1037890 - CID 1225481: Out-of-bounds read as found by Coverity

Status: RESOLVED DUPLICATE of bug 1037718

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

+++ This bug was initially created as a clone of Bug #1037889 +++

Coverity analysis of source code in js/src has found an Out-of-bounds read.


445JS_PUBLIC_API(const char *)
446JS_GetTypeName(JSContext *cx, JSType type)
447{
   
1. Condition (unsigned int)type >= 8U /* (unsigned int)JSTYPE_LIMIT */, taking false branch
   
2. cond_at_most: Checking (unsigned int)type >= 8U implies that type has the value which may be up to 7 on the false branch.
448    if ((unsigned)type >= (unsigned)JSTYPE_LIMIT)
449        return nullptr;
   
CID 1225481 (#1 of 1): Out-of-bounds read (OVERRUN)3. overrun-local: Overrunning array js::TypeStrings of 7 8-byte elements at element index 7 (byte offset 56) using index type (which evaluates to 7).
450    return TypeStrings[type];
451}

Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)

Comment 1

[Jan de Mooij [:jandem]]

Ah, nice find! js::TypeStrings is missing an entry for symbols, this is fallout from bug 645416.

We should add a (static) assert to prevent this in the future.

Comment 2

[Jason Orendorff [:jorendorff]]

Taking.

Comment 3

[David Bolter [:davidb] (NeedInfo me for attention)]

Jason any thoughts on the security implications here?

Comment 4

[Jan de Mooij [:jandem]]

Same issue as bug 1037718. The other bug has a patch so duping forward.