Closed Bug 740609 Opened 12 years ago Closed 12 years ago

Crash [@ JS_HashString] under js::SaveScriptFilename

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: jruderman, Assigned: billm)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos null deref])

Attachments

(3 files)

testcase (crashes Firefox when loaded)
315 bytes, text/html
Details
stack trace
9.02 KB, text/plain
Details
patch
1.34 KB, patch
luke
: review+
Details | Diff | Splinter Review 
Might be a regression from bug 739694.
Attached file stack trace 

    
    

    
  
Hmph, apparently script->filename can be null.
Assignee: nobody → general
Component: jemalloc → JavaScript Engine
QA Contact: jemalloc → general

    
    

    
  
Stack looks like a null deref (also noted in comment 2). Is there a worry about exploitability here or can we call this a DoS?

    
    

    
  
JS_HashString starts touching at offset 0, so safe low-memory fault.
Group: core-security
Whiteboard: [sg:dos null deref]
Assignee: general → wmccloskey

    
  

        Attachment #614210 -
        Flags: review?(luke) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8cf633d7a031
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: