Closed
Bug 688882
Opened 14 years ago
Closed 14 years ago
Investigate stack buffer overflow in nsLocalFile::EnsureShortPath
Categories
(Core :: XPCOM, defect)
Tracking
()
RESOLVED
FIXED
mozilla10
People
(Reporter: bsterne, Assigned: bbondy)
Details
(Whiteboard: [sg:nse])
Attachments
(1 file)
|
1.49 KB,
patch
|
benjamin
:
review+
|
Details | Diff | Splinter Review |
Fabian Yamaguchi of Recurity Labs on behalf of BSI (German Federal Office for Information Security) reported the following to security@mozilla.org:
Method: nsLocalFile::EnsureShortPath
Component:
The bug is contained in the nsLocalFile Implementation for Windows.
Summary:
The method nsLocalFile::EnsureShortPath contains a call to GetShortPathName, which potentially overflows a stackbased buffer.
Overview:
The method nsLocalFile::EnsureShortPath reads a path name into a local stackbuffer by using the Win32 API function GetShortPathNameW. This function expects the number of widecharacters that the destination buffer can hold as its last argument. In EnsureShortPath, this third parameter has mistakenly been chosen to contain the number of bytes the buffer consists of, which is twice as much as the number of widecharacters it can hold. Therefore, it may be possible to trigger a stack based bufferoverflow.
Actual Results:
A local stackbuffer can potentially be overflowed.
Expected Results:
The buffer cannot be overflowed.
Additional Information:
The vulnerable code is the following.
void nsLocalFile::EnsureShortPath()
{
[...]
WCHAR thisshort[MAX_PATH];
DWORD thisr = ::GetShortPathNameW(mWorkingPath.get(), thisshort,
sizeof(thisshort));
[...]
}
|
||
Comment 1•14 years ago
|
||
I don't think this is actually a security problem because we never use \\?\ style paths, so they cannot be longer than MAX_PATH. But we should still fix the code.
Assignee: nobody → netzen
Group: core-security
Whiteboard: [sg:nse]
|
Assignee | |
Comment 2•14 years ago
|
||
Attachment #562479 -
Flags: review?(benjamin)
|
|
||
Updated•14 years ago
|
Attachment #562479 -
Flags: review?(benjamin) → review+
|
|
Assignee | |
Comment 3•14 years ago
|
||
|
|
Assignee | |
Comment 4•14 years ago
|
||
Pushed to inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/c872ba5d7b05
|
||
Comment 5•14 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4ca939ac46fa
I accidentally pushed this patch to mozilla-central while it was living on inbound. On the next merge, it will be merged. Sorry for the mess!
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
|
|
||
Comment 6•14 years ago
|
||
Merged from inbound: https://hg.mozilla.org/mozilla-central/rev/c872ba5d7b05
You need to log in
before you can comment on or make changes to this bug.
Description
•