Closed Bug 1037890 Opened 6 years ago Closed 6 years ago

CID 1225481: Out-of-bounds read as found by Coverity

Categories: Core :: JavaScript Engine, defect

Tracking: RESOLVED DUPLICATE of bug 1037718
Tracking Status: firefox33 --- affected

People: Reporter: gkw, Assigned: jorendorff

References: Blocks 1 open bug

Details: Keywords: coverity, regression, sec-high

+++ This bug was initially created as a clone of Bug #1037889 +++

Coverity analysis of source code in js/src has found an Out-of-bounds read.


JS_PUBLIC_API(const char *)
JS_GetTypeName(JSContext *cx, JSType type)
{
    1. Condition (unsigned int)type >= 8U /* (unsigned int)JSTYPE_LIMIT */, taking false branch
    2. cond_at_most: Checking (unsigned int)type >= 8U implies that type has the value which may be up to 7 on the false branch.
    if ((unsigned)type >= (unsigned)JSTYPE_LIMIT)
        return nullptr;
    CID 1225481 (#1 of 1): Out-of-bounds read (OVERRUN)
    3. overrun-local: Overrunning array js::TypeStrings of 7 8-byte elements at element index 7 (byte offset 56) using index type (which evaluates to 7).
    return TypeStrings[type];
}

Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)
Flags: needinfo?(jdemooij)
Ah, nice find! js::TypeStrings is missing an entry for symbols; this is fallout from bug 645416.

We should add a (static) assert to prevent this in the future.
Flags: needinfo?(jdemooij) → needinfo?(jorendorff)
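The defect the Coverity trace describes, and the static assert suggested in the previous comment, as an added stand-alone C example. This is not SpiderMonkey code: the enumerators, the string tables and the function names are constructed stand-ins that reproduce the shape of the bug (a range check bounded by an enum limit of 8 guarding a table that only has 7 entries) and show how tying the table length to the limit at compile time prevents a repeat.

```c
/* Added example, not js/src source. Reproduces the pattern from the report:
 * a bounds check against an enum limit whose string table was not extended
 * when a new enumerator (symbols) was added, beside the hardened form. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for JSType. T_SYMBOL is the newly added member;
 * T_LIMIT == 8 plays the role of JSTYPE_LIMIT. */
typedef enum {
    T_UNDEFINED, T_OBJECT, T_FUNCTION, T_STRING, T_NUMBER, T_BOOLEAN, T_NULL,
    T_SYMBOL,
    T_LIMIT
} TypeTag;

/* Buggy table: 7 entries, while the range check below admits indices 0..7.
 * Indexing it with T_SYMBOL reads one element past the end. */
static const char *const TypeStringsBuggy[] = {
    "undefined", "object", "function", "string", "number", "boolean", "null"
};

/* Fixed table: exactly one entry per enumerator below T_LIMIT. */
static const char *const TypeStringsFixed[] = {
    "undefined", "object", "function", "string", "number", "boolean", "null",
    "symbol"
};

/* The compile-time check the comment asks for: adding an enumerator without
 * a matching string now fails the build instead of shipping an overrun. */
_Static_assert(ARRAY_LEN(TypeStringsFixed) == T_LIMIT,
               "TypeStringsFixed must have one entry per TypeTag");

/* Same range check as the reported function; it is sound only because the
 * static assert guarantees the table really has T_LIMIT entries. */
const char *type_name(TypeTag type)
{
    if ((unsigned)type >= (unsigned)T_LIMIT)
        return NULL;
    return TypeStringsFixed[type];
}

/* Defensive lookup for a table whose length is not tied to the enum:
 * bound by the table's actual size, so T_SYMBOL yields NULL rather than
 * an out-of-bounds read. */
const char *type_name_buggy_table_safe(TypeTag type)
{
    if ((size_t)type >= ARRAY_LEN(TypeStringsBuggy))
        return NULL;
    return TypeStringsBuggy[type];
}

/* Number of enumerators below T_LIMIT that a table of the given length
 * cannot name; non-zero means the enum-limit check is unsafe for it. */
size_t missing_entries(size_t table_len)
{
    return table_len < (size_t)T_LIMIT ? (size_t)T_LIMIT - table_len : 0;
}

int main(void)
{
    const char *safe = type_name_buggy_table_safe(T_SYMBOL);
    printf("T_SYMBOL via fixed table: %s\n", type_name(T_SYMBOL));
    printf("T_SYMBOL via buggy table, size-bounded lookup: %s\n",
           safe ? safe : "NULL");
    printf("entries missing from buggy table: %zu\n",
           missing_entries(ARRAY_LEN(TypeStringsBuggy)));
    return 0;
}
```

The static assert is the durable fix: the run-time check in the reported function is correct in isolation, and only became an overrun because the table it guards and the limit it compares against were maintained separately.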
Summary: CID 1225481: Out-of-bounds read as found by Coverity → CID 1225481: Out-of-bounds read as found by Coverity
Group: javascript-core-security
Taking.
Assignee: nobody → jorendorff
Flags: needinfo?(jorendorff)
Jason, any thoughts on the security implications here?
Same issue as bug 1037718. The other bug has a patch so duping forward.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1037718
Group: core-security → core-security-release
Group: core-security-release