Closed Bug 1037898 Opened 6 years ago Closed 6 years ago

CID 1136430: Out-of-bounds access as found by Coverity

Categories

(Core :: JavaScript Engine, defect)

defect
Not set

Tracking


RESOLVED FIXED
mozilla33

People

(Reporter: gkw, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: coverity)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1037890 +++

Coverity analysis of source code in js/src has found an Out-of-bounds access.


3656    if (!typeScript)
3657        return false;
3658
3659    new(typeScript) TypeScript();
3660
    
2. derived_to_base: Converting derived class pointer typeScript->typeArray() of type js::types::ConstraintTypeSet * (24 bytes) to base class pointer type js::types::TypeSet * (16 bytes).
    
3. assign: Assigning: typeArray = typeScript->typeArray().
3661    TypeSet *typeArray = typeScript->typeArray();
3662
    
4. Condition i < count, taking true branch
3663    for (unsigned i = 0; i < count; i++)
    
CID 1136430 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)
5. ptr_arith: Using typeArray as an array. This might corrupt or misinterpret adjacent memory locations.
3664        new (&typeArray[i]) StackTypeSet();
3665
3666    types = typeScript;

in file js/src/jsinfer.cpp .

Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)
Flags: needinfo?(jdemooij)
Group: javascript-core-security
Clever find. TypeScript is zero-initialized and the TypeSet/StackTypeSet constructors also write zero, so I *think* this is harmless atm.

Looks like

TypeSet *typeArray = typeScript->typeArray();

Should be StackTypeSet *typeArray.
Flags: needinfo?(jdemooij) → needinfo?(bhackett1024)
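The defect class behind CID 1136430 is worth seeing concretely: `&typeArray[i]` advances by `sizeof(TypeSet)` (16 bytes) when `typeArray` is a `TypeSet *`, but the storage holds `StackTypeSet` objects of 24 bytes, so the loop constructs objects at the wrong stride. The following is an added example, not code from this bug or from mozilla-central; the `TypeSet`/`ConstraintTypeSet`/`StackTypeSet` structs are constructed stand-ins with fixed-width fields chosen only so their sizes match the 16/24 bytes Coverity reports, and `constructedElements` is a hypothetical helper that runs the loop both ways over storage pre-filled with `0xAB` and counts how many intended elements were actually fully constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>

// Constructed stand-ins for the js::types hierarchy named in the report.
// Fixed-width fields make the sizes match Coverity's numbers on any target:
// TypeSet is 16 bytes, ConstraintTypeSet and StackTypeSet are 24 bytes.
struct TypeSet {
    uint64_t flags;
    uint64_t objectSet;
    TypeSet() : flags(0), objectSet(0) {}
};
struct ConstraintTypeSet : TypeSet {
    uint64_t constraintList;
    ConstraintTypeSet() : constraintList(0) {}
};
struct StackTypeSet : ConstraintTypeSet {};

static_assert(sizeof(TypeSet) == 16, "base size assumed by this example");
static_assert(sizeof(StackTypeSet) == 24, "derived size assumed by this example");

// Hypothetical helper: runs the constructor loop from the report over storage
// sized for `count` StackTypeSet objects, either through a TypeSet* (the bug,
// stride 16) or through a StackTypeSet* (the fix, stride 24). The storage is
// pre-filled with 0xAB so any byte the loop never wrote is visible afterwards.
// Returns how many of the `count` intended elements are fully constructed,
// i.e. have all 24 bytes written to zero by a constructor.
static unsigned constructedElements(unsigned count, bool indexThroughBase) {
    size_t bytes = sizeof(StackTypeSet) * count;
    unsigned char *storage = static_cast<unsigned char *>(std::malloc(bytes));
    if (!storage)
        return 0;
    std::memset(storage, 0xAB, bytes);

    if (indexThroughBase) {
        TypeSet *typeArray = reinterpret_cast<TypeSet *>(storage);      // the bug
        for (unsigned i = 0; i < count; i++)
            new (&typeArray[i]) StackTypeSet();  // &typeArray[i] steps 16 bytes, writes 24
    } else {
        StackTypeSet *typeArray = reinterpret_cast<StackTypeSet *>(storage);  // the fix
        for (unsigned i = 0; i < count; i++)
            new (&typeArray[i]) StackTypeSet();  // steps 24 bytes, writes 24
    }

    // Inspect the raw bytes of each intended element slot.
    unsigned ok = 0;
    for (unsigned k = 0; k < count; k++) {
        const unsigned char *elem = storage + k * sizeof(StackTypeSet);
        bool zero = true;
        for (size_t b = 0; b < sizeof(StackTypeSet); b++) {
            if (elem[b] != 0) { zero = false; break; }
        }
        if (zero)
            ok++;
    }
    std::free(storage);
    return ok;
}

int main() {
    for (unsigned count = 1; count <= 6; count++) {
        std::printf("count=%u  via TypeSet*: %u constructed  via StackTypeSet*: %u constructed\n",
                    count, constructedElements(count, true), constructedElements(count, false));
    }
    return 0;
}
```

With the base-pointer stride the writes cover bytes [0, 16*(count-1)+24), so the last write never runs past this allocation (16*count+8 <= 24*count), but trailing slots are left unconstructed: with six elements only the first four come out fully initialized. In jsinfer.cpp the storage is zero-initialized and the constructors write zeros, which is why Jan's comment above judges this harmless today; the same mistake over non-zeroed storage, or with constructors that write non-zero state, would leave live objects partially initialized, which is the risk Coverity's ARRAY_VS_SINGLETON checker flags.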
Attached patch: patch
Yeah, this is harmless.
Assignee: nobody → bhackett1024
Attachment #8456528 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Group: core-security
Attachment #8456528 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/2f62414fe13f
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33