New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 776293 link

Starred by 1 user
Status: Fixed
Owner:
roc...@chromium.org
please use my google.com address
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Posible access to unintended variable in "mojo/edk/system/core.cc" line 971

Reported by pet...@gmail.com, Oct 19 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce the problem:
While experimenting with a CodeSonar plugin we develop, we noticed a
potential bug in file "mojo/edk/system/core.cc" line 971 method Core::DuplicateBufferHandle

*new_buffer_handle = AddDispatcher(new_dispatcher);
if (*new_buffer_handle == MOJO_HANDLE_INVALID) {
    LOG(ERROR) << "Handle table full";
    dispatcher->Close();                     //HERE
    return MOJO_RESULT_RESOURCE_EXHAUSTED;
}

Shouldn't new_dispatcher be closed (instead of dispatcher) since it is the one that cannot be added to the table? 

Thanks,
Petru Florin Mihancea

What is the expected behavior?

What went wrong?
The problem has been detected automatically via static analysis.

Did this work before? N/A 

Chrome version: Master branch  Channel: n/a
OS Version: OS X 10.12
Flash Version: Shockwave Flash 27.0 r0

Comment 1 by rsesek@chromium.org, Oct 20 2017

Components: Internals>Mojo
Labels: -OS-Mac

Comment 2 by yzshen@chromium.org, Oct 20 2017

Cc: roc...@chromium.org

Comment 3 by roc...@chromium.org, Oct 23 2017

Cc: -roc...@chromium.org
Owner: roc...@chromium.org
Status: Started (was: Unconfirmed)
Thanks, good catch! This is code definitely incorrect as-is.
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/027bc13a7481ee005d535e7fcd433990a0924343

commit 027bc13a7481ee005d535e7fcd433990a0924343
Author: Ken Rockot <rockot@chromium.org>
Date: Mon Oct 23 19:45:44 2017

Fix MojoDuplicateBufferHandle failure behavior

If handle duplication fails due to handle exhaustion we would
incorrectly close the source handle's dispatcher rather than
the newly allocated dispatcher. That's no good, and this does the
right thing instead.

In practice it's unlikely that an instance of Chrome has ever
actually run out of Mojo handles (and many other things would
break as a result in that case anyway), so this is merely fixing
a hypothetical bug.

Bug:  776293 
Change-Id: I4872d10b7261721d6f99836ec95c80d4ed385d77
Reviewed-on: https://chromium-review.googlesource.com/733851
Reviewed-by: Jay Civelli <jcivelli@chromium.org>
Commit-Queue: Ken Rockot <rockot@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510876}
[modify] https://crrev.com/027bc13a7481ee005d535e7fcd433990a0924343/mojo/edk/system/core.cc

Comment 5 by roc...@chromium.org, Oct 23 2017

Status: Fixed (was: Started)

Sign in to add a comment