Closed
Bug 871462
Opened 12 years ago
Closed 12 years ago
Clean up String API usages for dom/system/gonk
Categories
(Core :: DOM: Device Interfaces, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
People
(Reporter: m_kato, Assigned: m_kato)
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main24+])
Attachments
(2 files)
4.98 KB,
patch
|
dbaron
:
review+
|
Details | Diff | Splinter Review |
5.82 KB,
patch
|
akeybl
:
approval-mozilla-b2g18+
|
Details | Diff | Splinter Review |
No description provided.
Assignee | ||
Updated•12 years ago
|
Attachment #748718 -
Flags: review?(doug.turner)
Assignee | ||
Comment 1•12 years ago
|
||
address value in AudioManager::Observe has use after free. This is possible crash code.
Comment 3•12 years ago
|
||
other way around, of course.
Comment 4•12 years ago
|
||
Comment on attachment 748718 [details] [diff] [review]
fix
Review of attachment 748718 [details] [diff] [review]:
-----------------------------------------------------------------
I *hate* our string classes.
::: dom/system/gonk/nsVolumeService.cpp
@@ -192,5 @@
>
> NS_IMETHODIMP
> nsVolumeService::GetVolumeByPath(const nsAString& aPath, nsIVolume **aResult)
> {
> - nsCString utf8Path = NS_ConvertUTF16toUTF8(aPath);
Don't we have this pattern everywhere?
Assignee | ||
Comment 5•12 years ago
|
||
String API is complex...
(In reply to Doug Turner (:dougt) from comment #4)
> Comment on attachment 748718 [details] [diff] [review]
> fix
>
> Review of attachment 748718 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> I *hate* our string classes.
>
> ::: dom/system/gonk/nsVolumeService.cpp
> @@ -192,5 @@
> >
> > NS_IMETHODIMP
> > nsVolumeService::GetVolumeByPath(const nsAString& aPath, nsIVolume **aResult)
> > {
> > - nsCString utf8Path = NS_ConvertUTF16toUTF8(aPath);
>
> Don't we have this pattern everywhere?
Years ago, although I clean up many code for this case, but I don't know now.
This pattern means,
NS_ConvertUTF18toUTF8 str(aPath);
nsCString utf8Path(str);
str.~str();
So This allocate unnecessary string object. It is wasteful.
Updated•12 years ago
|
Attachment #748718 -
Flags: review?(doug.turner) → review?(dbaron)
Comment on attachment 748718 [details] [diff] [review]
fix
r=dbaron
At least only the first one looks like it's fixing a crash.
Attachment #748718 -
Flags: review?(dbaron) → review+
Updated•12 years ago
|
Keywords: csec-uaf,
sec-critical
Updated•12 years ago
|
status-b2g18:
--- → affected
status-firefox22:
--- → wontfix
status-firefox23:
--- → wontfix
status-firefox24:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-b2g18:
--- → ?
tracking-firefox24:
--- → ?
Assignee | ||
Comment 7•12 years ago
|
||
Target Milestone: --- → mozilla24
Assignee | ||
Comment 8•12 years ago
|
||
Assignee | ||
Comment 9•12 years ago
|
||
Comment on attachment 757756 [details] [diff] [review]
for b2g18
NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 794903 and Bug 796300
User impact if declined: possible crash due to use-after-free bug
Testing completed: landed in m-i
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: no
Attachment #757756 -
Flags: approval-mozilla-b2g18?
Comment 10•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Updated•12 years ago
|
Attachment #757756 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Comment 11•12 years ago
|
||
status-b2g18-v1.0.0:
--- → wontfix
status-b2g18-v1.0.1:
--- → affected
status-b2g-v1.1hd:
--- → affected
Comment 12•12 years ago
|
||
Updated•11 years ago
|
Whiteboard: [adv-main24+]
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•