Closed
Bug 706249
Opened 13 years ago
Closed 13 years ago
"ASSERTION: We've overflowed the mSpec buffer" in nsStandardURL::BuildNormalizedSpec
Categories
(Core :: Networking, defect)
VERIFIED
FIXED
mozilla11
People
(Reporter: jruderman, Assigned: jesup)
References
Details
(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa!])
Attachments
(3 files)
24 bytes, text/html
2.53 KB, text/plain
4.84 KB, patch (bzbarsky: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+)
###!!! ASSERTION: We've overflowed the mSpec buffer!: 'mSpec.Length() <= approxLen', file netwerk/base/src/nsStandardURL.cpp, line 697
The last major change to this function was in bug 125608.
Reporter
Comment 1•13 years ago
Assignee
Comment 2•13 years ago
Caused by the null password entry. Could fix by omitting it if empty, but that would be a change in behavior and it's not clear if that would even be correct (i.e. a null password is a password), so enforce adding one byte for a password (for the ':') even if the field is empty. Patch follows.
Assignee: nobody → rjesup
Assignee
Updated•13 years ago
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee
Comment 3•13 years ago
Tested; asserts without code fix, no assert with it
Assignee
Updated•13 years ago
Attachment #577837 - Flags: review?(bzbarsky)
Assignee
Comment 4•13 years ago
Worst-case analysis of this bug is it writes a '\0' to the byte following the allocation in some (not all) cases where the password is given but empty.
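The off-by-one described in comments 2 and 4, as an added C example that is not part of the bug thread and is not Mozilla's code: it compares a length estimate that skips the ':' for an empty password with one that always budgets it. The struct, function names and sample URLs are hypothetical, and treating NULL as "component absent" is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not Mozilla's code: NULL = absent, "" = present but empty. */
struct url_parts { const char *scheme, *user, *pass, *host; };
/* Constructed sample inputs. */
static const struct url_parts NO_PW    = { "http", "user", NULL, "example.test" };
static const struct url_parts EMPTY_PW = { "http", "user", "",   "example.test" };
static const struct url_parts WITH_PW  = { "http", "user", "pw", "example.test" };

/* Estimate that budgets the ':' only when the password is non-empty. */
static size_t approx_len_unpadded(const struct url_parts *p) {
    size_t n = strlen(p->scheme) + 3 + strlen(p->host);      /* "://" */
    if (p->user) {
        n += strlen(p->user) + 1;                            /* '@' */
        if (p->pass && p->pass[0] != '\0')
            n += 1 + strlen(p->pass);                        /* ':' + password */
    }
    return n;
}

/* Estimate that always budgets one byte for ':', as comment 2 proposes. */
static size_t approx_len_padded(const struct url_parts *p) {
    size_t n = strlen(p->scheme) + 3 + strlen(p->host);
    if (p->user)
        n += strlen(p->user) + 1 + 1 + (p->pass ? strlen(p->pass) : 0);
    return n;
}

/* Length the serialized spec really needs; snprintf(NULL, 0, ...) only counts. */
static size_t spec_len(const struct url_parts *p) {
    int n;
    if (!p->user)      n = snprintf(NULL, 0, "%s://%s", p->scheme, p->host);
    else if (!p->pass) n = snprintf(NULL, 0, "%s://%s@%s", p->scheme, p->user, p->host);
    else               n = snprintf(NULL, 0, "%s://%s:%s@%s", p->scheme, p->user, p->pass, p->host);
    return n < 0 ? 0 : (size_t)n;
}

/* Bytes by which the spec exceeds an estimate; 0 means the assertion holds. */
static size_t overshoot(const struct url_parts *p, size_t approx) {
    size_t need = spec_len(p);
    return need > approx ? need - approx : 0;
}

int main(void) {
    printf("empty password, unpadded: %zu over\n", overshoot(&EMPTY_PW, approx_len_unpadded(&EMPTY_PW)));
    printf("empty password, padded:   %zu over\n", overshoot(&EMPTY_PW, approx_len_padded(&EMPTY_PW)));
    return 0;
}
```

Only the present-but-empty password trips the unpadded estimate; the padded estimate over-budgets by one byte when no password is given, which still satisfies a `length <= approxLen` check.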
Reporter
Updated•13 years ago
Whiteboard: [sg:critical]
Updated•13 years ago
blocking1.9.2: --- → ?
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → wontfix
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → -
Updated•13 years ago
status1.9.2: --- → wanted
Comment 5•13 years ago
Comment on attachment 577837
Patch with tests
r=me
Attachment #577837 - Flags: review?(bzbarsky) → review+
Updated•13 years ago
blocking1.9.2: ? → .25+
Assignee
Comment 6•13 years ago
inbound via https://hg.mozilla.org/integration/mozilla-inbound/rev/8304db7e46bb
The original bug never existed in 1.9.x -> unaffected
Once it's green and merged to m-c I'll ask for approvals for Aurora and Beta
blocking1.9.2: .25+ → ---
Whiteboard: [sg:critical] → [sg:critical][inbound]
Assignee
Comment 7•13 years ago
Merged to m-c
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical][inbound] → [sg:critical]
Assignee
Comment 8•13 years ago
Comment on attachment 577837
Patch with tests
Now in m-c; we should get it into aurora and beta soon
Attachment #577837 - Flags: approval-mozilla-beta?
Attachment #577837 - Flags: approval-mozilla-aurora?
Comment 9•13 years ago
Comment on attachment 577837
Patch with tests
[Triage Comment]
Please land this sg:crit bug on aurora/beta asap so that we can bake this on beta for ~2 weeks.
Attachment #577837 - Flags: approval-mozilla-beta?
Attachment #577837 - Flags: approval-mozilla-beta+
Attachment #577837 - Flags: approval-mozilla-aurora?
Attachment #577837 - Flags: approval-mozilla-aurora+
Assignee
Comment 10•13 years ago
Aurora: https://hg.mozilla.org/releases/mozilla-aurora/rev/12c96ed8154d
Beta: https://hg.mozilla.org/releases/mozilla-beta/rev/9f3a16bf8afc
Tracking for FF9 was confused - it is affected, and it was also approved for beta, so marking fixed. Didn't touch tracking (JST?)
Comment 11•13 years ago
Verified fixed with the following tinderbox debug builds:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111214 Firefox/11.0a1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111214 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111212 Firefox/9.0
Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111208 Firefox/9.0
I was not able to check on Windows because all the tinderbox debug builds seem to be broken and I can't start those.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Target Milestone: --- → mozilla11
Updated•13 years ago
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical][qa!] → [sg:critical][qa-]
Updated•13 years ago
Whiteboard: [sg:critical][qa-] → [sg:critical][qa!]
Updated•13 years ago
Group: core-security