Closed
Bug 246450
Opened 20 years ago
Closed 20 years ago
Guard against buffer overruns in nsScanner::Append
Categories
(Core :: Internationalization, defect)
RESOLVED DUPLICATE of bug 244177
People
(Reporter: smontagu, Assigned: smontagu)
Details
(Whiteboard: [sg:dupe 244177])
Spin off from bug 246194. The allocated length of the destination buffer in nsScanner::Append is calculated by the GetMaxLength() methods of the individual converters. If the conversion fails, the scanner appends replacement characters to the buffer without doing any length checking.
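The pattern in the description, sketched as an added example (not Mozilla's code and not part of the original report). The two-byte toy encoding and the names `MaxLength`, `ToyDecode` and `AppendChecked` are hypothetical, and the example assumes the size estimate only bounds output for input that converts cleanly.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical toy encoding: two bytes per character, lead byte 0x21..0x7E.
// MaxLength() bounds the output only for input that converts successfully.
static size_t MaxLength(size_t srcLen) { return (srcLen + 1) / 2; }

// Decodes until the first invalid lead byte, a truncated pair, or a full dst.
// Returns true only when all of src was consumed.
static bool ToyDecode(const uint8_t* src, size_t srcLen, size_t* consumed,
                      char16_t* dst, size_t dstCap, size_t* written) {
  size_t i = 0, o = 0;
  while (i + 1 < srcLen && o < dstCap) {
    if (src[i] < 0x21 || src[i] > 0x7E) break;  // invalid lead byte
    dst[o++] = static_cast<char16_t>((src[i] << 8) | src[i + 1]);
    i += 2;
  }
  *consumed = i;
  *written = o;
  return i == srcLen;
}

// Append with a capacity check in front of every write, replacement included.
static std::vector<char16_t> AppendChecked(const uint8_t* src, size_t srcLen) {
  std::vector<char16_t> buf(MaxLength(srcLen));
  size_t in = 0, out = 0;
  while (in < srcLen) {
    if (out == buf.size()) buf.resize(buf.size() * 2 + 1);  // grow first
    size_t consumed = 0, written = 0;
    bool done = ToyDecode(src + in, srcLen - in, &consumed,
                          buf.data() + out, buf.size() - out, &written);
    in += consumed;
    out += written;
    if (done || out == buf.size()) continue;  // finished, or full: grow, retry
    // Decoder stopped on bad input. Without the checks above, this write is
    // the unchecked append: one U+FFFD per bad byte can exceed MaxLength().
    buf[out++] = 0xFFFD;  // safe: out < buf.size() is guaranteed here
    ++in;                 // skip the offending byte
  }
  buf.resize(out);
  return buf;
}

int main() {
  const uint8_t bad[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};  // constructed
  std::printf("estimate=%zu produced=%zu\n", MaxLength(6), AppendChecked(bad, 6).size());
}
```

With six invalid bytes the estimate is three code units while the output needs six, which is why the replacement-character path needs its own capacity check rather than relying on the converter's estimate.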
Comment 1•20 years ago
We have a bug on this already, somewhere.
Comment 2•20 years ago (Assignee)
Oops, so we do; I was even cc-ed to it already.

*** This bug has been marked as a duplicate of 244177 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Updated•20 years ago
Whiteboard: [sg:dupe 244177]
Updated•19 years ago
Group: security