Closed
Bug 1168091
Opened 9 years ago
Closed 9 years ago
Potential use of uninitialized class member js::frontend::FunctionBox::startLine in template <> bool Parser<SyntaxParseHandler>::finishFunctionDefinition(Node, FunctionBox* ,Node, Node)
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla44
Tracking | Status | |
---|---|---|
firefox44 | --- | fixed |
People
(Reporter: bshas3, Assigned: bhackett1024)
Details
Attachments
(2 files)
1.21 MB,
text/html
|
Details | |
892 bytes,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Steps to reproduce: Clang SA bug report attached. If tokenStream.getToken(&tt) returns false, class member startLine will not be initialized. Actual results: Buggy line: LazyScript::CreateRaw(context, fun, numFreeVariables, numInnerFunctions, versionNumber(), funbox->bufStart, funbox->bufEnd, funbox->startLine, funbox->startColumn) in Function: Parser<SyntaxParseHandler>::finishFunctionDefinition(Node, FunctionBox* , Node , Node) Potential call stack [Innermost call first]: js::frontend::Parser<js::frontend::SyntaxParseHandler>::finishFunctionDefinition(js::frontend::SyntaxParseHandler::Node, js::frontend::FunctionBox*, js::frontend::SyntaxParseHandler::Node, js::frontend::SyntaxParseHandler::Node) js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::SyntaxParseHandler::Node, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind) js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::InHandling, js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<js::PropertyName*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt(js::frontend::YieldHandling) js::frontend::Parser<js::frontend::FullParseHandler>::statement(js::frontend::YieldHandling, bool) js::frontend::Parser<js::frontend::FullParseHandler>::statements(js::frontend::YieldHandling) js::frontend::Parser<js::frontend::FullParseHandler>::parse(JSObject*) Expected results: Initialize startLine earlier, possibly before call to getToken.
Updated•9 years ago
|
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Updated•9 years ago
|
Flags: needinfo?(dveditz)
Updated•9 years ago
|
Group: core-security → javascript-core-security
Comment 2•9 years ago
|
||
Brian, could you look at this? It looks related to lazy parsing. Off-hand I would guess that the line number of a script being random junk wouldn't cause security issues, but I can't tell for sure. Thanks.
Flags: needinfo?(jwalden+bmo) → needinfo?(bhackett1024)
Assignee | ||
Comment 3•9 years ago
|
||
This isn't related to lazy parsing. The FunctionBox constructor initializes all members except startLine and startColumn, and expects setStart to be called on it at some point. I don't know what getToken() call the static analysis is referring to, but if that function returns false then we ran out of memory or hit an illegal token and will be unwinding the stack without trying to do any more work. So I think this is a false positive and even if it were a true positive it should be benign --- the line number and column are I think only used for error reporting. But all in all it's best to just fix the sloppiness in FunctionBox's constructor, as this patch does.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8663321 -
Flags: review?(jorendorff)
Updated•9 years ago
|
Group: javascript-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•9 years ago
|
||
Comment on attachment 8663321 [details] [diff] [review] initialize members Review of attachment 8663321 [details] [diff] [review]: ----------------------------------------------------------------- Yep, agreed all the way through. Default startLine to 1, though.
Attachment #8663321 -
Flags: review?(jorendorff) → review+
https://hg.mozilla.org/mozilla-central/rev/ae9350460480
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Reporter | ||
Comment 7•9 years ago
|
||
Just curious: Does this bug report get a security rating because of the garbage read?
Comment 8•9 years ago
|
||
(In reply to Bhargava Shastry from comment #7) > Just curious: Does this bug report get a security rating because of the > garbage read? From comment 3, it sounds like that this uninitialized read would only result in a bogus line or column number being reported for some JS code, so it is not a security issue.
Updated•6 years ago
|
Flags: needinfo?(dveditz)
You need to log in
before you can comment on or make changes to this bug.
Description
•