Closed Bug 706249 Opened 8 years ago Closed 8 years ago
"ASSERTION: We've overflowed the mSpec buffer" in nsStandardURL::BuildNormalizedSpec
###!!! ASSERTION: We've overflowed the mSpec buffer!: 'mSpec.Length() <= approxLen', file netwerk/base/src/nsStandardURL.cpp, line 697
The last major change to this function was in bug 125608.
Caused by the null password entry. Could fix by omitting it if empty, but that would be a change in behavior and it's not clear if that would even be correct (i.e. a null password is a password), so enforce adding one byte for a password (for the ':') even if the field is empty. Patch follows.
Assignee: nobody → rjesup
OS: Mac OS X → All
Hardware: x86_64 → All
Tested; asserts without code fix, no assert with it
Attachment #577837 - Flags: review?(bzbarsky)
Worst-case analysis of this bug is it writes a '\0' to the byte following the allocation in some (not all) cases where the password is given but empty.
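The miscount discussed in the comments above, as an added example that is not the patch or Mozilla's code: a simplified C++ model in which the length estimate skips the ':' for a present-but-empty password while the writer still emits it. All names (`Segment`, `UrlParts`, `approx_len`, `build_spec`, `overshoot`) and the sample URL are constructed for illustration, and the model's estimate is exact, so the miscount always shows as one byte.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Simplified model, not Mozilla's code. len < 0: component absent;
// len == 0: present but empty, as in "user:@host".
struct Segment { std::string text; int len; };

struct UrlParts {
    std::string scheme, host;
    Segment username, password;
};

// Length estimate used to size the output buffer. With fixed == false the
// ':' is counted only for a non-empty password (the miscount described in
// the bug); with fixed == true it is counted whenever a password is present.
size_t approx_len(const UrlParts& u, bool fixed) {
    size_t n = u.scheme.size() + 3;  // "://"
    if (u.username.len >= 0) {
        n += u.username.text.size() + 1;  // username + '@'
        bool count = fixed ? u.password.len >= 0 : u.password.len > 0;
        if (count) n += u.password.text.size() + 1;  // ':' + password
    }
    return n + u.host.size();
}

// Writer: emits ':' whenever a password is present, empty or not.
std::string build_spec(const UrlParts& u) {
    std::string s = u.scheme + "://";
    if (u.username.len >= 0) {
        s += u.username.text;
        if (u.password.len >= 0) s += ':' + u.password.text;
        s += '@';
    }
    return s + u.host;
}

// Bytes written past the estimate; 0 means the buffer was large enough.
size_t overshoot(const UrlParts& u, bool fixed) {
    size_t need = build_spec(u).size(), have = approx_len(u, fixed);
    return need > have ? need - have : 0;
}

int main() {
    UrlParts u{"http", "example.com", {"user", 4}, {"", 0}};  // constructed
    std::printf("%s before=%zu after=%zu\n", build_spec(u).c_str(),
                overshoot(u, false), overshoot(u, true));
}
```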
Comment on attachment 577837: Patch with tests
r=me
Attachment #577837 - Flags: review?(bzbarsky) → review+
inbound via https://hg.mozilla.org/integration/mozilla-inbound/rev/8304db7e46bb
The original bug never existed in 1.9.x -> unaffected
Once it's green and merged to m-c I'll ask for approvals for Aurora and Beta
Merged to m-c
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical][inbound] → [sg:critical]
Comment on attachment 577837: Patch with tests
Now in m-c; we should get it into aurora and beta soon
Comment on attachment 577837: Patch with tests
[Triage Comment] Please land this sg:crit bug on aurora/beta asap so that we can bake this on beta for ~2 weeks.
Aurora: https://hg.mozilla.org/releases/mozilla-aurora/rev/12c96ed8154d
Beta: https://hg.mozilla.org/releases/mozilla-beta/rev/9f3a16bf8afc
Tracking for FF9 was confused - it is affected, and it was also approved for beta, so marking fixed. Didn't touch tracking (JST?)
Verified fixed with the following tinderbox debug builds:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111214 Firefox/11.0a1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111214 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111212 Firefox/9.0
Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111208 Firefox/9.0
I was not able to check on Windows because all the tinderbox debug builds seem to be broken and I can't start those.
Whiteboard: [sg:critical][qa-] → [sg:critical][qa!]