Bug 1412989
Opened 7 years ago
Closed 7 years ago
UBSan: runtime error: index 94 out of bounds for type 'UDataOffsetTOCEntry const[2]' [@ offsetTOCLookupFn]
Categories
(Core :: JavaScript: Internationalization API, defect, P5)
Status: RESOLVED WONTFIX

Branch | Tracking | Status
---|---|---
firefox58 | --- | affected
People
(Reporter: tsmith, Unassigned)
Details
(Keywords: crash, csectype-bounds, csectype-undefined)
This is triggered on startup when building the browser with "-fsanitize=bounds". Perhaps this is a live instance of this issue: https://crash-stats.mozilla.com/report/index/91ee8818-656e-4bb2-ad15-48a0f0171025

/mozilla-central/intl/icu/source/common/ucmndata.cpp:242:56: runtime error: index 94 out of bounds for type 'UDataOffsetTOCEntry const[2]'
    #0 0x7f38e2365136 in offsetTOCLookupFn(UDataMemory const*, char const*, int*, UErrorCode*) /mozilla-central/intl/icu/source/common/ucmndata.cpp:242:56
    #1 0x7f38e23d69be in doLoadFromCommonData(signed char, char const*, char const*, char const*, char const*, char const*, char const*, char const*, signed char (*)(void*, char const*, char const*, UDataInfo const*), void*, UErrorCode*, UErrorCode*) /mozilla-central/intl/icu/source/common/udata.cpp:1056:21
    #2 0x7f38e23d544f in doOpenChoice(char const*, char const*, char const*, signed char (*)(void*, char const*, char const*, UDataInfo const*), void*, UErrorCode*) /mozilla-central/intl/icu/source/common/udata.cpp:1326:18
    #3 0x7f38e2383cb0 in initAliasData(UErrorCode&) /mozilla-central/intl/icu/source/common/ucnv_io.cpp:242:12
    #4 0x7f38e2381f3f in umtx_initOnce /mozilla-central/intl/icu/source/common/umutex.h:267:9
    #5 0x7f38e2381f3f in haveAliasData /mozilla-central/intl/icu/source/common/ucnv_io.cpp:314
    #6 0x7f38e2381f3f in ucnv_io_countKnownConverters_59 /mozilla-central/intl/icu/source/common/ucnv_io.cpp:1089
    #7 0x7f38e23e27db in initData /mozilla-central/intl/icu/source/common/uinit.cpp:57:5
    #8 0x7f38e23e27db in umtx_initOnce /mozilla-central/intl/icu/source/common/umutex.h:267
    #9 0x7f38e23e27db in u_init_59 /mozilla-central/intl/icu/source/common/uinit.cpp:72
    #10 0x7f38f1182ae3 in JS::detail::InitWithFailureDiagnostic(bool) /mozilla-central/js/src/vm/Initialization.cpp:123:5
    #11 0x7f38e1eb5bfa in JS_InitWithFailureDiagnostic /mozilla-central/objdir-ff-ubsan/dist/include/js/Initialization.h:85:12
    #12 0x7f38e1eb5bfa in NS_InitXPCOM2 /mozilla-central/xpcom/build/XPCOMInit.cpp:676
    #13 0x7f38efcb2f9a in ScopedXPCOMStartup::Initialize() /mozilla-central/toolkit/xre/nsAppRunner.cpp:1573:8
    #14 0x7f38efcc72bc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4844:22
    #15 0x7f38efcc8a33 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4943:21
    #16 0x516db8 in do_main /mozilla-central/browser/app/nsBrowserApp.cpp:231:22
    #17 0x516db8 in main /mozilla-central/browser/app/nsBrowserApp.cpp:304
    #18 0x7f3907dd11c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #19 0x41f549 in _start (/mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x41f549)
Updated•7 years ago (Reporter)
Group: javascript-core-security

Comment 1•7 years ago (Reporter)
Marking s-s for now although I'm not sure how exploitable it is.
Comment 2•7 years ago
This falls in the category "technically undefined behavior, but C programs do it all the time anyway": variable-size data, fixed array size in the struct type declaration.
http://searchfox.org/mozilla-central/source/intl/icu/source/common/ucmndata.h#55
File it upstream if anyone's worried; the same code is in ICU trunk.
Group: javascript-core-security
Priority: -- → P5
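The pattern Comment 2 describes, as an added example that is not ICU's code and not part of this bug: an illustrative table of contents whose struct declares entry[2] while the blob it is laid over carries more entries, the same lookup through a C99 flexible array member, and a size check that separates the sanitizer's "formally out of bounds" from a real out-of-bounds read. The struct layout, the function names and the sample blob are all constructed here and are assumptions. Built with clang's -fsanitize=bounds (GCC needs -fsanitize=bounds-strict, since by default it treats any trailing array as flexible-array-like), toc_lookup_fixed on a blob with more than two entries produces a report of the same shape as the one in the description, while toc_lookup_flex over the same bytes stays quiet.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative layout only (not ICU's ucmndata.h): a count, then 'count'
 * entries, then the NUL-terminated names, all in one blob. */
typedef struct {
    uint32_t nameOffset;   /* offset of the entry's name within the blob */
    uint32_t dataOffset;   /* offset of its payload (opaque here) */
} TocEntry;

/* The pattern from Comment 2: the type says entry[2], the blob carries
 * count entries, so entry[i] with i >= 2 is what -fsanitize=bounds reports
 * even though the bytes really are there. */
typedef struct {
    uint32_t count;
    TocEntry entry[2];
} TocFixed;

/* C99 flexible array member: same memory layout, but indexing up to the
 * size of the backing allocation is well defined, so UBSan stays quiet. */
typedef struct {
    uint32_t count;
    TocEntry entry[];
} TocFlex;

/* Constructed sample data: build a blob from names given in sorted order.
 * Returns malloc'd memory the caller frees, or NULL on failure. */
static uint8_t *build_toc(const char *const *names, uint32_t n, size_t *size_out)
{
    size_t names_bytes = 0;
    for (uint32_t i = 0; i < n; i++)
        names_bytes += strlen(names[i]) + 1;
    size_t size = sizeof(uint32_t) + (size_t)n * sizeof(TocEntry) + names_bytes;
    uint8_t *blob = calloc(1, size);
    if (blob == NULL)
        return NULL;
    memcpy(blob, &n, sizeof n);   /* byte-wise stores: no aliasing games */
    uint32_t off = (uint32_t)(sizeof(uint32_t) + (size_t)n * sizeof(TocEntry));
    for (uint32_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]) + 1;
        TocEntry e = { off, 1000 + i };   /* arbitrary payload offset */
        memcpy(blob + sizeof(uint32_t) + (size_t)i * sizeof(TocEntry), &e, sizeof e);
        memcpy(blob + off, names[i], len);
        off += (uint32_t)len;
    }
    *size_out = size;
    return blob;
}

/* The bound that actually matters for memory safety: every entry and every
 * name must lie inside the blob. Returns 1 if the blob is consistent. */
static int toc_validate(const uint8_t *blob, size_t size)
{
    if (size < sizeof(uint32_t))
        return 0;
    const TocFlex *toc = (const TocFlex *)blob;
    if (toc->count > (size - sizeof(uint32_t)) / sizeof(TocEntry))
        return 0;   /* entry array would run past the end of the blob */
    size_t entries_end = sizeof(uint32_t) + (size_t)toc->count * sizeof(TocEntry);
    for (uint32_t i = 0; i < toc->count; i++) {
        size_t off = toc->entry[i].nameOffset;
        if (off < entries_end || off >= size)
            return 0;   /* name points outside the blob or into the entries */
        if (memchr(blob + off, '\0', size - off) == NULL)
            return 0;   /* name is not NUL-terminated inside the blob */
    }
    return 1;
}

/* Binary search by name through the entry[2] declaration. Works on every
 * mainstream compiler, but entry[mid] with mid >= 2 is formally out of
 * bounds and is what a UBSan build reports. Returns dataOffset or -1. */
static long toc_lookup_fixed(const uint8_t *blob, const char *name)
{
    const TocFixed *toc = (const TocFixed *)blob;
    uint32_t lo = 0, hi = toc->count;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo) / 2;
        int cmp = strcmp(name, (const char *)blob + toc->entry[mid].nameOffset);
        if (cmp == 0) return toc->entry[mid].dataOffset;
        if (cmp < 0) hi = mid; else lo = mid + 1;
    }
    return -1;
}

/* The same search over the same bytes through the flexible-array view. */
static long toc_lookup_flex(const uint8_t *blob, const char *name)
{
    const TocFlex *toc = (const TocFlex *)blob;
    uint32_t lo = 0, hi = toc->count;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo) / 2;
        int cmp = strcmp(name, (const char *)blob + toc->entry[mid].nameOffset);
        if (cmp == 0) return toc->entry[mid].dataOffset;
        if (cmp < 0) hi = mid; else lo = mid + 1;
    }
    return -1;
}
```

The two lookups compile to the same code; only the declared element count differs, which is all the bounds sanitizer sees. What keeps either one memory-safe is toc_validate (or, for ICU, the fact that the data file was sized to match its own header), not the array bound in the type, which is why an ICU-style fix is a type change rather than a lookup change.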
Comment 3•7 years ago
-> WONTFIX, feel free to reopen.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX