Closed
Bug 798065
Opened 11 years ago
Closed 11 years ago
integer underflow in nsTArray::LastIndexOf with empty array
Categories
(Core :: XPCOM, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
People
(Reporter: wchen, Assigned: wchen)
Details
Attachments
(1 file, 1 obsolete file)
|
1.47 KB,
patch
|
cjones
:
review+
|
Details | Diff | Splinter Review |
The offending line of code is start = Length() - 1; both start and Length() are uint32_t. When we have an empty array Length() = 0 and Length() - 1 results in UINT32_MAX that causes an invalid memory read. Fortunately I only found usage of LastIndexOf in test cases.
|
Assignee | |
Comment 1•11 years ago
|
||
Attachment #668206 -
Flags: review?(jones.chris.g)
|
||
Updated•11 years ago
|
Attachment #668206 -
Flags: review?(jones.chris.g) → review+
|
|
Assignee | |
Comment 2•11 years ago
|
||
No code changes. Added r=cjones to patch description.
Attachment #668206 -
Attachment is obsolete: true
Attachment #668526 -
Flags: review?(jones.chris.g)
Comment on attachment 668526 [details] [diff] [review] Bug 798065 - Fix integer underflow in nsTArray::LastIndexOf. You don't need to request re-review for that.
Attachment #668526 -
Flags: review?(jones.chris.g) → review+
|
|
Assignee | |
Updated•11 years ago
|
Keywords: checkin-needed
|
||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8c53914f34b0 Should this have a test?
Flags: in-testsuite?
Keywords: checkin-needed
|
|
Assignee | |
Comment 5•11 years ago
|
||
(In reply to Ryan VanderMeulen from comment #4) > https://hg.mozilla.org/integration/mozilla-inbound/rev/8c53914f34b0 > > Should this have a test? There is a compiled code test included in the patch.
|
||
Comment 6•11 years ago
|
||
(In reply to William Chen from comment #0) > start = Length() - 1; So if the code had been written iter = end + (start + 1) then it would have been correct?
|
|
||
Updated•11 years ago
|
Flags: in-testsuite? → in-testsuite+
|
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to neil@parkwaycc.co.uk from comment #6) > (In reply to William Chen from comment #0) > > start = Length() - 1; > So if the code had been written iter = end + (start + 1) then it would have > been correct? Yes
|
||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/8c53914f34b0
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in
before you can comment on or make changes to this bug.
Description
•