Closed Bug 1212223 Opened 9 years ago Closed 9 years ago

nsMultiMixedConv might call |SendData| with incorrect buffer length

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla44

Tracking Flags:

Tracking

Status

firefox44

---

fixed

People

(Reporter: hchang, Assigned: hchang)

References

Details

Attachments

(1 file, 1 obsolete file)

Bug1212223.patch 9 years ago Henry Chang [:hchang] (deleted), patch	valentin : review+	Details \| Diff \| Splinter Review
Bug1212223.patch (r+'d, add reviewer) 9 years ago Henry Chang [:hchang] (deleted), patch		Details \| Diff \| Splinter Review

Henry Chang [:hchang]

Assignee

Description

•

9 years ago

When we hit [1] (the multipart content has preamble and the first token is probed), we only update the cursor to the first token without updating |bufLen|, which will be incorrectly used to compute the data length of |SendData| in [2] if the first chunk from network doesn't contain the entire subresource. (if the first chunk contains all of the first subresource it would be fine since the callback length is not derived from bufLen.) [1] http://hg.mozilla.org/mozilla-central/file/727d765a5ed8/netwerk/streamconv/converters/nsMultiMixedConv.cpp#l666 [2] http://hg.mozilla.org/mozilla-central/file/727d765a5ed8/netwerk/streamconv/converters/nsMultiMixedConv.cpp#l825

Henry Chang [:hchang]

Assignee

Comment 1

•

9 years ago

Attached patch Bug1212223.patch (obsolete) (deleted) — Details — Splinter Review

Henry Chang [:hchang]

Assignee

Updated

•

9 years ago

Assignee: nobody → hchang

Henry Chang [:hchang]

Assignee

Updated

•

9 years ago

Blocks: nsec-installing

Henry Chang [:hchang]

Assignee

Comment 2

•

9 years ago

Comment on attachment 8670635 [details] [diff] [review] Bug1212223.patch Hi Valentin, Could you please have a review of this patch? To prevent from any potential edge case, I add a couple of different chunks in the test case. Thanks!

Attachment #8670635 - Flags: review?(valentin.gosu)

Henry Chang [:hchang]

Assignee

Comment 3

•

9 years ago

https://treeherder.mozilla.org/#/jobs?repo=try&revision=ace93165cd9a

Valentin Gosu [:valentin] (he/him)

Comment 4

•

9 years ago

Comment on attachment 8670635 [details] [diff] [review] Bug1212223.patch Review of attachment 8670635 [details] [diff] [review]: ----------------------------------------------------------------- Looks good. Nice catch.

Attachment #8670635 - Flags: review?(valentin.gosu) → review+

Henry Chang [:hchang]

Assignee

Comment 5

•

9 years ago

Attached patch Bug1212223.patch (r+'d, add reviewer) (deleted) — Details — Splinter Review

Attachment #8670635 - Attachment is obsolete: true

Henry Chang [:hchang]

Assignee

Comment 6

•

9 years ago

Thank you Valentin :)

Henry Chang [:hchang]

Assignee

Updated

•

9 years ago

Keywords: checkin-needed

Pulsebot

Comment 7

•

9 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/fe4a2767f51f

Keywords: checkin-needed

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 8

•

9 years ago

https://hg.mozilla.org/mozilla-central/rev/fe4a2767f51f

Status: NEW → RESOLVED

Closed: 9 years ago

status-firefox44: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla44

You need to log in before you can comment on or make changes to this bug.

Bugzilla

nsMultiMixedConv might call |SendData| with incorrect buffer length

Categories

(Core :: Networking, defect)

Tracking

()

People

(Reporter: hchang, Assigned: hchang)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file, 1 obsolete file)

Description

Comment 1

Updated

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Comment 7

Comment 8

Attachment

General

Description

File Name

Content Type