Closed
Bug 692817
Opened 13 years ago
Closed 13 years ago
nsA(C)String::SetLength overflow in EncodeInputStream
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
People
(Reporter: mayhemer, Assigned: benjamin)
Details
(Whiteboard: [sg:critical][qa-])
Attachments
(1 file)
946 bytes,
patch
|
dbaron
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
http://hg.mozilla.org/mozilla-central/annotate/bd1411e362fb/xpcom/io/Base64.cpp#l198 Result of |(aCount + 2) / 3 * 4 + aOffset| may overflow based on the argument aCount and aOffset. The resulting buffer size result could be truncated and we'll write (potentially attacker controlled content) past the buffer. Reporting as unconfirmed since I'm not sure there is somewhere an overflow check, but doesn't seems to be, and also not sure this is easily exploitable. I can try to create a test case.
Reporter | ||
Comment 1•13 years ago
|
||
All potential consumers: http://mxr.mozilla.org/mozilla-central/ident?i=Base64EncodeInputStream
Comment 2•13 years ago
|
||
Clearing sg:critical to trigger triage while we confirm a problem here
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
Comment 3•13 years ago
|
||
This has been sg:critical in the past (we had a case in a user of the nspr base64 implementation) and we should just fix it.
Assignee: nobody → benjamin
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical]
Updated•13 years ago
|
status-firefox10:
--- → affected
status-firefox11:
--- → affected
status-firefox8:
--- → wontfix
status-firefox9:
--- → affected
tracking-firefox10:
--- → +
tracking-firefox11:
--- → +
tracking-firefox8:
--- → -
tracking-firefox9:
--- → +
Assignee | ||
Comment 4•13 years ago
|
||
I don't know how to write an automated test for this without allocating 2G of memory, but suggestions welcome.
Attachment #576997 -
Flags: review?(dbaron)
Comment on attachment 576997 [details] [diff] [review] Use 64-bit math and check for overflow, rev. 1 r=dbaron, though it seems like it's probably better to have PRUint64(aCount), i.e.: PRUint64 countlong = (PRUint64(aCount) + 2) / 3 * 4; in case aCount itself is within 2 of PR_UINT32_MAX.
Attachment #576997 -
Flags: review?(dbaron) → review+
Updated•13 years ago
|
Attachment #576997 -
Flags: approval-mozilla-beta?
Attachment #576997 -
Flags: approval-mozilla-aurora?
Comment 6•13 years ago
|
||
bsmedberg, can we get this landed on m-c?
Comment 7•13 years ago
|
||
Comment on attachment 576997 [details] [diff] [review] Use 64-bit math and check for overflow, rev. 1 [Triage Comment] Minusing for aurora and beta, but please re-nominate for aurora once this lands on m-c (we'll stick with - for beta given where we are in the cycle now).
Attachment #576997 -
Flags: approval-mozilla-beta?
Attachment #576997 -
Flags: approval-mozilla-beta-
Attachment #576997 -
Flags: approval-mozilla-aurora?
Attachment #576997 -
Flags: approval-mozilla-aurora-
Comment 8•13 years ago
|
||
I'd still like to get this in for 10, it's a trivial patch for an exploitable bug. Benjamin, can you land this on m-c?
Assignee | ||
Comment 9•13 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa47e51cbd8a
Comment 10•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/aa47e51cbd8a
status-firefox12:
--- → fixed
tracking-firefox12:
--- → +
Comment 11•13 years ago
|
||
Comment on attachment 576997 [details] [diff] [review] Use 64-bit math and check for overflow, rev. 1 Trivial patch for an sg:critical bug, we should IMO fix this on aurora and beta.
Attachment #576997 -
Flags: approval-mozilla-beta?
Attachment #576997 -
Flags: approval-mozilla-beta-
Attachment #576997 -
Flags: approval-mozilla-aurora?
Attachment #576997 -
Flags: approval-mozilla-aurora-
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 12•13 years ago
|
||
Comment on attachment 576997 [details] [diff] [review] Use 64-bit math and check for overflow, rev. 1 [Triage Comment] Approved for aurora and beta based upon the trivial nature of this sg:crit patch.
Attachment #576997 -
Flags: approval-mozilla-beta?
Attachment #576997 -
Flags: approval-mozilla-beta+
Attachment #576997 -
Flags: approval-mozilla-aurora?
Attachment #576997 -
Flags: approval-mozilla-aurora+
http://hg.mozilla.org/releases/mozilla-aurora/rev/bb54e4c3ad09 http://hg.mozilla.org/releases/mozilla-beta/rev/a7beadd61664
Updated•13 years ago
|
status1.9.2:
--- → unaffected
Comment 14•12 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #0) > I can try to create a test case. Were you able to come up with a testcase? QA needs it to verify the fix. Thanks.
Whiteboard: [sg:critical] → [sg:critical][qa?]
Reporter | ||
Comment 15•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #14) > (In reply to Honza Bambas (:mayhemer) from comment #0) > > I can try to create a test case. > > Were you able to come up with a testcase? QA needs it to verify the fix. > Thanks. I wasn't. I could try, but please be patient.
Comment 16•12 years ago
|
||
Sure Honza, thanks. I'd like to get this verified before Firefox 11 is released if at all possible so if I can have it in the next month that would be fine.
Updated•12 years ago
|
status-firefox-esr10:
--- → fixed
Updated•12 years ago
|
tracking-firefox-esr10:
--- → 10+
Comment 17•12 years ago
|
||
Any luck on a testcase here?
Reporter | ||
Comment 18•12 years ago
|
||
No time so far, sorry.
Updated•12 years ago
|
Group: core-security
Comment 19•12 years ago
|
||
qa- until testcase-wanted is satisfied.
Whiteboard: [sg:critical][qa?] → [sg:critical][qa-]
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•