Closed Bug 843434 Opened 10 years ago Closed 10 years ago

Assertion failure in nsUnicharStreamLoader::WriteSegmentFun with ISO-2022-JP

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox20 - affected
firefox21 + fixed
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Assigned: jaas)

References

Details

(4 keywords, Whiteboard: [adv-main21+])

Attachments

(4 files, 2 obsolete files)

testcase
67 bytes, text/html
Details
stack
4.90 KB, text/plain
Details
testcase 2: <script>
62 bytes, text/html
Details
fix v1.1 w/test
2.96 KB, patch
emk
: review+
bajaj
: approval-mozilla-beta+
lsblakk
: approval-mozilla-release-
Details | Diff | Splinter Review
Attached file testcase 
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(rv)), 1))), at netwerk/base/src/nsUnicharStreamLoader.cpp:218

  213	  DebugOnly<nsresult> rv =
  214	    self->mDecoder->Convert(aSegment,
  215	                            &srcLen,
  216	                            self->mBuffer.BeginWriting() + haveRead,
  217	                            &dstLen);
* 218	  MOZ_ASSERT(NS_SUCCEEDED(rv));
  219	  MOZ_ASSERT(srcLen == static_cast<int32_t>(aCount));
  220	  haveRead += dstLen;
  221
  222	  self->mBuffer.SetLength(haveRead);
Attached file stack 

    
    

    
  
ISO-2022-JP decoder should honor the mErrBehavior...

    
    

    
  
is dstLen initialized to something or did line 220-222 just incorporate a random amount of junk into the string?
Keywords: sec-moderate

    
  
Assignee: nobody → sworkman

    
    

    
  
dstLen is initialized by GetMaxLength in line 206.

    
    

    
  

      
      
      
      

        Attached file
          
        testcase 2: <script>
      

    


  
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(rv)), 1))), at ../../../../content/base/src/nsScriptLoader.cpp:1070

    
    

    
  
(In reply to Masatoshi Kimura [:emk] from comment #2)
> ISO-2022-JP decoder should honor the mErrBehavior...

Can you explain this further?

The error code causing the assertion comes from nsISO2022JPToUnicodeV2::Convert:

================
       switch(mState)
       {
          case mState_ASCII:
            if(0x1b == *src)
            {
              mLastLegalState = mState;
              mState = mState_ESC;
            } else if(*src & 0x80) {
ERROR->       goto error2;
            } else {
              if (CHECK_OVERRUN(dest, destEnd, 1))
                goto error1;
              *dest++ = (PRUnichar) *src;
            }
          break;
================

The state is mState_ASCII, and "if(*src & 0x80)" is true.

    
    

    
  
(In reply to Josh Aas (Mozilla Corporation) from comment #6)
> (In reply to Masatoshi Kimura [:emk] from comment #2)
> > ISO-2022-JP decoder should honor the mErrBehavior...
> 
> Can you explain this further?

1. If mErrBehavior is not kOnError_Signal (default), the ISO-2022-JP decoder should replace the offending char with a REPLACEMENT CHARACTER (U+FFFD) rather than throwing NS_ERROR_UNEXPECTED.
2. Even if mErrBehavior is kOnError_Signal, the thrown error should be NS_ERROR_ILLEGAL_INPUT.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v1.0 (obsolete)
        — Splinter Review
      

    


  
Thanks for the info.

This avoids the assertion in the first test case, and gives what I'd expect for an error in the script case. I don't really know what this code is supposed to be doing though, so please review carefully!

        Attachment #722639 -
        Flags: review?(VYV03354)

    
    

    
  
Comment on attachment 722639 [details] [diff] [review]
fix v1.0

You need to call CHECK_OVERRUN every time you write to dest.

        Attachment #722639 -
        Flags: review?(VYV03354) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v1.1 (obsolete)
        — Splinter Review
      

    


  
Like so?

        Attachment #722639 -
        Attachment is obsolete: true

        Attachment #722911 -
        Flags: review?(VYV03354)

    
    

    
  
I will also write a test for this.

    
  
Assignee: sworkman → joshmoz

        Attachment #722911 -
        Flags: review?(VYV03354) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v1.1 w/testSplinter Review
      

    


  
This test works, but there may be a better test. The test here fails if the assertion is triggered.

        Attachment #722911 -
        Attachment is obsolete: true

        Attachment #723468 -
        Flags: review?(VYV03354)

        Attachment #723468 -
        Flags: review?(VYV03354) → review+

    
  

        Attachment #723468 -
        Flags: review?(smontagu)

    
    

    
  
Comment on attachment 723468 [details] [diff] [review]
fix v1.1 w/test

Canceling second review, turns out emk is a peer. Had smontagu update the module owernship wiki.

        Attachment #723468 -
        Flags: review?(smontagu)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8d7a31fbb879
Status: NEW → RESOLVED
Closed: 10 years ago

          status-firefox22:
          --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22

    
    

    
  
I found another testcase that still trips the assertion.  Filed bug 851982.

    
    

    
  
Comment on attachment 723468 [details] [diff] [review]
fix v1.1 w/test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 638379
User impact if declined: Some Japanese production sites are broken (see bug 858433).
Testing completed (on m-c, etc.): on m-c and aurora
Risk to taking this patch (and alternatives if risky): very low
String or IDL/UUID changes made by this patch: none

        Attachment #723468 -
        Flags: approval-mozilla-release?

        Attachment #723468 -
        Flags: approval-mozilla-beta?
Blocks: 858433

    
    

    
  
Approving on beta, as this is a recent regression from Bug 638379, which has impacted a few Japanese websites .The patch fixes the broken websites and is low risk,well baked on m-c and aurora.

Please land asap for this to make it into our next beta going to build tomorrow morning PT .

        Attachment #723468 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
Since this is sec-moderate, and we don't have indications that a large number of sites are affected, we'll ship this fix in FF21.

          tracking-firefox20:
          ?-

        Attachment #723468 -
        Flags: approval-mozilla-release? → approval-mozilla-release-
Whiteboard: [adv-main21+]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.