Closed Bug 770534 Opened 9 years ago Closed 8 years ago

possible pointer overflow in PL_ArenaAllocate()


(NSPR :: NSPR, defect, P2)



Tracking Status
firefox25 --- fixed
firefox26 + fixed
firefox27 + fixed
firefox28 + fixed
firefox-esr17 25+ fixed
firefox-esr24 25+ fixed
b2g18 ? affected
b2g-v1.1hd --- affected
b2g-v1.2 --- affected


(Reporter: kdudka, Assigned: kdudka)



(Whiteboard: [qa-])


(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120601 Firefox/10.0.5
Build ID: 20120601031547

Steps to reproduce:

As pointed out by Pascal Cuoq [1,2], the expressions (a->avail + nb <= a->limit) and (a->base + nb <= a->limit) used in PL_ArenaAllocate() can cause a pointer overflow and consequently undefined behavior. A similar issue was discussed in [3]. I am attaching a patch for the issue suggested by Pascal.

Attachment #638730 - Flags: review?(wtc)
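The report above concerns a bounds check of the form `avail + nb <= limit`, which forms a pointer past the end of the arena before comparing it. The following is an added illustration, not NSPR's code and not the attached patch: a toy arena with only the `base`/`avail`/`limit` fields (an assumption; the real PLArena has more members), the overflow-prone check rewritten as unsigned integer arithmetic so its wraparound is well defined and can be observed deterministically, and the remaining-size comparison beside it. Names such as `toy_arena`, `wrapped_check_would_pass` and `fits_remaining` are invented for this example; the 64-byte backing buffer is constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the arena fields the bug concerns (an assumption: the real
 * NSPR PLArena has more members; only base/avail/limit matter here). */
typedef struct {
    char *base;   /* start of the arena's storage */
    char *avail;  /* first free byte */
    char *limit;  /* one past the last usable byte */
} toy_arena;

static char g_storage[64];   /* constructed backing store for the demo */

/* Build an arena over the 64-byte demo buffer. */
toy_arena make_demo_arena(void)
{
    toy_arena a;
    a.base = g_storage;
    a.avail = g_storage;
    a.limit = g_storage + sizeof g_storage;
    return a;
}

/* The shape of the check flagged in the report, written as UNSIGNED integer
 * arithmetic so it is well defined here.  Computing avail + nb first lets a
 * huge nb wrap the address around; the wrapped value compares as <= limit
 * and the request appears to "fit".  With real pointers the same addition is
 * undefined behaviour, so it cannot be relied on even when it seems to work.
 * Assumes uintptr_t is at least as wide as size_t (true on common ABIs). */
int wrapped_check_would_pass(const toy_arena *a, size_t nb)
{
    uintptr_t wrapped = (uintptr_t)a->avail + (uintptr_t)nb;  /* may wrap */
    return wrapped <= (uintptr_t)a->limit;
}

/* Hardened form: compare the request against the space remaining.
 * limit - avail is a difference of two pointers into one object (never
 * negative here), so no pointer is ever formed outside the arena. */
int fits_remaining(const toy_arena *a, size_t nb)
{
    return nb <= (size_t)(a->limit - a->avail);
}

/* Bump allocation using the hardened check; returns NULL when the request
 * does not fit (no arena growth, unlike NSPR, to keep the example short). */
void *toy_arena_alloc(toy_arena *a, size_t nb)
{
    if (!fits_remaining(a, nb))
        return NULL;
    void *p = a->avail;
    a->avail += nb;
    return p;
}

/* Bytes still available, for inspection. */
size_t toy_arena_remaining(const toy_arena *a)
{
    return (size_t)(a->limit - a->avail);
}

int main(void)
{
    toy_arena a = make_demo_arena();
    printf("wrapped check, nb=SIZE_MAX: %s\n",
           wrapped_check_would_pass(&a, SIZE_MAX) ? "passes (wrong)" : "rejects");
    printf("remaining-size check, nb=SIZE_MAX: %s\n",
           fits_remaining(&a, SIZE_MAX) ? "passes" : "rejects (correct)");
    void *p = toy_arena_alloc(&a, 48);
    printf("alloc 48 -> %s, remaining %zu\n",
           p ? "ok" : "NULL", toy_arena_remaining(&a));
    p = toy_arena_alloc(&a, 17);
    printf("alloc 17 -> %s\n", p ? "ok" : "NULL");
    return 0;
}
```

The remaining-size form is the one to reach for whenever a request size comes from a caller: it never materialises an out-of-object pointer, so it stays correct under optimisation and needs no reasoning about what the compiler may assume about pointer arithmetic.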
Comment on attachment 638730 [details] [diff] [review]


Thank you very much for the patch and the reminder for code review.

I recently rediscovered this issue and wrote a patch in bug 927687.

Patch checked in:
Attachment #638730 - Flags: review?(wtc)
Attachment #638730 - Flags: review+
Attachment #638730 - Flags: checked-in+
Assignee: wtc → kdudka
Closed: 8 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 4.10.2
Thanks for review and getting the patch upstream!
Do we need a separate bug here for updating NSPR in m-c, aurora, and beta?
Flags: needinfo?(kdudka)
If there is no risk of confusion, we can just use this bug for updating NSPR in m-c, aurora, and beta.
Flags: needinfo?(kdudka)
I think there is potentially risk of confusion. Let's use bug 935568 for tracking the respective NSPR update.
I think bug 935568 has fixed this by updating NSPR - is that correct? Anything else need doing here?
Flags: needinfo?(kdudka)
I do not know much about the relation with other components, switching the needinfo to Kai...
Flags: needinfo?(kdudka) → needinfo?(kaie)
(In reply to [:lsblakk] from comment #6)
> I think bug 935568 has fixed this by updating NSPR - is that correct?
> Anything else need doing here?

Correct, we're done, nothing else needed.
Flags: needinfo?(kaie)
Whiteboard: [qa-]