tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit d5c0b2a58e569fb04262b8d8f5ddcb9e5857d264
parent b55def863513a55dff1de8e1992b2f46e15febad
Author: Mike Hommey <mh+mozilla@glandium.org>
Date:   Fri,  2 Jan 2026 09:56:40 +0000

Bug 2007971 - Don't use UrlpOptions uninitialized. r=necko-reviewers,kershaw

Ultimately, we end up on this code on the rust end of the FFI:

  let flags = if options.ignore_case { "ui" } else { "u" };

and the rust compiler optimizes the string length initialization to

  options.ignore_case + 1

When the UrlpOptions is uninitialized, `ignore_case` can be a value
different from the expected 0 or 1, leading to a string length bigger
than it's supposed to be, leading to a buffer overflow reading the
string.

Differential Revision: https://phabricator.services.mozilla.com/D277633

Diffstat:
M netwerk/cache2/Dictionary.cpp | 2 +-
M netwerk/protocol/http/nsHttpChannel.cpp | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/netwerk/cache2/Dictionary.cpp b/netwerk/cache2/Dictionary.cpp @@ -168,7 +168,7 @@ bool DictionaryCacheEntry::Match(const nsACString& aFilePath, dom::InternalRequest::MapContentPolicyTypeToRequestDestination( aType)) != mMatchDest.NoIndex) { UrlpPattern pattern; - UrlpOptions options; + UrlpOptions options{}; const nsCString base(mURI); if (!urlp_parse_pattern_from_string(&mPattern, &base, options, &pattern)) { diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp @@ -6276,7 +6276,7 @@ bool nsHttpChannel::ParseDictionary(nsICacheEntry* aEntry, // Verify if the matchVal has regexp groups. If so, reject it UrlpPattern pattern; - UrlpOptions options; + UrlpOptions options{}; if (!urlp_parse_pattern_from_string(&matchVal, &mSpec, options, &pattern)) { LOG_DICTIONARIES( ("Failed to parse dictionary pattern %s", matchVal.get()));
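Review bot: In the Dictionary.cpp hunk (DictionaryCacheEntry::Match), `UrlpPattern pattern;` directly above the fixed line is still declared without an initializer. It is passed as `&pattern`, so it looks like an output the callee fills in, but nothing visible here says whether it is written when `urlp_parse_pattern_from_string` returns false. `UrlpPattern pattern{};` would cost nothing and keeps both FFI structs in this block value-initialized; failing that, a short comment that `pattern` is write-only for the callee would settle the question for the next reader.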
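Review bot: In the nsHttpChannel.cpp hunk (nsHttpChannel::ParseDictionary), nothing at `UrlpOptions options{};` tells a future reader that the braces are load-bearing, and the same one-character fix had to be repeated in Dictionary.cpp, so correctness depends on every call site remembering `{}`. Consider giving the struct's fields default initializers where `UrlpOptions` is declared, or adding a small helper that returns a value-initialized `UrlpOptions`, so that a plain `UrlpOptions options;` cannot carry an indeterminate `ignore_case` across the FFI. If the declaration cannot be changed, a one-line comment at each call site explaining why value-initialization is required would keep a later cleanup from dropping it, and any other callers of `urlp_parse_pattern_from_string` outside this diff are worth checking for the same pattern.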