Closed
Bug 493290
Opened 15 years ago
Closed 15 years ago
Data from Faulting Address controls Branch Selection starting at js3250!js_DeepBail+0xd1
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 492487
People
(Reporter: cbook, Unassigned)
Details
(Keywords: crash, Whiteboard: [sg:dupe 492487])
Steps to reproduce:
-> Load http://search.yahoo.com/search?p=Driver+Training+%28Behind+the+Wheel%29+&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
--> Crash

Crashes 1.9.1 opt/debug builds
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre - trunk seems fine.

Marking as security bug for now, because:

Exploitability Classification: UNKNOWN
(f0c.8e4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0527d878 ecx=071d1d5c edx=00e72c50 esi=0012bb90 edi=00000026
eip=005e2ce1 esp=0012b85c ebp=0012b86c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
js3250!js_DeepBail+0xd1:
005e2ce1 83b80002000000  cmp     dword ptr [eax+200h],0 ds:0023:00000200=????????
ChildEBP RetAddr
0012b86c 004c3680 js3250!js_DeepBail+0xd1
0012b878 004c431c js3250!js_LeaveTrace+0x20
0012b884 004c42ad js3250!js_GetTopStackFrame+0xc
0012b894 004c4cec js3250!PopulateReportBlame+0xd
0012b8dc 004b414b js3250!js_ReportErrorNumberVA+0x4c
0012b908 0057c994 js3250!JS_ReportErrorFlagsAndNumberUC+0x2b
0012b928 0057da65 js3250!ReportRegExpErrorHelper+0x54
0012b948 0057d16e js3250!ProcessOp+0x245
0012b9a8 0057cc55 js3250!ParseRegExp+0x39e
0012b9c4 0057b6d7 js3250!CompileRegExpToAST+0x1c5
0012ba64 0057fb99 js3250!js_NewRegExp+0x47
0012baa4 00589d78 js3250!js_NewRegExpOpt+0x249
0012bb04 0058a74e js3250!regexp_compile_sub+0x4d8
0012bb40 05fb7eeb js3250!RegExp_tn2+0x7e
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012bb84 7c91005d 0x5fb7eeb
0012e158 005ddfae ntdll!RtlFreeHeap+0x130
0012e1a4 0050cbb0 js3250!js_MonitorLoopEdge+0x2de
0012e860 00503cff js3250!js_Interpret+0x6810
0012e940 004f4e55 js3250!js_Invoke+0x99f
0012e978 0051658c js3250!js_fun_call+0x1b5
quit:
Flags: blocking1.9.1?
Comment 1•15 years ago
I don't get a crash with TM tip. Can anyone reproduce this?
Comment 2•15 years ago
I can on 1.9.1, but not tracemonkey on mac.
Comment 3•15 years ago
Is this the same as https://bugzilla.mozilla.org/show_bug.cgi?id=492487?
Comment 4•15 years ago
This is like a GC hazard in the native invocation path which was recently fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Flags: blocking1.9.1?
Updated•15 years ago
Whiteboard: [sg:dupe 492487]
Updated•15 years ago
Group: core-security
Flags: wanted1.9.0.x-