Anton Bobrov wrote:
Rich, I'm a wee bit confused with the diffs. What has happened
to the original patch with setting rc to LBER_DEFAULT upon *alloc
errors when breaking out? And freeing when realloc fails?
Or am I looking at the wrong diffs?
Sorry. I forgot to update both bugs with the new diffs. They are both
updated now with the new diffs.
Rich Megginson wrote:
Bug 324525: Memory error in ber_get_stringal/ber_bvfree
Bug 324529: ber_scanf() needs to check for NULL return from
malloc/realloc
https://bugzilla.mozilla.org/show_bug.cgi?id=324525
https://bugzilla.mozilla.org/show_bug.cgi?id=324529
The bugs are very closely related, and it's hard to disentangle the
diffs, so two bugs for the price of one.
File: ldap/libraries/liblber/decode.c
Diffs: https://bugzilla.mozilla.org/attachment.cgi?id=209858
If ber_get_stringal encounters a bad BER tag after allocating the berval
but before assigning to the bv_val, it will short circuit and return
leaving the bv_val uninitialized. If the caller then calls ber_bvfree
to free the berval*, it will attempt to free bv_val and therefore free
uninitialized memory. There is a similar problem in ber_scanf in the
'v' case. Memory is allocated for the string array, but the string
being read is not initialized first before calling ber_get_stringa,
which may return in the case of a BER error, which will abort the vector
reading, returning uninitialized memory to the caller to free. We
cannot rely on calloc here since we may use realloc and AFAIK there is
no recalloc.
ber_scanf needs to check for a null return from malloc/realloc and abort
processing of the vector 'v' or 'V'.
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
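The two failure modes Rich describes (a berval handed back with an uninitialized bv_val, and a realloc'd string vector whose new slots are never set before a decode error aborts the loop, plus unchecked malloc/realloc returns) follow one pattern: every pointer the caller might free must be valid or NULL before anything can fail. The following is an added, self-contained sketch of that pattern, not liblber's code and not the patch from the bug. The struct berval layout, the LBER_DEFAULT value, the tiny short-form OCTET STRING reader and the sample byte strings are all constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for liblber's berval and error tag (assumed, not liblber's). */
#define LBER_DEFAULT ((unsigned long) -1)
struct berval { unsigned long bv_len; char *bv_val; };

/* Minimal constructed BER reader: buffer plus cursor. Not liblber's BerElement. */
struct reader { const unsigned char *buf; size_t len; size_t pos; };

/* Read one primitive OCTET STRING (tag 0x04, short-form length only).
   Returns the tag, or LBER_DEFAULT on a bad tag, bad length or truncation. */
static unsigned long read_octet_string(struct reader *r, const unsigned char **out, size_t *n)
{
    if (r->pos + 2 > r->len || r->buf[r->pos] != 0x04) return LBER_DEFAULT;
    size_t len = r->buf[r->pos + 1];
    if (len >= 0x80 || r->pos + 2 + len > r->len) return LBER_DEFAULT;
    *out = r->buf + r->pos + 2; *n = len; r->pos += 2 + len;
    return 0x04;
}

static void bvfree(struct berval *bv) { if (bv) { free(bv->bv_val); free(bv); } }

/* Like ber_get_stringal: on any failure *bvp is NULL and nothing allocated survives,
   so the caller can unconditionally call bvfree(*bvp). bv_val is set to NULL before
   the tag is inspected, so an early return can never leave it uninitialized. */
static unsigned long get_stringal(struct reader *r, struct berval **bvp)
{
    const unsigned char *p; size_t n;
    *bvp = NULL;
    struct berval *bv = malloc(sizeof *bv);
    if (bv == NULL) return LBER_DEFAULT;
    bv->bv_val = NULL; bv->bv_len = 0;
    if (read_octet_string(r, &p, &n) == LBER_DEFAULT) { bvfree(bv); return LBER_DEFAULT; }
    bv->bv_val = malloc(n + 1);
    if (bv->bv_val == NULL) { bvfree(bv); return LBER_DEFAULT; }
    memcpy(bv->bv_val, p, n); bv->bv_val[n] = '\0'; bv->bv_len = n;
    *bvp = bv;
    return 0x04;
}

static void vector_free(char **v) { if (v) { for (size_t i = 0; v[i]; i++) free(v[i]); free(v); } }

/* The 'v' case: grow a NULL-terminated char* array with realloc. realloc does not zero,
   so each new slot is set to NULL before the string is fetched, the old array is kept
   (and freed) when realloc returns NULL, and a decode error frees everything read so far. */
static unsigned long get_stringa_vector(struct reader *r, char ***vp)
{
    char **v = NULL; size_t count = 0;
    *vp = NULL;
    while (r->pos < r->len) {
        const unsigned char *p; size_t n;
        if (read_octet_string(r, &p, &n) == LBER_DEFAULT) goto fail;
        char **nv = realloc(v, (count + 2) * sizeof *nv);
        if (nv == NULL) goto fail;            /* v is still valid; freed below */
        v = nv;
        v[count] = NULL; v[count + 1] = NULL; /* terminator first, then the new slot */
        v[count] = malloc(n + 1);
        if (v[count] == NULL) goto fail;
        memcpy(v[count], p, n); v[count][n] = '\0';
        count++;
    }
    if (v == NULL && (v = calloc(1, sizeof *v)) == NULL) return LBER_DEFAULT;
    *vp = v;
    return 0x04;
fail:
    vector_free(v);
    return LBER_DEFAULT;
}

/* Constructed sample encodings (not taken from the page). */
static const unsigned char GOOD[]    = { 0x04, 0x03, 'a', 'b', 'c', 0x04, 0x02, 'd', 'e' };
static const unsigned char BAD_TAG[] = { 0x04, 0x03, 'a', 'b', 'c', 0x05, 0x00 };
static const unsigned char TRUNC[]   = { 0x04, 0x05, 'a', 'b' };

/* Returns bv_len on success, -1 on error; bvfree on the error path is a safe no-op. */
static long demo_stringal(const unsigned char *buf, size_t len, struct berval **bvp)
{
    struct reader r = { buf, len, 0 };
    if (get_stringal(&r, bvp) == LBER_DEFAULT) { bvfree(*bvp); return -1; }
    return (long) (*bvp)->bv_len;
}

/* Returns the number of strings read, or -1 on error (after which *vp is NULL). */
static long demo_vector(const unsigned char *buf, size_t len, char ***vp)
{
    struct reader r = { buf, len, 0 };
    if (get_stringa_vector(&r, vp) == LBER_DEFAULT) return -1;
    long n = 0; while ((*vp)[n]) n++;
    return n;
}
```

The point of the two invariants (initialize before the first possible failure; on realloc failure keep the old pointer so it can be freed) is that the error path and the success path then need no special knowledge of how far decoding got: a single bvfree or vector_free is always correct.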