Closed Bug 798065 Opened 7 years ago Closed 7 years ago

integer underflow in nsTArray::LastIndexOf with empty array

Categories

(Core :: XPCOM, defect)

x86
macOS
defect
Not set

Tracking


RESOLVED FIXED
mozilla18

People

(Reporter: wchen, Assigned: wchen)

Details

Attachments

(1 file, 1 obsolete file)

The offending line of code is

start = Length() - 1;

Both start and Length() are uint32_t. When we have an empty array, Length() = 0, and Length() - 1 results in UINT32_MAX, which causes an invalid memory read.

Fortunately I only found usage of LastIndexOf in test cases.
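To make the unsigned arithmetic in comment #0 concrete, the following is an added, self-contained C++ sketch; it is not Mozilla's nsTArray code. TinyArray, UncheckedStart, ElementOffsetParenthesized and ElementOffsetUnparenthesized are hypothetical names chosen for this illustration. UncheckedStart reproduces the offending `start = Length() - 1` computation as pure arithmetic (no memory access) so the UINT32_MAX result can be observed safely; LastIndexOf shows a backward search that first rejects the empty array and then counts down without ever underflowing the index; the two offset helpers show, in index_type arithmetic, why the parenthesisation `end + (start + 1)` behaves differently from `end + start + 1` when start has wrapped to UINT32_MAX.

```cpp
#include <cstdint>
#include <initializer_list>
#include <vector>

// Hypothetical minimal stand-in for an nsTArray-like container (added example,
// not Mozilla's code). index_type is unsigned, as in the bug report.
template <class T>
class TinyArray {
public:
    typedef uint32_t index_type;
    static constexpr index_type NoIndex = ~index_type(0);

    TinyArray() {}
    TinyArray(std::initializer_list<T> init) : mElems(init) {}

    index_type Length() const { return index_type(mElems.size()); }

    // Reproduces the offending clamp "if (start >= Length()) start = Length() - 1;"
    // as plain arithmetic. With length == 0 the subtraction wraps to UINT32_MAX,
    // which a subsequent element read would use as an index.
    static index_type UncheckedStart(index_type length, index_type start) {
        if (start >= length) start = length - 1;   // underflows when length == 0
        return start;
    }

    // Hardened backward search: returns the index of the last element equal to
    // `item` at or before `start` (clamped to the last element), or NoIndex.
    index_type LastIndexOf(const T& item, index_type start = NoIndex) const {
        const index_type len = Length();
        if (len == 0) return NoIndex;              // empty array: nothing to search
        if (start >= len) start = len - 1;         // safe now, len >= 1
        // i takes the values start, start-1, ..., 0; the comparison happens before
        // the decrement, so i never wraps while the body runs.
        for (index_type i = start + 1; i-- > 0;) {
            if (mElems[i] == item) return i;
        }
        return NoIndex;
    }

private:
    std::vector<T> mElems;
};

// Element offset from a one-before-begin pointer `end` when the loop is written
// iter = end + (start + 1): the addition is done in index_type first, so a
// wrapped start (UINT32_MAX) yields 0 and iter == end, i.e. zero iterations.
uint64_t ElementOffsetParenthesized(uint32_t start) {
    uint32_t offset = start + 1;                   // uint32 wraparound intended
    return offset;
}

// Element offset when written iter = end + start + 1: the pointer is advanced by
// `start` elements before the +1, so a wrapped start moves it ~4 Gi elements
// past the buffer and the loop dereferences out of bounds.
uint64_t ElementOffsetUnparenthesized(uint32_t start) {
    return uint64_t(start) + 1;
}
```

For an empty array, UncheckedStart(0, NoIndex) returns UINT32_MAX, which is the value the original code would have used to read past the buffer; the hardened LastIndexOf returns NoIndex without touching memory, and still finds the last match in non-empty arrays.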
Attachment #668206 - Flags: review?(jones.chris.g)
Attachment #668206 - Flags: review?(jones.chris.g) → review+
No code changes. Added r=cjones to patch description.
Attachment #668206 - Attachment is obsolete: true
Attachment #668526 - Flags: review?(jones.chris.g)
Comment on attachment 668526 [details] [diff] [review]
Bug 798065 - Fix integer underflow in nsTArray::LastIndexOf.

You don't need to request re-review for that.
Attachment #668526 - Flags: review?(jones.chris.g) → review+
Keywords: checkin-needed
(In reply to Ryan VanderMeulen from comment #4)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/8c53914f34b0
> 
> Should this have a test?

There is a compiled code test included in the patch.
(In reply to William Chen from comment #0)
> start = Length() - 1;
So if the code had been written iter = end + (start + 1), then it would have been correct?
Flags: in-testsuite? → in-testsuite+
(In reply to neil@parkwaycc.co.uk from comment #6)
> (In reply to William Chen from comment #0)
> > start = Length() - 1;
> So if the code had been written iter = end + (start + 1) then it would have
> been correct?

Yes
https://hg.mozilla.org/mozilla-central/rev/8c53914f34b0
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18