Bug 1037898 (Closed) - CID 1136430: Out-of-bounds access as found by Coverity
Opened 10 years ago, closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla33
People: Reporter: gkw, Assigned: bhackett1024
References: Blocks 1 open bug
Keywords: coverity
Attachments: 1 file (1.05 KB, patch; jandem: review+)
Description (10 years ago):

+++ This bug was initially created as a clone of Bug #1037890 +++

Coverity analysis of source code in js/src has found an Out-of-bounds access.

3656     if (!typeScript)
3657         return false;
3658
3659     new(typeScript) TypeScript();
3660
    2. derived_to_base: Converting derived class pointer typeScript->typeArray() of type js::types::ConstraintTypeSet * (24 bytes) to base class pointer type js::types::TypeSet * (16 bytes).
    3. assign: Assigning: typeArray = typeScript->typeArray().
3661     TypeSet *typeArray = typeScript->typeArray();
3662
    4. Condition i < count, taking true branch
3663     for (unsigned i = 0; i < count; i++)
    CID 1136430 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)
    5. ptr_arith: Using typeArray as an array. This might corrupt or misinterpret adjacent memory locations.
3664         new (&typeArray[i]) StackTypeSet();
3665
3666     types = typeScript;

in file js/src/jsinfer.cpp.

Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)
Flags: needinfo?(jdemooij)
Updated 10 years ago:
Group: javascript-core-security
Comment 1 (10 years ago):

Clever find. TypeScript is zero-initialized and the TypeSet/StackTypeSet constructors also write zero so I *think* this is harmless atm. Looks like

    TypeSet *typeArray = typeScript->typeArray();

should be StackTypeSet *typeArray.
Flags: needinfo?(jdemooij) → needinfo?(bhackett1024)
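What Coverity's ARRAY_VS_SINGLETON finding means in practice, as an added example that is not part of this bug or of SpiderMonkey: two hypothetical stand-in classes with the 16-byte base and 24-byte derived sizes from the report (the real ConstraintTypeSet layer is left out), the same initialization loop run once through a base-class pointer (the flagged form) and once through the derived pointer (the fix comment 1 suggests), and a check of which slots end up holding a fully constructed object. The class layouts, constructor values, buffer and helper names are all constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Hypothetical stand-ins for js::types::TypeSet / StackTypeSet (not the real
// classes): a 16-byte base and a 24-byte derived class, the sizes Coverity
// reported. Fixed-width fields keep the sizes identical on every platform.
// Unlike the real constructors, these write non-zero values so that a
// misplaced construction becomes visible.
struct TypeSet {
    uint64_t flags;
    uint64_t objectSet;
    TypeSet() : flags(1), objectSet(2) {}
};
struct StackTypeSet : TypeSet {
    uint64_t extra;
    StackTypeSet() : extra(3) {}
};
static_assert(sizeof(TypeSet) == 16, "base must be 16 bytes to match the report");
static_assert(sizeof(StackTypeSet) == 24, "derived must be 24 bytes to match the report");

enum { kMaxCount = 8 };

// Runs the jsinfer.cpp-style initialization loop over a zeroed buffer of
// `count` StackTypeSet slots and returns how many slots afterwards hold a
// fully constructed object ({1, 2, 3}). `viaBasePointer` selects the flagged
// form (TypeSet *typeArray) or the corrected form (StackTypeSet *typeArray).
unsigned countIntactElements(bool viaBasePointer, unsigned count) {
    if (count == 0 || count > kMaxCount)
        return 0;
    alignas(StackTypeSet) unsigned char storage[sizeof(StackTypeSet) * kMaxCount];
    std::memset(storage, 0, sizeof storage);      // like the zero-initialized TypeScript
    StackTypeSet *slots = reinterpret_cast<StackTypeSet *>(storage);

    if (viaBasePointer) {
        // derived_to_base: &typeArray[i] now advances sizeof(TypeSet) = 16 bytes
        // per element, so object i is built 8*i bytes short of slot i and its
        // last 8 bytes overlap the start of the object built for slot i+1.
        TypeSet *typeArray = slots;
        for (unsigned i = 0; i < count; i++)
            new (&typeArray[i]) StackTypeSet();
    } else {
        StackTypeSet *typeArray = slots;          // correct 24-byte stride
        for (unsigned i = 0; i < count; i++)
            new (&typeArray[i]) StackTypeSet();
    }

    // Read each slot back as raw words so the check does not depend on which
    // object the compiler considers alive at a given address.
    unsigned intact = 0;
    for (unsigned i = 0; i < count; i++) {
        uint64_t words[3];
        std::memcpy(words, storage + i * sizeof(StackTypeSet), sizeof words);
        if (words[0] == 1 && words[1] == 2 && words[2] == 3)
            intact++;
    }
    return intact;
}

// How far short of its slot each successive element lands when the array is
// indexed through the base pointer: the difference between the two strides.
size_t strideError() {
    return sizeof(StackTypeSet) - sizeof(TypeSet);
}

int main() {
    for (unsigned n = 1; n <= 4; n++)
        std::printf("count=%u  via base pointer: %u intact  via derived pointer: %u intact\n",
                    n, countIntactElements(true, n), countIntactElements(false, n));
    std::printf("stride error per element: %zu bytes\n", strideError());
    return 0;
}
```

With a single element the two forms are indistinguishable, because the first object is placed at offset 0 either way; from two elements on, every object constructed through the base pointer overwrites the tail of the previous one and leaves the slot layout the rest of the code expects unfilled. This is also why the bug was harmless in jsinfer.cpp: with zeroed storage and constructors that only write zero, every misplaced store writes the bytes that were already there, so nothing observable changes until the constructors or the surrounding memory are non-zero.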
Comment 2 (assignee, 10 years ago):

Yeah, this is harmless.
Assignee: nobody → bhackett1024
Attachment #8456528 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Updated 10 years ago (assignee):
Group: core-security
Updated 10 years ago:
Attachment #8456528 - Flags: review?(jdemooij) → review+
Comment 3 (assignee, 10 years ago):

https://hg.mozilla.org/integration/mozilla-inbound/rev/2f62414fe13f
https://hg.mozilla.org/mozilla-central/rev/2f62414fe13f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Updated 6 years ago:
Blocks: coverity-analysis