Closed Bug 798065 Opened 12 years ago Closed 12 years ago

integer underflow in nsTArray::LastIndexOf with empty array

Categories

(Core :: XPCOM, defect)

x86
macOS
defect
Not set
normal


RESOLVED FIXED
mozilla18

People

(Reporter: wchen, Assigned: wchen)

Details

Attachments

(1 file, 1 obsolete file)

The offending line of code is start = Length() - 1; both start and Length() are uint32_t. When we have an empty array, Length() = 0 and Length() - 1 results in UINT32_MAX, which causes an invalid memory read. Fortunately I only found usage of LastIndexOf in test cases.
Attachment #668206 - Flags: review?(jones.chris.g)
Attachment #668206 - Flags: review?(jones.chris.g) → review+
No code changes. Added r=cjones to patch description.
Attachment #668206 - Attachment is obsolete: true
Attachment #668526 - Flags: review?(jones.chris.g)
Comment on attachment 668526: Bug 798065 - Fix integer underflow in nsTArray::LastIndexOf. You don't need to request re-review for that.
Attachment #668526 - Flags: review?(jones.chris.g) → review+
Keywords: checkin-needed
(In reply to Ryan VanderMeulen from comment #4)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/8c53914f34b0
>
> Should this have a test?

There is a compiled code test included in the patch.
(In reply to William Chen from comment #0)
> start = Length() - 1;

So if the code had been written iter = end + (start + 1) then it would have been correct?
Flags: in-testsuite? → in-testsuite+
(In reply to neil@parkwaycc.co.uk from comment #6)
> (In reply to William Chen from comment #0)
> > start = Length() - 1;
> So if the code had been written iter = end + (start + 1) then it would have
> been correct?

Yes
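The following is an added illustration, not the patch attached to this bug and not Mozilla's nsTArray code. It uses a constructed SimpleArray type to reproduce the uint32_t underflow described in comment #0 (start = Length() - 1 on an empty array), shows the fixed form that returns NoIndex before touching Length() - 1, and demonstrates the point raised in comments #6 and #7: with start already wrapped to UINT32_MAX, the uint32_t sum start + 1 wraps to 0, so a pointer formed as end + (start + 1) would have equalled end and the loop would never have dereferenced anything. All names (SimpleArray, ClampStartUnderflow, WrappedStartPlusOne) are assumptions made for this example.

```cpp
// Added example (not Mozilla's nsTArray code): a minimal array with a
// vulnerable start clamp, a fixed LastIndexOf, and the wrapped-sum
// observation from the discussion. Names are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <vector>

using index_type = uint32_t;
static const index_type NoIndex = index_type(-1);

struct SimpleArray {
    std::vector<int> elems;
    index_type Length() const { return static_cast<index_type>(elems.size()); }
    const int* Elements() const { return elems.data(); }
};

// Vulnerable form of the start clamp from comment #0: on an empty array
// Length() - 1 is 0u - 1, which underflows to UINT32_MAX. The clamped value
// is returned rather than used as an index so the demonstration stays safe.
index_type ClampStartUnderflow(const SimpleArray& a, index_type start) {
    if (start >= a.Length())
        start = a.Length() - 1;   // 0 - 1 == UINT32_MAX for an empty array
    return start;
}

// Fixed form: an empty array cannot contain the item, so return NoIndex
// before doing any arithmetic on Length(). Searches backwards from
// elems[start] (default: the last element) down to elems[0].
index_type LastIndexOf(const SimpleArray& a, int item, index_type start = NoIndex) {
    const index_type len = a.Length();
    if (len == 0)
        return NoIndex;
    if (start >= len)
        start = len - 1;          // safe: len >= 1 here
    const int* begin = a.Elements();
    for (const int* iter = begin + start; ; --iter) {
        if (*iter == item)
            return static_cast<index_type>(iter - begin);
        if (iter == begin)
            break;                // stop before stepping past the front
    }
    return NoIndex;
}

// Comments #6/#7: with start == UINT32_MAX, the uint32_t addition start + 1
// wraps to 0, so end + (start + 1) would have been end and the loop body
// would not have run. This helper exposes that modular sum.
index_type WrappedStartPlusOne(index_type start) {
    return start + 1;             // modular uint32_t arithmetic
}
```

The fixed version also makes the loop termination explicit: it compares against the first element instead of a pointer one before the buffer, so no arithmetic ever produces an out-of-bounds pointer even for a one-element array.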
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
