Closed Bug 1143281 Opened 5 years ago Closed 5 years ago

Assertion failure: isString(), at dist/include/js/Value.h:1230

Categories

(Core :: js-ctypes, defect)


RESOLVED FIXED
mozilla39
Tracking Status
firefox39 --- fixed

People

(Reporter: arai, Unassigned)

Attachments

(1 file)

In StructType::AddressOfField, args[0].toString() is called without checking args[0].isString(), and it causes an assertion failure when args[0] is not a string.

https://hg.mozilla.org/mozilla-central/file/38154607d807/js/src/ctypes/CTypes.cpp#l5344
>  JSFlatString *str = JS_FlattenString(cx, args[0].toString());
>  if (!str)
>    return false;

Testcase:
  ctypes.StructType("a", [ { "x": ctypes.int32_t, } ])().addressOfField(1);

I guess it's not so dangerous, since it's accessible only from js-ctypes, but marking as security just to be safe.
Error message detail will be fixed in bug 891107.
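As an added illustration (not SpiderMonkey's code), a minimal C++ model of the defect and its fix: a tagged `Value` whose `toString()` asserts like `JS::Value::toString()`, and an `addressOfField` lookup over a constructed struct layout, once without and once with the `isString()` check. The `Value` type, `StructLayout`, `Status` and the field offsets are all constructed for this example.

```cpp
// Added example, not SpiderMonkey code: `Value` stands in for JS::Value and the
// struct layout is constructed for illustration.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <utility>

struct Value {
    enum Tag { Int32, String } tag = Int32;
    int32_t i = 0;
    std::string s;
    static Value fromInt(int32_t v) { Value r; r.tag = Int32; r.i = v; return r; }
    static Value fromString(std::string v) { Value r; r.tag = String; r.s = std::move(v); return r; }
    bool isString() const { return tag == String; }
    // Like JS::Value::toString(): an assertion, not a runtime type check.
    const std::string& toString() const { assert(isString()); return s; }
};

// Constructed stand-in for a ctypes StructType: field name -> byte offset.
using StructLayout = std::map<std::string, size_t>;
enum class Status { Ok, TypeError, NoSuchField };

StructLayout exampleLayout() { return {{"x", 0}, {"y", 4}}; }

// Shape of the code before the fix: a non-string argument reaches toString()
// and trips its assertion (or, with assertions compiled out, misinterprets
// the payload as a string pointer).
Status addressOfFieldUnchecked(const StructLayout& layout, uintptr_t base,
                               const Value& arg, uintptr_t* out) {
    const std::string& name = arg.toString();
    auto it = layout.find(name);
    if (it == layout.end()) return Status::NoSuchField;
    *out = base + it->second;
    return Status::Ok;
}

// Fixed shape: validate the argument type first and report a type error
// instead of converting blindly.
Status addressOfFieldChecked(const StructLayout& layout, uintptr_t base,
                             const Value& arg, uintptr_t* out) {
    if (!arg.isString()) return Status::TypeError;
    return addressOfFieldUnchecked(layout, base, arg, out);
}
```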
Attachment #8577589 - Flags: review?(jorendorff)
Comment on attachment 8577589 [details] [diff] [review]
Check argument type in StructType.prototype.addressOfField.

Review of attachment 8577589 [details] [diff] [review]:
-----------------------------------------------------------------

Good patch. Thanks!
Attachment #8577589 - Flags: review?(jorendorff) → review+
Clearing s-g. Letting user input reach addressOfField would already be pretty crazy.
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/5bdf6276a3b7
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39