Closed
Bug 1831232
Opened 1 year ago
Closed 1 year ago
AddressSanitizer: heap-buffer-overflow [@JSRope::flatten] or Assertion failure: pos == wholeChars + wholeLength, at vm/StringType.cpp:867
Categories
(Core :: JavaScript: GC, defect)
RESOLVED
DUPLICATE
of bug 1830921
Release | Tracking | Status |
---|---|---|
firefox-esr102 | --- | unaffected |
firefox112 | --- | unaffected |
firefox113 | --- | unaffected |
firefox114 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Blocks 1 open bug, Regression)
gczeal(4);
x = [0, 0, 0, 0, 0];
for (let i = 0; i < 5; ++i) {
  for (let j = 0; j < x[i]; ++j) {}
}
gczeal(0);
let y = [];
for (let k = 0; k < 9999; ++k) {
  try {
    throw z;
  } catch (e) {
    y.push("" + e);
  }
}
print(y);
=================================================================
==31413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000095ac0 at pc 0x5590b371b053 bp 0x7fff968486c0 sp 0x7fff968486b8
WRITE of size 8 at 0x603000095ac0 thread T0
#0 0x5590b371b052 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/mozilla/PodOperations.h:88:3
#1 0x5590b371b052 in void mozilla::PodCopy<unsigned char>(unsigned char*, unsigned char const*, unsigned long) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/mozilla/PodOperations.h:106:7
#2 0x5590b371b052 in void js::CopyChars<unsigned char>(unsigned char*, JSLinearString const&) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:584:5
#3 0x5590b37427d2 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSRope*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:819:3
#4 0x5590b371b341 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0>() /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:676:10
#5 0x5590b371b341 in JSRope::flattenInternal() /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:667:10
#6 0x5590b371b341 in JSRope::flatten(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:654:25
#7 0x5590b30ae905 in JSString::ensureLinear(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.h:1747:46
#8 0x5590b30ae905 in js::StringBuffer::append(JSString*) /home/skygentoo/trees/mozilla-central/js/src/util/StringBuffer.h:479:33
#9 0x5590b30ae905 in bool ArrayJoinDenseKernel<js::array_join(JSContext*, unsigned int, JS::Value*)::$_1>(JSContext*, js::array_join(JSContext*, unsigned int, JS::Value*)::$_1, JS::Handle<js::NativeObject*>, unsigned long, js::StringBuffer&, unsigned int*) /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1167:15
#10 0x5590b30ae905 in bool ArrayJoinKernel<js::array_join(JSContext*, unsigned int, JS::Value*)::$_1>(JSContext*, js::array_join(JSContext*, unsigned int, JS::Value*)::$_1, JS::Handle<JSObject*>, unsigned long, js::StringBuffer&) /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1214:10
#11 0x5590b30ad6be in js::array_join(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1350:12
#12 0x5590b300f3e7 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:486:13
#13 0x5590b300f3e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:580:12
#14 0x5590b302ed5a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647:10
#15 0x5590b302ed5a in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:652:10
#16 0x5590b302ed5a in js::Interpret(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:3395:16
#17 0x5590b300dfd5 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:400:10
#18 0x5590b300dfd5 in js::RunScript(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:458:13
#19 0x5590b300f54e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:612:13
#20 0x5590b3011220 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647:10
#21 0x5590b3011220 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:679:8
#22 0x5590b342907c in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.h:109:10
#23 0x5590b342907c in MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2291:10
#24 0x5590b3427597 in JS::OrdinaryToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2356:12
#25 0x5590b3429f1d in js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2452:10
#26 0x5590b3739c8d in js::ToPrimitive(JSContext*, JSType, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.h:750:10
#27 0x5590b3739c8d in JSString* js::ToStringSlow<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:2213:10
#28 0x5590b2d69228 in JS::ToString(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/js/Conversions.h:262:10
#29 0x5590b2d69228 in PrintInternal(JSContext*, JS::CallArgs const&, js::shell::RCFile*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:2953:26
#30 0x5590b2d68edd in Print(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:2982:10
#31 0x5590b300f3e7 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:486:13
#32 0x5590b300f3e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:580:12
#33 0x5590b456db22 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1591:10
#34 0x39c8b3877e6b (<unknown module>)
0x603000095ac0 is located 0 bytes after 32-byte region [0x603000095aa0,0x603000095ac0)
allocated by thread T0 here:
#0 0x5590b2cde78e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x5590b37425d0 in js_arena_malloc(unsigned long, unsigned long) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/js/Utility.h:366:10
#2 0x5590b37425d0 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/js/Utility.h:576:26
#3 0x5590b37425d0 in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/skygentoo/trees/mozilla-central/js/src/vm/MallocProvider.h:57:12
#4 0x5590b37425d0 in unsigned char* js::MallocProvider<JS::Zone>::pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/skygentoo/trees/mozilla-central/js/src/vm/MallocProvider.h:109:12
#5 0x5590b37425d0 in bool AllocChars<unsigned char>(JSString*, unsigned long, unsigned char**, unsigned long*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:449:20
#6 0x5590b37425d0 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSRope*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:766:10
#7 0x5590b371b341 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0>() /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:676:10
#8 0x5590b371b341 in JSRope::flattenInternal() /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:667:10
#9 0x5590b371b341 in JSRope::flatten(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:654:25
#10 0x5590b30ae905 in JSString::ensureLinear(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.h:1747:46
#11 0x5590b30ae905 in js::StringBuffer::append(JSString*) /home/skygentoo/trees/mozilla-central/js/src/util/StringBuffer.h:479:33
#12 0x5590b30ae905 in bool ArrayJoinDenseKernel<js::array_join(JSContext*, unsigned int, JS::Value*)::$_1>(JSContext*, js::array_join(JSContext*, unsigned int, JS::Value*)::$_1, JS::Handle<js::NativeObject*>, unsigned long, js::StringBuffer&, unsigned int*) /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1167:15
#13 0x5590b30ae905 in bool ArrayJoinKernel<js::array_join(JSContext*, unsigned int, JS::Value*)::$_1>(JSContext*, js::array_join(JSContext*, unsigned int, JS::Value*)::$_1, JS::Handle<JSObject*>, unsigned long, js::StringBuffer&) /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1214:10
#14 0x5590b30ad6be in js::array_join(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1350:12
#15 0x5590b300f3e7 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:486:13
#16 0x5590b300f3e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:580:12
#17 0x5590b302ed5a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647:10
#18 0x5590b302ed5a in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:652:10
#19 0x5590b302ed5a in js::Interpret(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:3395:16
#20 0x5590b300dfd5 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:400:10
#21 0x5590b300dfd5 in js::RunScript(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:458:13
#22 0x5590b300f54e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:612:13
#23 0x5590b3011220 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647:10
#24 0x5590b3011220 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:679:8
#25 0x5590b342907c in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.h:109:10
#26 0x5590b342907c in MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2291:10
#27 0x5590b3427597 in JS::OrdinaryToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2356:12
#28 0x5590b3429f1d in js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2452:10
#29 0x5590b3739c8d in js::ToPrimitive(JSContext*, JSType, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.h:750:10
#30 0x5590b3739c8d in JSString* js::ToStringSlow<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType) /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:2213:10
#31 0x5590b2d69228 in JS::ToString(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/js/Conversions.h:262:10
#32 0x5590b2d69228 in PrintInternal(JSContext*, JS::CallArgs const&, js::shell::RCFile*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:2953:26
#33 0x5590b2d68edd in Print(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:2982:10
#34 0x5590b300f3e7 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:486:13
#35 0x5590b300f3e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:580:12
#36 0x5590b456db22 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1591:10
#37 0x39c8b3877e6b (<unknown module>)
#38 0x39c8b387d845 (<unknown module>)
#39 0x39c8b38860d4 (<unknown module>)
#40 0x39c8b38754ed (<unknown module>)
#41 0x5590b45868bd in EnterBaseline(JSContext*, EnterJitData&) /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineJIT.cpp:143:5
#42 0x5590b45868bd in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineJIT.cpp:199:26
#43 0x5590b3036453 in js::Interpret(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:2252:17
#44 0x5590b300dfd5 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:400:10
#45 0x5590b300dfd5 in js::RunScript(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:458:13
#46 0x5590b3014033 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:845:13
#47 0x5590b3014033 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:877:10
#48 0x5590b3277d65 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:472:10
#49 0x5590b327815b in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:496:10
#50 0x5590b2dba929 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1098:10
#51 0x5590b2db9c7b in Process(JSContext*, char const*, bool, FileKind) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-f99ee8082b68/objdir-js/dist/include/mozilla/PodOperations.h:88:3 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*)
Shadow bytes around the buggy address:
==31413==ABORTING
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3d30e9fc410e
user: Jon Coppeard
date: Thu Apr 27 10:46:07 2023 +0000
summary: Bug 1829896 - Part 3: Simplify nursery allocation conditions by using a single flag for each thing kind r=sfink
Run with --fuzzing-safe --no-threads, compile with AR=ar sh ./configure --enable-debug --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev f99ee8082b68.
Not sure if this is s-s, I'd leave it to Jon/Steve.
Flags: sec-bounty?
Flags: needinfo?(jcoppeard)
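The key lines of the AddressSanitizer report above, parsed for triage. This is an added example, not part of the original report or of Mozilla's tooling; the function names `summarize` and `physical_frames` are hypothetical, and the excerpt has its source paths shortened to file:line:col.

```python
import re

# Excerpt of the report above; source paths shortened to file:line:col.
REPORT = """\
==31413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000095ac0 at pc 0x5590b371b053 bp 0x7fff968486c0 sp 0x7fff968486b8
WRITE of size 8 at 0x603000095ac0 thread T0
#0 0x5590b371b052 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*) PodOperations.h:88:3
#1 0x5590b371b052 in void mozilla::PodCopy<unsigned char>(unsigned char*, unsigned char const*, unsigned long) PodOperations.h:106:7
#2 0x5590b371b052 in void js::CopyChars<unsigned char>(unsigned char*, JSLinearString const&) StringType.cpp:584:5
#3 0x5590b37427d2 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSRope*) StringType.cpp:819:3
#4 0x5590b371b341 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0>() StringType.cpp:676:10
#5 0x5590b371b341 in JSRope::flattenInternal() StringType.cpp:667:10
#6 0x5590b371b341 in JSRope::flatten(JSContext*) StringType.cpp:654:25
0x603000095ac0 is located 0 bytes after 32-byte region [0x603000095aa0,0x603000095ac0)
"""

HEADER = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
# Newer ASan prints "after"/"before"; older builds print "to the right/left of".
REGION = re.compile(
    r"is located (\d+) bytes (after|before|inside of|to the right of|to the left of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (.+) (\S+:\d+(?::\d+)?)$", re.M)


def summarize(report):
    """Return the facts a triager needs from an ASan heap-overflow header."""
    kind, _ = HEADER.search(report).groups()
    access, size, addr = ACCESS.search(report).groups()
    dist, where, rsize, start, end = REGION.search(report).groups()
    size, addr, start, end = int(size), int(addr, 16), int(start, 16), int(end, 16)
    # Bytes of the access that still fall inside the allocation [start, end).
    inside = max(0, min(addr + size, end) - max(addr, start))
    return {"kind": kind, "access": access, "size": size,
            "region_size": int(rsize), "relation": f"{dist} bytes {where}",
            "bytes_out_of_bounds": size - inside}


def physical_frames(report):
    """Collapse inlined frames: consecutive frames that share a pc belong to
    one machine function, and the last frame of the run is that function."""
    frames = FRAME.findall(report)
    out = []
    for i, (_, pc, func, loc) in enumerate(frames):
        if i + 1 == len(frames) or frames[i + 1][1] != pc:
            out.append((func, loc))
    return out


if __name__ == "__main__":
    print(summarize(REPORT))
    for func, loc in physical_frames(REPORT):
        print(loc, func)
```

The 8-byte write starts exactly at the end of the 32-byte allocation, so all 8 bytes land outside it, and the seven symbolized frames collapse to three machine functions.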
Comment 1•1 year ago
Comment 2•1 year ago
Set release status flags based on info from the regressing bug 1829896
status-firefox112:
--- → unaffected
status-firefox113:
--- → unaffected
status-firefox-esr102:
--- → unaffected
Comment 3•1 year ago
I haven't had a chance to look into this yet but it could well be the same issue as bug 1830921.
Updated•1 year ago
Group: core-security → javascript-core-security
Comment 4•1 year ago
Thanks for the reduced testcase.
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1830921
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Comment 5•1 year ago
The duplicate bug was filed outside the 4-day trunk bounty-exclusion range, and this bug falls within the duplicate window and so is eligible for a split bounty. The severity of this bug is unclear in practice, unfortunately.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate
Updated•1 year ago
Group: javascript-core-security
Updated•6 months ago
Blocks: gkw-js-fuzzing
Updated•4 months ago
Keywords: reporter-external