Bug 785208 (Closed): nssutil_escapeQuotesSize returns the wrong size
Opened 13 years ago, closed 13 years ago

Product / Component: NSS :: Libraries
Type: defect
Version: 3.14
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status: firefox-esr10 wontfix; firefox-esr17 fixed
Reporter: ted
Assignee: ted
Attachments: 2 files

nssutil_escapeQuotesSize seems to be broken. Compare the new code: http://mxr.mozilla.org/security/source/security/nss/lib/util/utilpars.c#318 with the old code in secmod_doubleEscapeSize: http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/pk11pars.c#749 It's not returning a large enough buffer, which means that NSSUTIL_DoubleEscape winds up writing off the end of the buffer. I noticed this because I ran a debug build from alder (which has pulled in a pre-release 3.14 trunk snapshot of NSS) on Windows (where the CRT does heap checking).
This causes Firefox to crash on startup due to heap corruption when Ted ran it on a Windows (debug) build.
Group: core-security
Keywords: crash, regression
OS: Linux → All
Hardware: x86_64 → All
Kai, I think this bug has to be fixed before NSS 3.14 release and before NSS 3.14 can be integrated into mozilla-central, based on Ted's report that this causes Firefox to crash at startup. I am not sure if it is a security issue, but it is a buffer overflow so I marked it as a security bug just in case.
Bob, it seems like this is caused by the patch for bug 753116, which is assigned to you, and which is still open, so I'm going to defer to you on this.
Assignee: nobody → rrelyea
Attached file stack
Here's the stack from my startup crash, FWIW. It's a little confusing because the CRT tries to display a MessageBox to show the assertion text, but our event loop re-enters and then we deadlock, but you can see that the heap corruption is detected under the call to PORT_Free_Util from nss_InitModules.
This patch (against the alder branch's mercurial repository) fixes the issue for me. It simply makes nssutil_escapeQuotesSize return the same length as secmod_escapeSize.
Attachment #656019 - Flags: review?(rrelyea)
Target Milestone: --- → 3.14
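The failure mode in this bug is a size function and a writer that disagree: the writer emits more bytes than the size function allocated, so the NUL (or the last escaped character) lands past the end of the heap block. The following is an added example, not NSS's code and not the patch on this bug: a simplified re-implementation of the escape-size / escape-writer pair with the size rule the report attributes to secmod_escapeSize (one extra byte per escaped character plus one for the terminator), a two-round double escape, and a self-check that compares the computed size with what the writer actually produced. Function names are mine; the convention that a backslash is escaped as well as the quote character is assumed from NSS's escaping rules and is not stated on this page. The writer is bounds-checked, so a size/writer mismatch fails closed with NULL instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes (including the NUL) needed to escape every `quote` and every
 * backslash in `s` with a preceding backslash: one extra byte per escaped
 * character, plus one for the terminator. Simplified re-implementation for
 * illustration, not NSS's nssutil_escapeQuotesSize. */
static size_t escape_size(const char *s, char quote)
{
    size_t size = 1; /* terminating NUL */
    for (; *s; s++) {
        size++;
        if (*s == quote || *s == '\\')
            size++; /* room for the backslash */
    }
    return size;
}

/* Write the escaped form of `s` into a buffer of exactly escape_size()
 * bytes. Every write is checked against `cap`, so if the size function ever
 * undercounts, the result is a NULL return rather than a write past the
 * end of the allocation. */
static char *escape_quotes(const char *s, char quote)
{
    size_t cap = escape_size(s, quote);
    size_t n = 0;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    for (; *s; s++) {
        if (*s == quote || *s == '\\') {
            if (n + 1 >= cap) goto overflow;
            out[n++] = '\\';
        }
        if (n + 1 >= cap) goto overflow;
        out[n++] = *s;
    }
    out[n] = '\0';
    return out;
overflow:
    free(out);
    return NULL;
}

/* Two rounds of escaping, the shape NSSUTIL_DoubleEscape has: the second
 * round sizes its buffer from the already-escaped output of the first, not
 * from the original string. */
static char *double_escape(const char *s, char q1, char q2)
{
    char *round1 = escape_quotes(s, q1);
    char *round2 = NULL;
    if (round1) {
        round2 = escape_quotes(round1, q2);
        free(round1);
    }
    return round2;
}

/* The check a reviewer would want: does the size function agree with the
 * bytes the writer produced? 1 if strlen(result) + 1 == escape_size(). */
static int size_matches_writer(const char *s, char quote)
{
    char *e = escape_quotes(s, quote);
    int ok = e != NULL && strlen(e) + 1 == escape_size(s, quote);
    free(e);
    return ok;
}

/* Result helpers: 1 if escaping (or double-escaping) `s` yields `expected`. */
static int escapes_to(const char *s, char quote, const char *expected)
{
    char *e = escape_quotes(s, quote);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

static int double_escapes_to(const char *s, char q1, char q2, const char *expected)
{
    char *e = double_escape(s, q1, q2);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void)
{
    /* Constructed sample: a module-spec-like string with embedded quotes. */
    const char *spec = "name=\"a \\\"quoted\\\" token\"";
    char *d = double_escape(spec, '"', '\'');
    printf("%s\n", d ? d : "(size/writer mismatch detected)");
    free(d);
    return 0;
}
```

The point of `size_matches_writer` is that it is cheap to keep in a debug build: any edit to either function that breaks the agreement shows up as a failed check on ordinary inputs, rather than as a CRT heap-check assertion deep inside a later free.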
Comment on attachment 656019 [details] [diff] [review] fix nssutil_escapeQuotesSize
r+. The patch is both right and necessary. bob
Attachment #656019 - Flags: review?(rrelyea) → review+
Checking in utilpars.c;
/cvsroot/mozilla/security/nss/lib/util/utilpars.c,v  <--  utilpars.c
new revision: 1.2; previous revision: 1.1
done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
FWIW, I think we could open this up because this never shipped in any release version of NSS or Firefox, AFAIK.
Assignee: rrelyea → ted
Group: core-security → core-security-release
Group: core-security-release