Closed Bug 798065 Opened 10 years ago Closed 10 years ago
integer underflow in nsTArray::LastIndexOf with empty array
The offending line of code is start = Length() - 1; both start and Length() are uint32_t. When we have an empty array, Length() = 0 and Length() - 1 results in UINT32_MAX, which causes an invalid memory read. Fortunately I only found usage of LastIndexOf in test cases.
Attachment #668206 - Flags: review?(jones.chris.g) → review+
No code changes. Added r=cjones to patch description.
Comment on attachment 668526: Bug 798065 - Fix integer underflow in nsTArray::LastIndexOf.
You don't need to request re-review for that.
Attachment #668526 - Flags: review?(jones.chris.g) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/8c53914f34b0

Should this have a test?

(In reply to Ryan VanderMeulen from comment #4)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/8c53914f34b0
>
> Should this have a test?

There is a compiled code test included in the patch.

(In reply to William Chen from comment #0)
> start = Length() - 1;

So if the code had been written iter = end + (start + 1) then it would have been correct?

(In reply to email@example.com from comment #6)
> (In reply to William Chen from comment #0)
> > start = Length() - 1;
> So if the code had been written iter = end + (start + 1) then it would have
> been correct?

Yes
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
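The wrap from comment 0 and the grouping question from comments 6 and 7, as an added example that is not Mozilla's patch or code from this bug. It assumes the original expression was the ungrouped `end + start + 1` on a 64-bit build and models pointer offsets as 64-bit integers so nothing out of bounds is read; all function names are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint32_t kNoIndex = UINT32_MAX;  // hypothetical "not found" value

// The clamp from comment 0: with length == 0 the subtraction wraps.
uint32_t ClampWrapping(uint32_t start, uint32_t length) {
  if (start >= length) start = length - 1;  // 0 - 1 == UINT32_MAX
  return start;
}

// Element offset from the one-before-first sentinel `end` to the first slot
// read, modeled with 64-bit integers instead of real pointers.
// end + start + 1 parses as (end + start) + 1: start is widened before the +1.
uint64_t OffsetUngrouped(uint32_t start) { return uint64_t(start) + 1; }
// end + (start + 1): the 32-bit add wraps to 0 before it reaches the pointer.
uint64_t OffsetGrouped(uint32_t start) { return uint64_t(uint32_t(start + 1)); }

// Hardened search: derive an element count, never "length - 1".
uint32_t LastIndexOf(const std::vector<int>& a, int item,
                     uint32_t start = kNoIndex) {
  const uint32_t len = static_cast<uint32_t>(a.size());
  const uint32_t count = start >= len ? len : start + 1;  // 0 when empty
  for (uint32_t i = count; i-- > 0;) {
    if (a[i] == item) return i;
  }
  return kNoIndex;
}

int main() {
  const uint32_t s = ClampWrapping(kNoIndex, 0);  // empty array
  std::printf("clamped start    = %u\n", s);
  std::printf("ungrouped offset = %llu\n",
              static_cast<unsigned long long>(OffsetUngrouped(s)));
  std::printf("grouped offset   = %llu\n",
              static_cast<unsigned long long>(OffsetGrouped(s)));
  std::printf("hardened search on empty array = %u\n",
              LastIndexOf(std::vector<int>{}, 7));
  return 0;
}
```

The grouped form only yields a zero offset because the 32-bit add wraps a second time; computing a count that is 0 for an empty array avoids relying on wraparound at all.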