Closed Bug 311629 Opened 19 years ago Closed 19 years ago

stack overflow (in UnaryExpr? )

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Windows XP
defect

Tracking

VERIFIED FIXED
mozilla1.8rc1

People

(Reporter: Mook, Assigned: mrbkap)

Details

(Keywords: crash, verified1.8)

Attachments

(1 file)

Tested to occur on:
1.0.7 (Win32, release);
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1

Steps to reproduce:
1. perl -e 'print "+ " x 60000 ;' > test.txt
  1a. Somehow get a string of "+ " repeated 60 000 times otherwise :)
2. copy the contents of test.txt into the JS console and click on Evaluate
3. crash

Expected Results:
Error in JS console, and not crash.

Actual Results:
Crash

Discussion:
This is remotely exploitable (crash also happens in <script> tags on content
pages).  Dataloss, I guess.

First few lines of talkback: (TB10376057Q, TB10376528Q, TB10376612X)
GetChar [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 362]
js_GetToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 1294]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
... etc.  Same stack (different line numbers - 303/774/2592) for 1.0.7

(Thanks to Tonglebeak and ispiked on #firefox for the help)
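The crash in the report is a recursive-descent parser running out of stack: each unary "+" costs one UnaryExpr frame, so 60 000 of them exhaust the thread stack before a syntax error is ever reached, and the fix is a recursion-depth check. The following is an added illustration in C, not code from this bug, its attachment, or SpiderMonkey: a toy parser for chains of unary "+"/"-" in front of a number, written once without a bound (the shape of the crashing path) and once with a depth guard in the spirit of the CHECK_RECURSION fix, so the deep input becomes a reported error instead of a crash. MAX_UNARY_DEPTH, the PARSE_* codes, evaluate() and make_plus_run() are names and values assumed for the example; the page does not give SpiderMonkey's real limit.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this example; SpiderMonkey's real bound is not on the page. */
#define MAX_UNARY_DEPTH 1000

enum { PARSE_OK = 0, PARSE_SYNTAX_ERROR = 1, PARSE_TOO_MUCH_RECURSION = 2 };

typedef struct {
    const char *src;
    size_t pos;
    int depth;   /* current nesting of unary_expr frames (guarded parser only) */
    int error;   /* one of the PARSE_* codes; set once and never cleared */
} Parser;

static void skip_ws(Parser *p) {
    while (p->src[p->pos] == ' ' || p->src[p->pos] == '\n') p->pos++;
}

/* Primary expression: an unsigned decimal literal. Anything else is a syntax error. */
static long primary(Parser *p) {
    long v = 0;
    skip_ws(p);
    if (!isdigit((unsigned char)p->src[p->pos])) { p->error = PARSE_SYNTAX_ERROR; return 0; }
    while (isdigit((unsigned char)p->src[p->pos])) v = v * 10 + (p->src[p->pos++] - '0');
    return v;
}

/* Shape of the crashing path: every unary '+' or '-' recurses once, so "+ " repeated
 * 60000 times needs 60000 stack frames and nothing stops the descent. */
static long unary_expr_unguarded(Parser *p) {
    skip_ws(p);
    if (p->src[p->pos] == '+') { p->pos++; return unary_expr_unguarded(p); }
    if (p->src[p->pos] == '-') { p->pos++; return -unary_expr_unguarded(p); }
    return primary(p);
}

/* Same grammar with a recursion check on entry: once the nesting reaches the limit
 * the parser records an error and unwinds instead of exhausting the stack. */
static long unary_expr_guarded(Parser *p) {
    long v;
    if (p->depth >= MAX_UNARY_DEPTH) { p->error = PARSE_TOO_MUCH_RECURSION; return 0; }
    p->depth++;
    skip_ws(p);
    if (p->src[p->pos] == '+')      { p->pos++; v = unary_expr_guarded(p); }
    else if (p->src[p->pos] == '-') { p->pos++; v = -unary_expr_guarded(p); }
    else                            v = primary(p);
    p->depth--;
    return v;
}

/* Parse and evaluate src with the guarded or unguarded parser.
 * Returns a PARSE_* code; *out receives the value only on PARSE_OK. */
int evaluate(const char *src, int guarded, long *out) {
    Parser p = { src, 0, 0, PARSE_OK };
    long v = guarded ? unary_expr_guarded(&p) : unary_expr_unguarded(&p);
    if (p.error == PARSE_OK) {
        skip_ws(&p);
        if (p.src[p.pos] != '\0') p.error = PARSE_SYNTAX_ERROR;  /* trailing input */
    }
    if (p.error == PARSE_OK && out) *out = v;
    return p.error;
}

/* Constructed input in the shape of the reproducer: "+ " repeated n times, followed
 * by the literal "1" so the expression is otherwise well formed. Caller frees it. */
char *make_plus_run(size_t n) {
    char *s = malloc(2 * n + 2);
    if (!s) return NULL;
    for (size_t i = 0; i < n; i++) { s[2 * i] = '+'; s[2 * i + 1] = ' '; }
    s[2 * n] = '1';
    s[2 * n + 1] = '\0';
    return s;
}

int main(void) {
    long v = 0;
    char *deep = make_plus_run(60000);
    int rc = evaluate(deep, 1, &v);
    printf("guarded parser on 60000 unary '+': rc=%d (%s)\n", rc,
           rc == PARSE_TOO_MUCH_RECURSION ? "too much recursion, no crash" : "unexpected");
    free(deep);
    return 0;
}
```

The guard is deliberately placed at function entry and paired with a decrement on every exit path, so the count reflects live frames rather than total calls; a check that only ran after the recursive call would still let the stack blow before it fired. The unguarded variant is kept for comparison with shallow input only.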
On IRC, #content,
[   brendan]: so r=me on the CHECK_RECURSION
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #198894 - Flags: review+
Attachment #198894 - Attachment description: Add a neede check → Add a needed check
Severity: normal → critical
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-311629.js,v  <--  regress-311629.js
initial revision: 1.1
Flags: testcase+
Ideally safe fix for 1.8rc1.  This should go on the trunk ASAP.  Thanks,

/be
Flags: blocking1.8rc1+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #198894 - Flags: approval1.8rc1?
Should this go on the 1.7/aviary branches as well?
(In reply to comment #5)
> Should this go on the 1.7/aviary branches as well?

Can't hurt, but it's not needed for security against remote exploit, or for XSS
or privacy protection -- just for DOS prevention.

/be
Attachment #198894 - Flags: approval1.8rc1? → approval1.8rc1+
Blake, can you get this checked into the branch? Thanks.
Checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED