Closed Bug 1476409 Opened 6 years ago Closed 6 years ago

Fix a case where we could accidentally overrun by one source text currently being tokenized

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: Waldo, Assigned: Waldo)

References

Details

Attachments

(1 file)

Patch
4.52 KB, patch
arai
: review+
Details | Diff | Splinter Review 
This is not a security concern, just an assertion failure.

Immediately after the bad line we proceed to call |getCodeUnit()| which has a bounds-check that was conservatively written as |ptr >= limit_| and will cause that call to return EOF, so we'll stop just fine.

The single-code-unit overread is of course not good, but it too shouldn't cause issues -- except maybe extraordinarily rarely.  We can trigger the assertion above *only* if the next code unit is '\n', which can be guaranteed using a two-byte dependent string, but then we're reading from known valid memory.  Otherwise the only way to hit it is if it *happens* the script text gets allocated by the embedder such that the next code unit after it is in unallocated memory -- but then either you read something not-'\n' and don't overrun, or you read '\n' and fall into safe code as noted above.  Or the memory is totally unallocated and you safely pagefault.

This test at least will detect the assertion in the dependent-string case.  Short of a shell helper to set up memory *just so* to trigger the next-code-unit-is-unallocated case, this is the most a testcase can do.  And that's either good enough, or overkill anyway.
Attached patch PatchSplinter Review 

        Attachment #8992755 -
        Flags: review?(arai.unmht)

        Attachment #8992755 -
        Flags: review?(arai.unmht) → review+

    
    

    
  
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0e23f233f5cf
Fix a case where during tokenization we could overread source text by one code unit -- but safely, due to conservatively-written subsequent code.  r=arai

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/0e23f233f5cf
Status: ASSIGNED → RESOLVED
Closed: 6 years ago

          status-firefox63:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: