Closed Bug 246450 Opened 20 years ago Closed 20 years ago

Guard against buffer overruns in nsScanner::Append

Tracking

()

Status:

RESOLVED DUPLICATE of bug 244177

People

(Reporter: smontagu, Assigned: smontagu)

References

(
URL
)

Details

(Whiteboard: [sg:dupe 244177])

Simon Montagu :smontagu

Assignee

Description

•

20 years ago

Spin off from bug 246194.

The allocated length of the destination buffer in nsScanner::Append is
calculated by the GetMaxLength() methods of the individual converters. If the
conversion fails, the scanner appends replacement characters to the buffer
without doing any length checking.

Boris Zbarsky [:bzbarsky]

Comment 1

•

20 years ago

We have a bug on this already, somewhere.

Simon Montagu :smontagu

Assignee

Comment 2

•

20 years ago

Oops, so we do; I was even cc-ed to it already.

*** This bug has been marked as a duplicate of 244177 ***

Status: NEW → RESOLVED

Closed: 20 years ago

Resolution: --- → DUPLICATE

Daniel Veditz [:dveditz]

Updated

•

20 years ago

Whiteboard: [sg:dupe 244177]

Daniel Veditz [:dveditz]

Updated

•

19 years ago

Group: security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Guard against buffer overruns in nsScanner::Append

Categories

(Core :: Internationalization, defect)

Tracking

()

People

(Reporter: smontagu, Assigned: smontagu)

References

(
URL
)

Details

(Whiteboard: [sg:dupe 244177])

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Updated

Updated