Closed
Bug 618643
Opened 14 years ago
Closed 13 years ago
No integer overflow check at nsScannerBufferList::AllocBufferFromString
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: alexander.miller, Unassigned)
Details
(Whiteboard: [sg:moderate] a problem on future machines?)
Attachments
(1 file)
1.18 KB,
patch
|
hsivonen
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Build Identifier: At http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsScannerString.cpp#52 , a string of at least 2^31 - 5 bytes will cause an overflow, and result in an incorrect amount of memory being allocated. Reproducible: Didn't try Because 32-bit windows by default can only keep track of 2 GB of memory addresses, this should not be exploitable on that platform.
Reporter | ||
Updated•14 years ago
|
Whiteboard: [sg:critical?]
Comment 1•14 years ago
|
||
I'm not sure whether it's actually possible to construct a scenario where such a huge string will reach this code, but it certainly looks fragile/risky. Maybe you'd need a 64-bit system in order to reach this without hitting an OOM failure earlier? But I'm just speculating, really. While we're here, there's a similar unchecked calculation in the following nsScannerBufferList::AllocBuffer() function; if someone can cause this to be called with a "capacity" argument of almost 2^31, the calculation will overflow. http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsScannerString.cpp#74
Reporter | ||
Updated•14 years ago
|
Version: unspecified → 1.9.2 Branch
Comment 2•14 years ago
|
||
Alex: adding your own "[sg:" marking to the whiteboard bypasses the security bug triage process and can counter-productively sideline your bug: the triage team won't see it and there's no assignee to take care of it. Eventually it will become a "critical bug not touched in a while" (assuming you don't poke at it yourself) and then get noticed.
Whiteboard: [sg:critical?]
Comment 4•14 years ago
|
||
Confirming by inspection, not convinced this is exploitable in practice. To start with you'd already have to have just shy of 4G memory tied up in the string passed to AllocBufferFromString(), not counting the memory tied up with the document we parsed that string out of.
Status: UNCONFIRMED → NEW
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
Ever confirmed: true
Whiteboard: [sg:low]
Reporter | ||
Comment 5•14 years ago
|
||
(In reply to comments #2 & #3) Sorry, and as much as I hate playing the blame game Bas said it was okay. Also, this seems exploitable on 64-bit systems with a good deal of memory, especially if an attacker triggers the overflow using a text/html data: URL.
Comment 6•14 years ago
|
||
If you can construct a testcase that crashes a consumer-grade PC due to this bug we can re-evaluate, but at the moment it doesn't seem to be a pressing issue. We should fix it anyway, of course.
Whiteboard: [sg:low] → [sg:moderate] a problem on future machines?
Comment 7•14 years ago
|
||
I don't understand the downgrade to sg:moderate. Many Linux distros are already 64-bit, and we're about to ship Firefox 4 as 64-bit for Mac OS X 10.6. Does this bug exist on trunk?
Reporter | ||
Comment 8•13 years ago
|
||
(In reply to comment #7) > I don't understand the downgrade to sg:moderate. Many Linux distros are already > 64-bit, and we're about to ship Firefox 4 as 64-bit for Mac OS X 10.6. > > Does this bug exist on trunk? It should, as this bug is in trunk code.
Comment 9•13 years ago
|
||
Attachment #563784 -
Flags: review?
Comment 10•13 years ago
|
||
Johnny, did you mean to ask for somebody's review? :-)
Comment 11•13 years ago
|
||
I did! But I failed because that person was not on the cc list, and this bug is restricted etc...
Updated•13 years ago
|
Attachment #563784 -
Flags: review? → review?(hsivonen)
Updated•13 years ago
|
Attachment #563784 -
Flags: review?(hsivonen) → review+
Comment 13•13 years ago
|
||
Looks like this got merged to m-c. http://hg.mozilla.org/mozilla-central/rev/22f7fdf1512b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•