Closed Bug 770534 Opened 8 years ago Closed 6 years ago
possible pointer overflow in PL
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120601 Firefox/10.0.5
Build ID: 20120601031547

Steps to reproduce:

As pointed out by Pascal Cuoq [1,2], the expressions ( a->avail + nb <= a->limit ) and ( a->base + nb <= a->limit ) used in PL_ArenaAllocate() can cause a pointer overflow and consequently undefined behavior. A similar issue was discussed in . I am attaching a patch for the issue suggested by Pascal.

[1] https://groups.google.com/a/sosy-lab.org/d/msg/sv-comp/ylsrp9E0pug/_cDRv8o7JgsJ
[2] https://groups.google.com/a/sosy-lab.org/d/msg/sv-comp/ylsrp9E0pug/31TTjs1MYeQJ
[3] http://lwn.net/Articles/278137/
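Added illustration of the check discussed above (example code, not the attached NSPR patch): the original form `a->avail + nb <= a->limit` is modelled on unsigned integers so that the wrap can be observed without invoking undefined behaviour, beside the overflow-free form that compares the request against the space remaining in the block. The `Arena` struct and the helper names are assumptions standing in for PLArena.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for NSPR's PLArena (assumed layout, example only):
 * base..limit is the block, avail is the first free byte. */
typedef struct {
    unsigned char *base;
    unsigned char *avail;
    unsigned char *limit;
} Arena;

/* The check the bug report objects to, ( a->avail + nb <= a->limit ).
 * Forming a->avail + nb beyond the end of the block is undefined behaviour
 * in C; to show what happens when the addition merely wraps, the pointers
 * are first converted to uintptr_t (unsigned arithmetic wraps modulo 2^N).
 * This form is kept only to demonstrate the failure; do not use it. */
bool naive_has_room(const Arena *a, size_t nb)
{
    uintptr_t avail = (uintptr_t)a->avail;
    uintptr_t limit = (uintptr_t)a->limit;
    return avail + nb <= limit;   /* wraps for a large nb */
}

/* Overflow-free form: compare the request against the space that is left.
 * avail and limit point into the same block, so the subtraction is defined
 * and cannot overflow, and a huge nb is rejected. */
bool safe_has_room(const Arena *a, size_t nb)
{
    return nb <= (size_t)(a->limit - a->avail);
}

/* Builds an arena over a caller-supplied buffer with `used` bytes taken. */
Arena make_arena(unsigned char *buf, size_t size, size_t used)
{
    Arena a;
    a.base = buf;
    a.limit = buf + size;
    a.avail = buf + used;
    return a;
}
```

With 4 bytes free, both forms agree for small requests, but a request near SIZE_MAX wraps the naive sum below avail and the naive check wrongly reports free space.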
Comment on attachment 638730: 0001-plarena-eliminate-possible-pointer-overflow.patch

r=wtc. Thank you very much for the patch and the reminder for code review. I recently rediscovered this issue and wrote a patch in bug 927687. Sigh.

Patch checked in: https://hg.mozilla.org/projects/nspr/rev/9b26e99c21c3
Assignee: wtc → kdudka
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 4.10.2
Thanks for review and getting the patch upstream!
Do we need a separate bug here for updating NSPR in m-c, aurora, and beta?
If there is no risk of confusion, we can just use this bug for updating NSPR in m-c, aurora, and beta.
I think there is potentially risk of confusion. Let's use bug 935568 for tracking the respective NSPR update.
I think bug 935568 has fixed this by updating NSPR - is that correct? Anything else need doing here?
I do not know much about the relation with other components, switching the needinfo to Kai...
Flags: needinfo?(kdudka) → needinfo?(kaie)
(In reply to email@example.com [:lsblakk] from comment #6)
> I think bug 935568 has fixed this by updating NSPR - is that correct?
> Anything else need doing here?

Correct, we're done, nothing else needed.
Marking statuses up to 25 since this shipped in 25.0.1 (and ESR 24.1.1/17.0.11)