CID 1136430: Out-of-bounds access as found by Coverity

RESOLVED FIXED in mozilla33

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 4 years ago
Modified: 4 years ago
Reporter: gkw
Assigned: bhackett
Keywords: coverity
Version: Trunk
Target Milestone: mozilla33
Attachments: 1

Description (Reporter, 4 years ago)
+++ This bug was initially created as a clone of Bug #1037890 +++

Coverity analysis of source code in js/src has found an Out-of-bounds access.


3656    if (!typeScript)
3657        return false;
3658
3659    new(typeScript) TypeScript();
3660
    2. derived_to_base: Converting derived class pointer typeScript->typeArray() of type js::types::ConstraintTypeSet * (24 bytes) to base class pointer type js::types::TypeSet * (16 bytes).
    3. assign: Assigning: typeArray = typeScript->typeArray().
3661    TypeSet *typeArray = typeScript->typeArray();
3662
    4. Condition i < count, taking true branch
3663    for (unsigned i = 0; i < count; i++)
    CID 1136430 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)
    5. ptr_arith: Using typeArray as an array. This might corrupt or misinterpret adjacent memory locations.
3664        new (&typeArray[i]) StackTypeSet();
3665
3666    types = typeScript;

in file js/src/jsinfer.cpp.

Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)
Flags: needinfo?(jdemooij)
Group: javascript-core-security
Comment 1

Clever find. TypeScript is zero-initialized and the TypeSet/StackTypeSet constructors also write zero so I *think* this is harmless atm.

Looks like

TypeSet *typeArray = typeScript->typeArray();

should be StackTypeSet *typeArray.
Flags: needinfo?(jdemooij) → needinfo?(bhackett1024)
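The following is an added example, not code from this bug or from SpiderMonkey. It models the pattern Coverity flagged and the argument in comment 1: Base and Derived stand in for the 16-byte js::types::TypeSet and the 24-byte subclass named in the report; only those two sizes are taken from the page, while the field names, the constructors, the tag parameter and the buffer set-up are assumptions. Indexing the storage through a Base* makes &typeArray[i] advance by 16 bytes while each placement-new writes 24, so consecutive constructions overlap by one word. With zeroed storage and constructors that only write zeros the result is byte-identical to the correct loop, which is why the bug was harmless; with any non-zero store the slots come out wrong. Note also what the arithmetic on the report's sizes gives: the last write starts at (count - 1) * 16 and ends 24 bytes later, inside a count * 24 byte allocation, so the concrete effect is misplacement and overlap rather than a write past the end of the buffer.

```cpp
// Added example, not code from the bug or from SpiderMonkey. Base and Derived
// model the 16-byte js::types::TypeSet and the 24-byte subclass from Coverity's
// message; the fields, constructors and `tag` parameter are assumptions, only
// the two sizes come from the report.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

struct Base {
    uint64_t flags;
    uint64_t objectSet;                 // stands in for a pointer-sized member
    explicit Base(uint64_t f) : flags(f), objectSet(0) {}
};

struct Derived : Base {
    uint64_t constraintList;            // the extra word that makes Derived 24 bytes
    explicit Derived(uint64_t f) : Base(f), constraintList(0) {}
};

static_assert(sizeof(Base) == 16 && sizeof(Derived) == 24,
              "model mirrors the 16/24-byte sizes in the Coverity message");

// The flagged pattern: the element type is Derived, but the loop indexes the
// storage through a Base*, so &typeArray[i] advances by sizeof(Base) (16) and
// each placement-new writes 24 bytes starting 16 bytes after the previous one.
void constructThroughBase(void* storage, unsigned count, uint64_t tag) {
    Base* typeArray = static_cast<Derived*>(storage);   // derived_to_base, as in the report
    for (unsigned i = 0; i < count; i++)
        new (&typeArray[i]) Derived(tag);
}

// The fix the bug lands on: index through the element's own type.
void constructThroughDerived(void* storage, unsigned count, uint64_t tag) {
    Derived* typeArray = static_cast<Derived*>(storage);
    for (unsigned i = 0; i < count; i++)
        new (&typeArray[i]) Derived(tag);
}

// Runs one of the loops over `count` Derived-sized slots pre-filled with `fill`
// and returns the raw bytes, so the two results can be compared without
// reading objects that the buggy loop never properly constructed.
std::vector<unsigned char> runLoop(void (*loop)(void*, unsigned, uint64_t),
                                   unsigned count, uint64_t tag, unsigned char fill) {
    std::vector<unsigned char> buf(count * sizeof(Derived), fill);
    loop(buf.data(), count, tag);
    return buf;
}

// True when the buggy and the fixed loop leave byte-identical memory. With
// zeroed storage and constructors that only write zeros (fill == 0, tag == 0)
// the wrong stride is invisible, which is the argument made in comment 1.
bool buggyMatchesFixed(unsigned count, uint64_t tag, unsigned char fill) {
    return runLoop(constructThroughBase, count, tag, fill) ==
           runLoop(constructThroughDerived, count, tag, fill);
}

// Number of Derived slots that hold exactly what a constructor should have
// left there (flags == tag, the other two words 0) after the buggy loop, with
// zero-filled storage. With a non-zero tag most slots are wrong because
// consecutive constructions overlap by 8 bytes: element i+1's `flags` lands
// on element i's `constraintList`.
unsigned intactSlotsAfterBuggyLoop(unsigned count, uint64_t tag) {
    std::vector<unsigned char> buf = runLoop(constructThroughBase, count, tag, 0);
    unsigned intact = 0;
    for (unsigned i = 0; i < count; i++) {
        uint64_t w[3];
        std::memcpy(w, buf.data() + i * sizeof(Derived), sizeof w);
        if (w[0] == tag && w[1] == 0 && w[2] == 0)
            intact++;
    }
    return intact;
}

// Bytes the buggy loop can touch: its last write starts at
// (count - 1) * sizeof(Base) and is sizeof(Derived) long, which stays inside
// the count * sizeof(Derived) allocation for every count >= 1.
size_t buggyLoopExtent(unsigned count) {
    return count == 0 ? 0 : (count - 1) * sizeof(Base) + sizeof(Derived);
}
```

For four elements, buggyMatchesFixed(4, 0, 0) holds, buggyMatchesFixed(4, 0, 0xAB) does not (the buggy loop leaves the last 24 bytes untouched), and intactSlotsAfterBuggyLoop(4, 7) is 1: only the slot that happens to start at a multiple of both strides, with no later construction overlapping it, comes out right.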
Comment 2 (Assignee, 4 years ago)
Created attachment 8456528 [details] [diff] [review]
patch

Yeah, this is harmless.
Assignee: nobody → bhackett1024
Attachment #8456528 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Updated (Assignee, 4 years ago)
Group: core-security

Updated (4 years ago)
Attachment #8456528 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/2f62414fe13f
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33