Closed
Bug 740609
Opened 12 years ago
Closed 12 years ago
Crash [@ JS_HashString] under js::SaveScriptFilename
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla14
People
(Reporter: jruderman, Assigned: billm)
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos null deref])
Attachments
(3 files)
Might be a regression from bug 739694.
Reporter
Comment 1•12 years ago
Comment 2•12 years ago
Hmph, apparently script->filename can be null.
Assignee: nobody → general
Component: jemalloc → JavaScript Engine
QA Contact: jemalloc → general
Comment 3•12 years ago
Stack looks like a null deref (also noted in comment 2). Is there a worry about exploitability here or can we call this a DoS?
Comment 4•12 years ago
JS_HashString starts touching at offset 0, so safe low-memory fault.
Updated•12 years ago
Group: core-security
Whiteboard: [sg:dos null deref]
Assignee
Updated•12 years ago
Assignee: general → wmccloskey
Assignee
Comment 5•12 years ago
Attachment #614210 -
Flags: review?(luke)
Updated•12 years ago
Attachment #614210 -
Flags: review?(luke) → review+
Assignee
Comment 6•12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8cf633d7a031
Target Milestone: --- → mozilla14
Comment 7•12 years ago
https://hg.mozilla.org/mozilla-central/rev/8cf633d7a031
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED