Closed Bug 1019940 Opened 11 years ago Closed 4 years ago

Buffer overflow in ucol_buildPermutationTable

Categories

(Core :: JavaScript: Internationalization API, defect)

Product:
Core
Component:
JavaScript: Internationalization API
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mccr8, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, csectype-bounds, sec-low)

reorderCode can end up being equal to 256, so we end up writing a 1 right past the end of the array. Doesn't seem like it could be super dangerous. code: // lead bytes that have alread been assigned to the permutation table bool newLeadByteUsed[256]; ... int reorderCode = 0; for (int i = 0; i < 256; i++) { if (!permutationSlotFilled[i]) { while (reorderCode < 256 && newLeadByteUsed[reorderCode]) { reorderCode++; } ... newLeadByteUsed[reorderCode] = true;
Keywords: sec-low
Group: core-security → javascript-core-security

Fixed by Bug 1075758 (Update ICU to 55.1)

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: javascript-core-security → core-security-release
Depends on: 1075758
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.