Closed Bug 706249 Opened 8 years ago Closed 8 years ago

"ASSERTION: We've overflowed the mSpec buffer" in nsStandardURL::BuildNormalizedSpec


(Core :: Networking, defect)

Not set



Tracking Status
firefox8 - wontfix
firefox9 - verified
firefox10 + verified
firefox11 + verified
status1.9.2 --- unaffected


(Reporter: jruderman, Assigned: jesup)


(Blocks 1 open bug)


(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa!])


(3 files)

Attached file testcase
###!!! ASSERTION: We've overflowed the mSpec buffer!: 'mSpec.Length() <= approxLen', file netwerk/base/src/nsStandardURL.cpp, line 697

The last major change to this function was in bug 125608.
Attached file stack trace
Caused by the null password entry.  Could fix by omitting it if empty, but that would be a change in behavior and it's not clear if that would even be correct (i.e. a null password is a password), so enforce adding one byte for a password (for the ':') even if the field is empty.  Patch follows.
Assignee: nobody → rjesup
OS: Mac OS X → All
Hardware: x86_64 → All
Attached patch Patch with testsSplinter Review
Tested; asserts without code fix, no assert with it
Attachment #577837 - Flags: review?(bzbarsky)
Worst-case analysis of this bug is it writes a '\0' to the byte following the allocation in some (not all) cases where the password is given but empty.
Whiteboard: [sg:critical]
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

Attachment #577837 - Flags: review?(bzbarsky) → review+
blocking1.9.2: ? → .25+
inbound via

The original bug never existed in 1.9.x -> unaffected

Once it's green and merged to m-c I'll ask for approvals for Aurora and Beta
blocking1.9.2: .25+ → ---
Whiteboard: [sg:critical] → [sg:critical][inbound]
Merged to m-c
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical][inbound] → [sg:critical]
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

Now in m-c; we should get it into aurora and beta soon
Attachment #577837 - Flags: approval-mozilla-beta?
Attachment #577837 - Flags: approval-mozilla-aurora?
Comment on attachment 577837 [details] [diff] [review]
Patch with tests

[Triage Comment]
Please land this sg:crit bug on aurora/beta asap so that we can bake this on beta for ~2 weeks.
Attachment #577837 - Flags: approval-mozilla-beta?
Attachment #577837 - Flags: approval-mozilla-beta+
Attachment #577837 - Flags: approval-mozilla-aurora?
Attachment #577837 - Flags: approval-mozilla-aurora+

Tracking for FF9 was confused - it is affected, and it was also approved for beta, so marking fixed.  Didn't touch tracking (JST?)
Whiteboard: [sg:critical] → [sg:critical][qa+]
Verified fixed with the following tinderbox debug builds:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111214 Firefox/11.0a1

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a2) Gecko/20111214 Firefox/10.0a2

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111212 Firefox/9.0

Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111208 Firefox/9.0

I was not able to check on Windows because all the tinderbox debug builds seem to be broken and I can't start those.
Flags: in-testsuite+
Flags: in-litmus-
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Target Milestone: --- → mozilla11
Whiteboard: [sg:critical][qa-] → [sg:critical][qa!]
Group: core-security
You need to log in before you can comment on or make changes to this bug.