"ASSERTION: We've overflowed the mSpec buffer" in nsStandardURL::BuildNormalizedSpec

VERIFIED FIXED in Firefox 9

Status

Core
Networking
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: jesup)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla11
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +
in-litmus -

Firefox Tracking Flags

(firefox8- wontfix, firefox9- verified, firefox10+ verified, firefox11+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa!])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 577738 [details]
testcase

###!!! ASSERTION: We've overflowed the mSpec buffer!: 'mSpec.Length() <= approxLen', file netwerk/base/src/nsStandardURL.cpp, line 697

The last major change to this function was in bug 125608.
(Reporter)

Comment 1

5 years ago
Created attachment 577739 [details]
stack trace
(Assignee)

Comment 2

5 years ago
Caused by the null password entry.  Could fix by omitting it if empty, but that would be a change in behavior and it's not clear if that would even be correct (i.e. a null password is a password), so enforce adding one byte for a password (for the ':') even if the field is empty.  Patch follows.
Assignee: nobody → rjesup
(Assignee)

Updated

5 years ago
OS: Mac OS X → All
Hardware: x86_64 → All
(Assignee)

Comment 3

5 years ago
Created attachment 577837 [details] [diff] [review]
Patch with tests

Tested; asserts without code fix, no assert with it
(Assignee)

Updated

5 years ago
Attachment #577837 - Flags: review?(bzbarsky)
(Assignee)

Comment 4

5 years ago
Worst-case analysis of this bug is it writes a '\0' to the byte following the allocation in some (not all) cases where the password is given but empty.
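The length miscount described in comments 2 and 4, modelled as an added example (this is not Mozilla's nsStandardURL code): a pre-allocation estimate that skips the ':' when the password is present but empty sits beside the fixed estimate that always reserves that byte. The struct, function names, URL layout and sample URLs are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <string>

// Constructed model of the userinfo part of a URL. hasPassword is true when a
// ':' followed the username, even if nothing came after it ("user:@host").
struct UrlParts {
    std::string scheme;
    std::string user;
    bool hasPassword;
    std::string password;  // may be empty while hasPassword is true
    std::string host;
    std::string path;
};

// Serializes scheme://user[:password]@host/path. The ':' is emitted whenever
// a password field exists, so an empty password still costs one byte.
static std::string buildSpec(const UrlParts& u) {
    std::string s = u.scheme + "://";
    if (!u.user.empty() || u.hasPassword) {
        s += u.user;
        if (u.hasPassword) { s += ':'; s += u.password; }
        s += '@';
    }
    return s + u.host + u.path;
}

// Buggy estimate: only counts ':' when the password string is non-empty.
// For "user:@host" it is one byte short; a buffer of estimate+1 bytes then
// receives the NUL terminator one past its end (the worst case in comment 4).
static size_t approxLenBuggy(const UrlParts& u) {
    size_t n = u.scheme.size() + 3 + u.host.size() + u.path.size();
    if (!u.user.empty() || u.hasPassword) {
        n += u.user.size() + 1;                               // user + '@'
        if (!u.password.empty()) n += 1 + u.password.size();  // ':' + password
    }
    return n;
}

// Fixed estimate: reserve the ':' whenever a password field is present,
// regardless of its length (the approach described in comment 2).
static size_t approxLenFixed(const UrlParts& u) {
    size_t n = u.scheme.size() + 3 + u.host.size() + u.path.size();
    if (!u.user.empty() || u.hasPassword) {
        n += u.user.size() + 1;
        if (u.hasPassword) n += 1 + u.password.size();
    }
    return n;
}
```

A unit test that builds the spec and compares its length against the estimate, as the patch's test does for the assertion, is what catches this class of off-by-one before it reaches a release.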
(Reporter)

Updated

5 years ago
Whiteboard: [sg:critical]

Updated

5 years ago
blocking1.9.2: --- → ?
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → wontfix
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → -
status1.9.2: --- → wanted

Comment on attachment 577837 [details] [diff] [review]
Patch with tests

r=me
Attachment #577837 - Flags: review?(bzbarsky) → review+
blocking1.9.2: ? → .25+
(Assignee)

Comment 6

5 years ago
inbound via https://hg.mozilla.org/integration/mozilla-inbound/rev/8304db7e46bb

The original bug never existed in 1.9.x -> unaffected

Once it's green and merged to m-c I'll ask for approvals for Aurora and Beta
blocking1.9.2: .25+ → ---
status1.9.2: wanted → unaffected
Whiteboard: [sg:critical] → [sg:critical][inbound]
(Assignee)

Comment 7

5 years ago
Merged to m-c
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical][inbound] → [sg:critical]
(Assignee)

Comment 8

5 years ago
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

Now in m-c; we should get it into aurora and beta soon
Attachment #577837 - Flags: approval-mozilla-beta?
Attachment #577837 - Flags: approval-mozilla-aurora?

Comment 9

5 years ago
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

[Triage Comment]
Please land this sg:crit bug on aurora/beta asap so that we can bake this on beta for ~2 weeks.
Attachment #577837 - Flags: approval-mozilla-beta?
Attachment #577837 - Flags: approval-mozilla-beta+
Attachment #577837 - Flags: approval-mozilla-aurora?
Attachment #577837 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 10

5 years ago
Aurora: https://hg.mozilla.org/releases/mozilla-aurora/rev/12c96ed8154d
Beta: https://hg.mozilla.org/releases/mozilla-beta/rev/9f3a16bf8afc

Tracking for FF9 was confused - it is affected, and it was also approved for beta, so marking fixed.  Didn't touch tracking (JST?)
status-firefox10: affected → fixed
status-firefox11: affected → fixed
status-firefox9: wontfix → fixed
Whiteboard: [sg:critical] → [sg:critical][qa+]

Verified fixed with the following tinderbox debug builds:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111214 Firefox/11.0a1

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111214 Firefox/10.0a2

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111212 Firefox/9.0

Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111208 Firefox/9.0

I was not able to check on Windows because all the tinderbox debug builds seem to be broken and I can't start those.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Target Milestone: --- → mozilla11
status-firefox10: fixed → verified
status-firefox11: fixed → verified
status-firefox9: fixed → verified
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical][qa!] → [sg:critical][qa-]
Whiteboard: [sg:critical][qa-] → [sg:critical][qa!]
Group: core-security