Closed
Bug 1143281
Opened 9 years ago
Closed 9 years ago
Assertion failure: isString(), at dist/include/js/Value.h:1230
Categories
(Core :: js-ctypes, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
Tracking | Status | |
---|---|---|
firefox39 | --- | fixed |
People
(Reporter: arai, Unassigned)
Details
Attachments
(1 file)
1.47 KB, patch | jorendorff: review+
In StructType::AddressOfField, args[0].toString() is called without checking args[0].isString(), and it causes an assertion failure when args[0] is not a string.

https://hg.mozilla.org/mozilla-central/file/38154607d807/js/src/ctypes/CTypes.cpp#l5344
> JSFlatString *str = JS_FlattenString(cx, args[0].toString());
> if (!str)
>   return false;

Testcase:

ctypes.StructType("a", [ { "x": ctypes.int32_t, } ])().addressOfField(1);

I guess it's not so dangerous, since it's accessible only from js-ctypes, but marking as security just to be safe.
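The pattern from the description, as an added example that is not code from the bug report or from Mozilla's patch: a toy tagged value with the unchecked accessor call beside a form that validates the argument type first. The `Value` and `Fields` types, the function names and the error strings are assumptions made for the illustration.

```cpp
// Added illustration: a toy tagged value, not SpiderMonkey's JS::Value.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <vector>
struct Value {                              // hypothetical stand-in for a JS value
    enum Tag { Int32, String };
    Tag tag; int i; std::string s;
    explicit Value(int v) : tag(Int32), i(v) {}
    explicit Value(const std::string& v) : tag(String), i(0), s(v) {}
    bool isString() const { return tag == String; }
    const std::string& toString() const {
        assert(isString());                 // accessor contract, as in the bug title
        return s;
    }
};

using Fields = std::map<std::string, std::size_t>;   // field name -> byte offset

// Unchecked form, mirroring the quoted snippet: the accessor is reached
// whatever the argument's type, so addressOfField(1) trips the assertion.
bool addressOfFieldUnchecked(const Fields& f, const std::vector<Value>& args,
                             std::size_t* out) {
    auto it = f.find(args[0].toString());
    if (it == f.end()) return false;
    *out = it->second;
    return true;
}

// Checked form: arity and type are validated first and reported as an error.
// The error strings are constructed for this example.
bool addressOfFieldChecked(const Fields& f, const std::vector<Value>& args,
                           std::size_t* out, std::string* err) {
    if (args.size() != 1) { *err = "addressOfField takes one argument"; return false; }
    if (!args[0].isString()) { *err = "argument must be a string"; return false; }
    auto it = f.find(args[0].toString());
    if (it == f.end()) { *err = "no such field"; return false; }
    *out = it->second;
    return true;
}

int main() {
    Fields f; f["x"] = 0;                   // layout of the struct in the testcase
    std::size_t off = 0; std::string err;
    bool ok = addressOfFieldChecked(f, {Value(1)}, &off, &err);
    std::printf("ok=%d err=%s\n", ok, err.c_str());
}
```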
Reporter | ||
Comment 1•9 years ago
Error message detail will be fixed in bug 891107.
Attachment #8577589 -
Flags: review?(jorendorff)
Comment 2•9 years ago
Comment on attachment 8577589
Check argument type in StructType.prototype.addressOfField.

Review of attachment 8577589:
-----------------------------------------------------------------
Good patch. Thanks!
Attachment #8577589 -
Flags: review?(jorendorff) → review+
Comment 3•9 years ago
Clearing s-g. Letting user input reach addressOfField would already be pretty crazy.
Group: core-security
Reporter | ||
Comment 4•9 years ago
Thank you for reviewing!
Try run was green: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c61ddb0a1371
and pushed to m-i: https://hg.mozilla.org/integration/mozilla-inbound/rev/5bdf6276a3b7
Comment 5•9 years ago
https://hg.mozilla.org/mozilla-central/rev/5bdf6276a3b7
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox39:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39