Closed Bug 95517 Opened 24 years ago Closed 24 years ago

encodeURI[Component] memory corruption

Product / Component: Core :: JavaScript Engine (defect)
Priority: Not set; Severity: normal
Status: VERIFIED FIXED
Reporter: epstein; Assignee: khanson
Keywords: js1.5
Attachments: 4 files

Encode(), called by encodeURI() and encodeURIComponent(), assumes that a shrinking realloc always returns the same buffer. On Solaris, that is not true for realloc of buffers smaller than 32 bytes, so encodeURI() of a string under 16 (double-byte) characters results in a JSString whose "chars" don't belong to it, leading to possibly corrupt results. I will attach the trivial patch shortly.
Attached patch: patch
Decode() has the same problem. New patch coming.
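The hazard described in the two comments above (Encode() and Decode() discarding the result of a shrinking realloc), as an added C example that is not the bug's patch and not SpiderMonkey's jsstr.c: a toy encodeURIComponent/decodeURIComponent pair that over-allocates its output, fills it, then trims the block with realloc. It works on UTF-8 bytes rather than the double-byte jschar strings of the real engine, and the helper names (shrink_to_fit, encode_component, decode_component) are this example's own. The unreserved set is the one ECMA-262 specifies for encodeURIComponent.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hand back the block to keep using after trimming `buf` to `n` bytes.
 * A shrinking realloc() is allowed to move the block (the Solaris
 * allocator in this bug did so for blocks under 32 bytes), so the caller
 * must adopt the returned pointer.  The original Encode()/Decode() defect,
 * in this example's terms, was the equivalent of
 *     realloc(buf, n);  return buf;
 * which keeps using `buf` even after the allocator has moved the data.
 * A failed shrink leaves the old block intact, so we keep it in that case. */
static char *shrink_to_fit(char *buf, size_t n)
{
    char *moved = realloc(buf, n);
    return moved != NULL ? moved : buf;
}

/* Unreserved set of ECMA-262 encodeURIComponent: alphanumerics and -_.!~*'() */
static int is_unreserved(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("-_.!~*'()", c) != NULL);
}

/* Percent-encode `len` bytes of `src` (treated as UTF-8 bytes, a
 * simplification of the jschar strings in jsstr.c).  Returns a malloc'd
 * NUL-terminated string sized exactly to its contents, or NULL. */
char *encode_component(const char *src, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t out = 0;
    char *buf = malloc(len * 3 + 1);   /* worst case: every byte -> %XX */

    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (is_unreserved(c)) {
            buf[out++] = (char)c;
        } else {
            buf[out++] = '%';
            buf[out++] = hex[c >> 4];
            buf[out++] = hex[c & 0x0F];
        }
    }
    buf[out] = '\0';
    return shrink_to_fit(buf, out + 1);   /* adopt whatever realloc returns */
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Inverse of encode_component.  Returns NULL on a malformed escape (where
 * decodeURIComponent would throw URIError) or on allocation failure. */
char *decode_component(const char *src, size_t len)
{
    size_t out = 0;
    char *buf = malloc(len + 1);       /* output never exceeds the input */

    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '%') {
            int hi, lo;
            if (i + 2 >= len || (hi = hexval((unsigned char)src[i + 1])) < 0
                || (lo = hexval((unsigned char)src[i + 2])) < 0) {
                free(buf);
                return NULL;
            }
            buf[out++] = (char)((hi << 4) | lo);
            i += 2;
        } else {
            buf[out++] = src[i];
        }
    }
    buf[out] = '\0';
    return shrink_to_fit(buf, out + 1);   /* same pattern as the encoder */
}

int main(void)
{
    const char sample[] = "a b&c=\xC3\xA9";   /* constructed input */
    char *enc = encode_component(sample, strlen(sample));
    char *dec = enc ? decode_component(enc, strlen(enc)) : NULL;

    printf("%s -> %s -> %s\n", sample, enc ? enc : "(null)", dec ? dec : "(null)");
    free(enc);
    free(dec);
    return 0;
}
```

The point is in shrink_to_fit: the realloc result is the only pointer that is valid afterwards, and a NULL result on a shrink means the old block is still live, so neither the returned pointer nor the old one may be assumed to be the same buffer. A short output (here, anything under a few dozen bytes) is exactly where an allocator is most likely to relocate the block into a smaller size class, which is why the bug only showed up for short strings.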
Formally confirming; reassigning to khanson; cc'ing Brendan -
Assignee: rogerl → khanson
Status: UNCONFIRMED → NEW
Ever confirmed: true
Shrinking reallocs are allowed to move, indeed. r/sr=brendan@mozilla.org on Mike's last patch (although prevailing style puts a space after the cast, and in the cast before the * -- (jschar *) JS_realloc(...) -- style nit of the day). /be
Let's get this in ASAP for 0.9.4, no reason to miss that boat. /be
Keywords: js1.5, mozilla0.9.4
Just need an r=, I'll do the checkin. Sorry for the spam! /be
Looking for another sr=, as well as r=. /be
r/sr=jband
Fix checked in. /be
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking Verified -
Status: RESOLVED → VERIFIED