScannerBufferList::AllocBuffer() function; if someone can cause this to be called with a "capacity" argument of almost 2^31, the calculation will overflow.
http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsScannerString.cpp#74
Version: unspecified → 1.9.2 Branch
Alex: adding your own "[sg:" marking to the whiteboard bypasses the security bug triage process and can counter-productively sideline your bug: the triage team won't see it and there's no assignee to take care of it. Eventually it will become a "critical bug not touched in a while" (assuming you don't poke at it yourself) and then get noticed.
Whiteboard: [sg:critical?]
Confirming by inspection, not convinced this is exploitable in practice. To start with you'd already have to have just shy of 4G memory tied up in the string passed to AllocBufferFromString(), not counting the memory tied up with the document we parsed that string out of.
Status: UNCONFIRMED → NEW
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Ever confirmed: true
Whiteboard: [sg:low]
(In reply to comments #2 & #3)

Sorry, and as much as I hate playing the blame game Bas said it was okay. Also, this seems exploitable on 64-bit systems with a good deal of memory, especially if an attacker triggers the overflow using a text/html data: URL.
If you can construct a testcase that crashes a consumer-grade PC due to this bug we can re-evaluate, but at the moment it doesn't seem to be a pressing issue. We should fix it anyway, of course.
Whiteboard: [sg:low] → [sg:moderate] a problem on future machines?
I don't understand the downgrade to sg:moderate. Many Linux distros are already 64-bit, and we're about to ship Firefox 4 as 64-bit for Mac OS X 10.6.

Does this bug exist on trunk?
(In reply to comment #7)
> I don't understand the downgrade to sg:moderate. Many Linux distros are already
> 64-bit, and we're about to ship Firefox 4 as 64-bit for Mac OS X 10.6.
> 
> Does this bug exist on trunk?

It should, as this bug is in trunk code.
Attached patch Fix.Splinter Review 

        Attachment #563784 -
        Flags: review?

    
    

    
  
Johnny, did you mean to ask for somebody's review? :-)

    
    

    
  
I did! But I failed because that person was not on the cc list, and this bug is restricted etc...

        Attachment #563784 -
        Flags: review? → review?(hsivonen)

        Attachment #563784 -
        Flags: review?(hsivonen) → review+

    
    

    
  
Looks like this got merged to m-c.

http://hg.mozilla.org/mozilla-central/rev/22f7fdf1512b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: