Closed
Bug 871462
Opened 7 years ago
Closed 7 years ago
Clean up String API usages for dom/system/gonk
Categories
(Core :: DOM: Device Interfaces, defect)
Not set
Tracking
()
RESOLVED
FIXED
mozilla24
People
(Reporter: m_kato, Assigned: m_kato)
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main24+])
Attachments
(2 files)
|
4.98 KB,
patch
|
dbaron
:
review+
|
Details | Diff | Splinter Review |
|
5.82 KB,
patch
|
akeybl
:
approval-mozilla-b2g18+
|
Details | Diff | Splinter Review |
No description provided.
|
Assignee | |
Updated•7 years ago
|
Attachment #748718 -
Flags: review?(doug.turner)
|
|
Assignee | |
Comment 1•7 years ago
|
||
address value in AudioManager::Observe has use after free. This is possible crash code.
|
||
Comment 3•7 years ago
|
||
other way around, of course.
|
|
||
Comment 4•7 years ago
|
||
Comment on attachment 748718 [details] [diff] [review] fix Review of attachment 748718 [details] [diff] [review]: ----------------------------------------------------------------- I *hate* our string classes. ::: dom/system/gonk/nsVolumeService.cpp @@ -192,5 @@ > > NS_IMETHODIMP > nsVolumeService::GetVolumeByPath(const nsAString& aPath, nsIVolume **aResult) > { > - nsCString utf8Path = NS_ConvertUTF16toUTF8(aPath); Don't we have this pattern everywhere?
|
|
Assignee | |
Comment 5•7 years ago
|
||
String API is complex... (In reply to Doug Turner (:dougt) from comment #4) > Comment on attachment 748718 [details] [diff] [review] > fix > > Review of attachment 748718 [details] [diff] [review]: > ----------------------------------------------------------------- > > I *hate* our string classes. > > ::: dom/system/gonk/nsVolumeService.cpp > @@ -192,5 @@ > > > > NS_IMETHODIMP > > nsVolumeService::GetVolumeByPath(const nsAString& aPath, nsIVolume **aResult) > > { > > - nsCString utf8Path = NS_ConvertUTF16toUTF8(aPath); > > Don't we have this pattern everywhere? Years ago, although I clean up many code for this case, but I don't know now. This pattern means, NS_ConvertUTF18toUTF8 str(aPath); nsCString utf8Path(str); str.~str(); So This allocate unnecessary string object. It is wasteful.
|
|
||
Updated•7 years ago
|
Attachment #748718 -
Flags: review?(doug.turner) → review?(dbaron)
|
||
Comment 6•7 years ago
|
||
Comment on attachment 748718 [details] [diff] [review] fix r=dbaron At least only the first one looks like it's fixing a crash.
Attachment #748718 -
Flags: review?(dbaron) → review+
|
||
Updated•7 years ago
|
Keywords: csec-uaf,
sec-critical
|
|
||
Updated•7 years ago
|
status-b2g18:
--- → affected
status-firefox22:
--- → wontfix
status-firefox23:
--- → wontfix
status-firefox24:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-b2g18:
--- → ?
tracking-firefox24:
--- → ?
|
|
Assignee | |
Comment 7•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/92ba04c3ee67
Target Milestone: --- → mozilla24
|
|
Assignee | |
Comment 8•7 years ago
|
||
|
|
Assignee | |
Comment 9•7 years ago
|
||
Comment on attachment 757756 [details] [diff] [review] for b2g18 NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 794903 and Bug 796300 User impact if declined: possible crash due to use-after-free bug Testing completed: landed in m-i Risk to taking this patch (and alternatives if risky): low String or UUID changes made by this patch: no
Attachment #757756 -
Flags: approval-mozilla-b2g18?
|
||
Updated•7 years ago
|
|
|
||
Updated•7 years ago
|
Attachment #757756 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
|
||
Comment 11•7 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g18/rev/0539d7c8c001
status-b2g18-v1.0.0:
--- → wontfix
status-b2g18-v1.0.1:
--- → affected
status-b2g-v1.1hd:
--- → affected
|
||
Updated•6 years ago
|
Whiteboard: [adv-main24+]
|
||
Updated•5 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•