Closed Bug 871462 Opened 7 years ago Closed 7 years ago

Clean up String API usages for dom/system/gonk

Categories

(Core :: DOM: Device Interfaces, defect)

All
Gonk (Firefox OS)
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla24
Tracking Status
firefox22 --- wontfix
firefox23 --- wontfix
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 + fixed
b2g18-v1.0.0 --- wontfix
b2g18-v1.0.1 --- affected
b2g-v1.1hd --- fixed

People

(Reporter: m_kato, Assigned: m_kato)

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main24+])

Attachments

(2 files)

Attached patch fixSplinter Review
No description provided.
Attachment #748718 - Flags: review?(doug.turner)
address value in AudioManager::Observe has use after free.  This is possible crash code.
free after use is Security-Sensitive.
Group: core-security
other way around, of course.
Comment on attachment 748718 [details] [diff] [review]
fix

Review of attachment 748718 [details] [diff] [review]:
-----------------------------------------------------------------

I *hate* our string classes.

::: dom/system/gonk/nsVolumeService.cpp
@@ -192,5 @@
>  
>  NS_IMETHODIMP
>  nsVolumeService::GetVolumeByPath(const nsAString& aPath, nsIVolume **aResult)
>  {
> -  nsCString utf8Path = NS_ConvertUTF16toUTF8(aPath);

Don't we have this pattern everywhere?
String API is complex...

(In reply to Doug Turner (:dougt) from comment #4)
> Comment on attachment 748718 [details] [diff] [review]
> fix
> 
> Review of attachment 748718 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> I *hate* our string classes.
> 
> ::: dom/system/gonk/nsVolumeService.cpp
> @@ -192,5 @@
> >  
> >  NS_IMETHODIMP
> >  nsVolumeService::GetVolumeByPath(const nsAString& aPath, nsIVolume **aResult)
> >  {
> > -  nsCString utf8Path = NS_ConvertUTF16toUTF8(aPath);
> 
> Don't we have this pattern everywhere?

Years ago, although I clean up many code for this case, but I don't know now.

This pattern means,

NS_ConvertUTF18toUTF8 str(aPath);
nsCString utf8Path(str);
str.~str();

So This allocate unnecessary string object.  It is wasteful.
Attachment #748718 - Flags: review?(doug.turner) → review?(dbaron)
Comment on attachment 748718 [details] [diff] [review]
fix

r=dbaron

At least only the first one looks like it's fixing a crash.
Attachment #748718 - Flags: review?(dbaron) → review+
Attached patch for b2g18Splinter Review
Comment on attachment 757756 [details] [diff] [review]
for b2g18

NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 794903 and Bug 796300
User impact if declined: possible crash due to use-after-free bug
Testing completed: landed in m-i
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: no
Attachment #757756 - Flags: approval-mozilla-b2g18?
https://hg.mozilla.org/mozilla-central/rev/92ba04c3ee67
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Attachment #757756 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Whiteboard: [adv-main24+]
Group: core-security
You need to log in before you can comment on or make changes to this bug.