Closed
Bug 1037890
Opened 11 years ago
Closed 11 years ago
CID 1225481: Out-of-bounds read as found by Coverity
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1037718
Tracking | Status
---|---
firefox33 | affected
People
(Reporter: gkw, Assigned: jorendorff)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, regression, sec-high)
+++ This bug was initially created as a clone of Bug #1037889 +++
Coverity analysis of source code in js/src has found an Out-of-bounds read.
    JS_PUBLIC_API(const char *)
    JS_GetTypeName(JSContext *cx, JSType type)
    {
        /* Coverity:
           1. Condition (unsigned int)type >= 8U (= (unsigned int)JSTYPE_LIMIT), taking false branch
           2. cond_at_most: Checking (unsigned int)type >= 8U implies that type may be up to 7 on the false branch. */
        if ((unsigned)type >= (unsigned)JSTYPE_LIMIT)
            return nullptr;
        /* CID 1225481 (#1 of 1): Out-of-bounds read (OVERRUN)
           3. overrun-local: Overrunning array js::TypeStrings of 7 8-byte elements at element index 7
              (byte offset 56) using index type (which evaluates to 7). */
        return TypeStrings[type];
    }
Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)
Flags: needinfo?(jdemooij)
Comment 1 • 11 years ago
Ah, nice find! js::TypeStrings is missing an entry for symbols, this is fallout from bug 645416.
We should add a (static) assert to prevent this in the future.
Flags: needinfo?(jdemooij) → needinfo?(jorendorff)
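A minimal model of the defect and of the static assert Comment 1 proposes, added here as an example (not SpiderMonkey's own code; the enum and the table contents are constructed for illustration): the range check admits index 7, a 7-entry table cannot serve it, and a compile-time size check ties the table to JSTYPE_LIMIT so a new enumerator cannot be added without its string.

```c
/* Constructed example, not SpiderMonkey code: models bug 1037890, where
 * js::TypeStrings had 7 entries while JSTYPE_LIMIT was 8 after symbols
 * were added (bug 645416). */
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Eight type tags; the last one (symbol) was added without updating the table. */
typedef enum {
    JSTYPE_VOID, JSTYPE_OBJECT, JSTYPE_FUNCTION, JSTYPE_STRING,
    JSTYPE_NUMBER, JSTYPE_BOOLEAN, JSTYPE_NULL, JSTYPE_SYMBOL,
    JSTYPE_LIMIT
} JSType;

/* Stale table as in the report: 7 entries, so index 7 reads past the end. */
static const char *const TypeStringsStale[] = {
    "undefined", "object", "function", "string", "number", "boolean", "null"
};

/* Fixed table: one entry per enumerator, enforced at compile time. */
static const char *const TypeStrings[] = {
    "undefined", "object", "function", "string", "number", "boolean", "null",
    "symbol"
};
_Static_assert(sizeof(TypeStrings) / sizeof(TypeStrings[0]) == JSTYPE_LIMIT,
               "TypeStrings must have exactly JSTYPE_LIMIT entries");

/* Same range check as in the report, now over a table the assert keeps in sync. */
const char *GetTypeName(JSType type)
{
    if ((unsigned)type >= (unsigned)JSTYPE_LIMIT)
        return NULL;
    return TypeStrings[type];
}

/* Returns 1 when the report's bounds check would let an index through that
 * the stale 7-entry table cannot serve (the out-of-bounds read Coverity found). */
int stale_check_lets_overrun(JSType type)
{
    size_t n = sizeof(TypeStringsStale) / sizeof(TypeStringsStale[0]);
    return (unsigned)type < (unsigned)JSTYPE_LIMIT && (size_t)type >= n;
}
```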
Reporter
Updated • 11 years ago
Summary: CID 1225481: Out-of-bounds read as found by Coverity → CID 1225481: Out-of-bounds read as found by Coverity
Updated • 11 years ago
Group: javascript-core-security
Comment 3 • 11 years ago
Jason any thoughts on the security implications here?
Updated • 11 years ago
Blocks: harmony:symbols
Keywords: sec-high
Updated • 11 years ago
Keywords: testcase-wanted
Comment 4 • 11 years ago
Same issue as bug 1037718. The other bug has a patch so duping forward.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated • 11 years ago
Keywords: testcase-wanted
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Updated • 7 years ago
Blocks: coverity-analysis