Bug 311629 - stack overflow (in UnaryExpr?)
Status: VERIFIED FIXED (Closed)
Opened 19 years ago; Closed 19 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.8rc1
People: Reporter: Mook; Assigned: mrbkap
Keywords: crash, verified1.8
Attachments (1 file): patch, 805 bytes - mrbkap: review+; asa: approval1.8rc1+
Tested to occur on: 1.0.7 (Win32, release); Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1

Steps to reproduce:
1. perl -e 'print "+ " x 60000 ;' > test.txt
1a. Somehow get a string of "+ " repeated 60 000 times otherwise :)
2. copy the contents of test.txt into the JS console and click on Evaluate
3. crash

Expected Results:
Error in JS console, and not crash.

Actual Results:
Crash

Discussion:
This is remotely exploitable (crash also happens in <script> tags on content pages). Dataloss, I guess.

First few lines of talkback: (TB10376057Q, TB10376528Q, TB10376612X)
GetChar [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 362]
js_GetToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 1294]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
... etc.

Same stack (different line numbers - 303/774/2592) for 1.0.7

(Thanks to Tonglebeak and ispiked on #firefox for the help)
Comment 1•19 years ago (Assignee)
On IRC, #content, [brendan]: so r=me on the CHECK_RECURSION
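As an added illustration of the kind of guard comment 1 refers to (this is example code written for this page, not SpiderMonkey's UnaryExpr or the patch attached to the bug), here is a minimal recursive-descent parser in C for prefix unary operators with an explicit recursion budget. Each prefix operator costs one nested unary_expr() frame, which is why the reporter's 60000 "+" tokens recurse 60000 deep in the talkback trace; the budget turns that into an error returned to the caller instead of a native stack overflow. The grammar, the status codes, the helper names and the MAX_UNARY_DEPTH value are all assumptions for the example; repeated_plus() appends an operand to the reporter's "+ " pattern so that short instances parse successfully.

```c
/* Added example, not SpiderMonkey's code or the patch on this bug: a minimal
 * recursive-descent parser for the grammar
 *     unary := ('+' | '-' | '!' | '~') unary | number
 * with an explicit recursion budget, in the spirit of the CHECK_RECURSION
 * guard the fix adds to UnaryExpr. Every prefix operator is one more nested
 * unary_expr() frame, so "+ " repeated 60000 times means 60000 nested calls;
 * the budget makes the parser return an error to its caller instead of letting
 * the C stack overflow. MAX_UNARY_DEPTH is an assumed value for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_UNARY_DEPTH 1000   /* assumed budget; an engine tunes this to its stack */

enum parse_status { PARSE_OK = 0, PARSE_SYNTAX_ERROR = 1, PARSE_TOO_DEEP = 2 };

struct parser {
    const char *src;   /* NUL-terminated source text */
    size_t pos;        /* current offset into src */
    int depth;         /* number of unary_expr frames currently active */
};

static void skip_ws(struct parser *p) {
    while (p->src[p->pos] != '\0' && isspace((unsigned char)p->src[p->pos]))
        p->pos++;
}

/* Parses one unary expression; on PARSE_OK, *out holds its value. */
static enum parse_status unary_expr(struct parser *p, long *out) {
    skip_ws(p);
    char c = p->src[p->pos];
    if (c == '+' || c == '-' || c == '!' || c == '~') {
        /* Recursion guard: refuse before the native stack can run out. */
        if (p->depth >= MAX_UNARY_DEPTH)
            return PARSE_TOO_DEEP;
        p->depth++;
        p->pos++;
        long v = 0;
        enum parse_status st = unary_expr(p, &v);
        p->depth--;
        if (st != PARSE_OK)
            return st;
        switch (c) {
        case '+': *out = v;  break;
        case '-': *out = -v; break;
        case '!': *out = !v; break;
        default:  *out = ~v; break;   /* '~' */
        }
        return PARSE_OK;
    }
    if (isdigit((unsigned char)c)) {
        char *end = NULL;
        *out = strtol(p->src + p->pos, &end, 10);
        p->pos = (size_t)(end - p->src);
        return PARSE_OK;
    }
    return PARSE_SYNTAX_ERROR;   /* unexpected character or end of input */
}

/* Parses the whole string; trailing non-blank input is a syntax error. */
enum parse_status parse_unary(const char *src, long *out) {
    struct parser p = { src, 0, 0 };
    enum parse_status st = unary_expr(&p, out);
    if (st == PARSE_OK) {
        skip_ws(&p);
        if (p.src[p.pos] != '\0')
            st = PARSE_SYNTAX_ERROR;
    }
    return st;
}

/* Builds the reporter's input shape: "+ " repeated n times, followed by "1"
 * (constructed input). Caller frees the result. */
char *repeated_plus(size_t n) {
    char *s = malloc(2 * n + 2);
    if (s == NULL) return NULL;
    for (size_t i = 0; i < n; i++) { s[2 * i] = '+'; s[2 * i + 1] = ' '; }
    s[2 * n] = '1';
    s[2 * n + 1] = '\0';
    return s;
}

/* Small wrappers returning a single value, convenient for tests and callers. */
int parse_status_of(const char *src) { long v = 0; return (int)parse_unary(src, &v); }
long parse_value_of(const char *src) { long v = 0; parse_unary(src, &v); return v; }
int status_of_repeated_plus(size_t n) {
    char *s = repeated_plus(n);
    if (s == NULL) return -1;
    int st = parse_status_of(s);
    free(s);
    return st;
}

int main(void) {
    long v = parse_value_of("- -3");
    printf("\"- -3\" -> value %ld\n", v);
    printf("\"+ \" x 10    -> status %d\n", status_of_repeated_plus(10));
    printf("\"+ \" x 60000 -> status %d (2 = PARSE_TOO_DEEP)\n", status_of_repeated_plus(60000));
    return 0;
}
```

Compile with a C99 or later compiler and run; main() feeds the reporter's input shape at two sizes. The exact budget is an engine-tuning choice relative to the available native stack; the point is that the nesting depth is bounded by the parser itself, so a deeply nested script becomes a reported error (the "Error in JS console" the reporter expected) rather than a process crash.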
Updated•19 years ago (Assignee)
Attachment #198894 - Attachment description: Add a neede check → Add a needed check
Updated•19 years ago
Severity: normal → critical
Comment 2•19 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-311629.js,v <-- regress-311629.js initial revision: 1.1
Flags: testcase+
Comment 3•19 years ago
Ideally safe fix for 1.8rc1. This should go on the trunk ASAP. Thanks,
/be
Flags: blocking1.8rc1+
Comment 4•19 years ago (Assignee)
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
Attachment #198894 - Flags: approval1.8rc1?
Comment 5•19 years ago
Should this go on the 1.7/aviary branches as well?
Comment 6•19 years ago
(In reply to comment #5)
> Should this go on the 1.7/aviary branches as well?

Can't hurt, but it's not needed for security against remote exploit, or for XSS or privacy protection -- just for DOS prevention.
/be
Updated•19 years ago
Attachment #198894 - Flags: approval1.8rc1? → approval1.8rc1+
Comment 7•19 years ago
Blake, can you get this checked into the branch? Thanks.
Updated•19 years ago (Assignee)
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1