| author | John M. Schanck <jschanck@mozilla.com> | 2022-03-23 18:07:30 +0000 |
|---|---|---|
| committer | John M. Schanck <jschanck@mozilla.com> | 2022-03-23 18:07:30 +0000 |
| commit | abb64a86f852793998bd67100aec58405fb4b9d7 (patch) | |
| tree | a7fe4deaa8c83d208b1fb81ff832e00ce1accf64 | |
| parent | a02dc073b60adaf989c3c970b7282bfeb3933812 (diff) | |
| download | nss-hg-abb64a86f852793998bd67100aec58405fb4b9d7.tar.gz | |
Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. r=rrelyea
The `stateEnd->parent != state` check was added in Bug 95458 to avoid a crash
in `sec_asn1d_free_child`. The diagnosis in Bug 95458 is incorrect---the crash
was actually due to a `PORT_Assert(0)` that was meant to highlight a memory
leak when `SEC_ASN1DecoderStart` was called with `their_pool==NULL`. The
offending assertion was removed in Bug 95311, which makes the `stateEnd` check
obsolete. In Bug 1753535 it was observed that the `stateEnd` check could read
from a poisoned region of an arena when the decoder was used in a streaming
mode. This read-after-poison could lead to an arena memory leak, although this
is mitigated by the fact that the read-after-poison is on an error-handling path
where the caller typically frees the entire arena.
Differential Revision: https://phabricator.services.mozilla.com/D140861
-rw-r--r-- | lib/util/secasn1d.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c index bb1887f7c..9b5586228 100644 --- a/lib/util/secasn1d.c +++ b/lib/util/secasn1d.c @@ -2750,7 +2750,6 @@ SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx, sec_asn1d_state *state = NULL; unsigned long consumed; SEC_ASN1EncodingPart what; - sec_asn1d_state *stateEnd = cx->current; if (cx->status == needBytes) cx->status = keepGoing; @@ -2939,7 +2938,7 @@ SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx, } if (cx->status == decodeError) { - while (state != NULL && stateEnd->parent != state) { + while (state != NULL) { sec_asn1d_free_child(state, PR_TRUE); state = state->parent; } |
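Review bot: the removal of `sec_asn1d_state *stateEnd = cx->current;` in the first hunk (line 2753) is required once the loop in the second hunk stops reading `stateEnd`, since an unused local would otherwise trip `-Wunused-variable` builds; it is worth confirming that nothing in the unshown body between the two hunks (lines 2757 through 2938) still references `stateEnd`, as that region is not part of this diff.

Review bot: in the second hunk the unwind loop now walks from `state` all the way to the root via `state->parent`, and each iteration reads `state->parent` immediately after `sec_asn1d_free_child(state, PR_TRUE)`. That ordering predates this change, but with the `stateEnd->parent != state` bound gone it is the only thing keeping the loop finite and memory-safe, so a one-line comment on the loop (or a sentence in the commit message) stating that `sec_asn1d_free_child` does not release `state` itself would help future readers. Since the motivating bug was a read from a poisoned arena region in streaming mode, a regression test that feeds malformed input to the decoder through the streaming interface under ASan or arena poisoning would confirm the error path no longer touches freed memory.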