Bug 1546300 - Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at dist/include/mozilla/Casting.h:208
Opened 5 years ago, closed 5 years ago
Status: RESOLVED FIXED, target milestone mozilla68
Categories: Core :: JavaScript Engine, defect, P1

Tracking flag | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox67 | --- | unaffected
firefox68 | --- | fixed

People: Reporter: decoder, Assigned: Waldo
References: Regression
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision b783cd5203ea (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):
let data = new Uint8Array([
  // first 8-byte pair: data word "hale" = 0x656c6168 (1701601640, the aFrom
  // seen in frame #0 of the backtrace), tag word 0xffff0006 (a RegExp record)
  104,97,108,101,6,0,255,255,95,98,
  0,0,0,0,0,104,97,108,101,9,0,255,
  255,95,98,115,0,0,0,0,0,0,65,0,0,
  0,0,0,0,0,0,0,0,0,0,0,0,0
]);
// serialize() and deserialize() are js shell testing functions; the buffer
// produced by serialize() is swapped for the raw bytes above before reading back.
let cloneBuffer = serialize(null);
cloneBuffer.clonebuffer = data.buffer;
deserialize(cloneBuffer);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 mozilla::AssertedCast<unsigned char, unsigned int> (aFrom=1701601640) at dist/include/mozilla/Casting.h:208
#1 JSStructuredCloneReader::startRead (this=this@entry=0x7fffffffc430, vp=...) at js/src/vm/StructuredClone.cpp:2465
#2 0x0000555555d20497 in JSStructuredCloneReader::read (this=this@entry=0x7fffffffc430, vp=vp@entry=...) at js/src/vm/StructuredClone.cpp:2906
#3 0x0000555555d20c33 in ReadStructuredClone (cx=<optimized out>, data=..., scope=scope@entry=JS::StructuredCloneScope::DifferentProcess, vp=..., cb=cb@entry=0x0, cbClosure=cbClosure@entry=0x0) at js/src/vm/StructuredClone.cpp:644
#4 0x0000555555d20d27 in JS_ReadStructuredClone (cx=<optimized out>, buf=..., version=version@entry=8, scope=scope@entry=JS::StructuredCloneScope::DifferentProcess, vp=..., vp@entry=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=0x0) at js/src/vm/StructuredClone.cpp:3034
#5 0x0000555555c72d68 in Deserialize (cx=<optimized out>, cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:3222
#6 0x00005555558ef719 in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555c729b0 <Deserialize(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
Looking at the code, it seems that we are casting a uint32_t to uint8_t but we assert that the value was in range before (which it was not). I don't see how this could cause any security issues just from a first glance over the following code and it might be that we don't want to assert on this but instead just truncate the value.
Updated 5 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1 (5 years ago)
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6f8d311064d9
user: Jeff Walden
date: Tue Apr 02 02:07:50 2019 +0000
summary: Bug 1539690 - Make a JS::RegExpFlag public API for flag bits, and make a JS::RegExpFlags flag-set abstraction. r=sfink
This iteration took 519.609 seconds to run.

Updated 5 years ago (Assignee):
Assignee: nobody → jwalden
Status: NEW → ASSIGNED

Comment 2 (5 years ago, Assignee)

Updated 5 years ago:
Priority: -- → P1
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ee5f7a9341cc
Add a runtime check for structured-clone of RegExp flags not producing an invalid value, rather than merely asserting it. r=tcampbell
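As an added illustration, not code from this bug or from SpiderMonkey, of the pattern the reporter describes and the pushed fix addresses: an assert-only narrowing that silently truncates in release builds, beside a checked read that rejects an out-of-range flags word. The 8 sample bytes are the first pair of the testcase above (data word 0x656c6168 = the aFrom 1701601640 in frame #0, tag word 0xFFFF0006); the flag mask kAllFlags and the function names are assumptions.

```cpp
#include <cstdint>
#include <cstring>

// Constructed sample: the first 8 bytes of the testcase, i.e. one
// little-endian 64-bit structured-clone pair (low 32 bits = data word,
// high 32 bits = tag word).
constexpr uint8_t kTestcasePair[8] = {104, 97, 108, 101, 6, 0, 255, 255};

// Tag word carried by that pair (bytes 6,0,255,255 read little-endian).
constexpr uint32_t kRegExpTag = 0xFFFF0006u;

// Assumed (not SpiderMonkey's actual) set of valid RegExp flag bits: five
// one-bit flags, so any bit outside 0x1F marks an invalid flags word.
constexpr uint32_t kAllFlags = 0x1Fu;

struct Pair {
  uint32_t tag;
  uint32_t data;
};

// Split a pair the way a reader does; assumes a little-endian host.
Pair decodePair(const uint8_t bytes[8]) {
  uint64_t raw;
  std::memcpy(&raw, bytes, sizeof raw);
  return Pair{static_cast<uint32_t>(raw >> 32), static_cast<uint32_t>(raw)};
}

// The defect: an assert-only narrowing. In a debug build the range assertion
// is what fires at Casting.h:208; in a release build the check is compiled
// out and the untrusted word is silently truncated to its low byte.
uint8_t narrowAssertOnly(uint32_t data) {
  // Debug-only assertion deliberately omitted here to model the release build.
  return static_cast<uint8_t>(data);  // 0x656c6168 -> 0x68
}

// The fix pattern: validate at runtime and fail the read on bad input
// instead of trusting the serialized value. Returns false on rejection.
bool readRegExpFlagsChecked(const uint8_t bytes[8], uint8_t* flagsOut) {
  Pair p = decodePair(bytes);
  if (p.tag != kRegExpTag) return false;   // not a RegExp record
  if (p.data & ~kAllFlags) return false;   // invalid flag bits set
  *flagsOut = static_cast<uint8_t>(p.data);
  return true;
}
```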
Comment 4 (5 years ago, bugherder)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Updated 5 years ago:
status-firefox67: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+
Regressed by: 1539690

Updated 2 years ago:
Has Regression Range: --- → yes