Closed Bug 1019892 Opened 10 years ago Closed 10 years ago

propFlags is uninitialized in jsd_GetValueProperty if JS_GetPropertyById returns null

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: mccr8, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, csectype-uninitialized) 

I don't know how bad this is.
Keywords: coverity
How bad is this?  Setting a property with random garbage flags sounds bad...
Flags: needinfo?(sphink)
This is using the old JS debugger interface, and I think it only happens on a particular OOM, so it doesn't seem too dangerous.
Keywords: sec-moderate
Uh, am I reading this wrong? The way I read it, propFlags is uninitialized in the *success* case. Which would be much worse, of course. The logic I see is

  if (!JS_GetPropertyById()) {
    propFlags = JSPD_EXCEPTION or JSPD_ERROR;
    propValue = JSVAL_VOID or uninitialized;
  } else {
    propFlags = uninitialized;
    propValue = value;
  }
  propFlags |= some stuff;
  return _newProperty(...propValue, propFlags...);

Oh. Except this is all pretty innocuous. We're not creating any properties here. We're just making a JSD reflection of a property. If it has the wrong flags, it'll only make the debugger display the wrong thing or something. I don't know if anyone ever even looks at these flags. (Probably not, if they're usually wrong!)
Flags: needinfo?(sphink)
Ah, ok.  It sounds like this doesn't need to be a security bug.  Thanks for the analysis!
Group: core-security
Keywords: sec-moderatecsectype-uninitialized
Depends on: 800200
Has the affected code been removed now with Bug 800200 being fixed, i.e. can this bug be closed?
Sounds good to me.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.