Open Bug 1900525 Opened 11 months ago Updated 5 months ago

Assertion failure: inputSizeChecked.isValid(), at mfbt/Compression.cpp:25

Tracking

()

Status:

NEW

Tracking Flags:

Tracking

Status

firefox-esr115

---

unaffected

firefox126

---

wontfix

firefox127

---

wontfix

firefox128

---

wontfix

firefox129

---

wontfix

People

(Reporter: sm-bugs, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

input_size_checked_01.js 11 months ago Nils Bars 188 bytes, text/plain		Details

Nils Bars

Reporter

Description

•

11 months ago

Attached file input_size_checked_01.js — Details

Steps to reproduce:

Checkout commit d9496bfef09039b2642da45585ca821c36917c6d and invoke the js shell as follows:

./js-spidermonkey-shell --fast-warmup --fuzzing-safe input_size_checked_01.js

Actual results:

Assertion failure: inputSizeChecked.isValid(), at mfbt/Compression.cpp:25

Nils Bars

Reporter

Updated

•

11 months ago

Group: firefox-core-security → core-security

Component: Untriaged → JavaScript Engine

Product: Firefox → Core

Version: Firefox 125 → Trunk

Jan de Mooij [:jandem]

Comment 1

•

11 months ago

This looks like a problem with the compressLZ4 shell function. We probably need to ensure the size doesn't overflow INT32_MAX. Not security-sensitive if it only affects the shell function.

Flags: needinfo?(bvisness)

Keywords: regression

Regressed by: 1856635

Jan de Mooij [:jandem]

Updated

•

11 months ago

Status: UNCONFIRMED → NEW

Ever confirmed: true

BugBot [:suhaib / :marco/ :calixte]

Comment 2

•

11 months ago

Set release status flags based on info from the regressing bug 1856635

status-firefox126: --- → affected

status-firefox127: --- → affected

status-firefox128: --- → affected

status-firefox-esr115: --- → unaffected

Yury Delendik (:yury)

Updated

•

11 months ago

Updated

•

11 months ago

Group: core-security → javascript-core-security

Ryan VanderMeulen [:RyanVM]

Updated

•

11 months ago

status-firefox126: affected → wontfix

status-firefox127: affected → wontfix

Nicolas B. Pierron [:nbp]

Updated

•

11 months ago

Blocks: sm-shell

Severity: -- → S4

Priority: -- → P3

Andrew McCreight [:mccr8]

Updated

•

11 months ago

Attachment #9405436 - Attachment mime type: application/x-javascript → application/text-plain

Andrew McCreight [:mccr8]

Updated

•

11 months ago

Attachment #9405436 - Attachment mime type: application/text-plain → text/plain

Ben Visness [:bvisness]

Comment 3

•

11 months ago

This only affects the JS shell and therefore is not a security issue.

Flags: needinfo?(bvisness)

Jan de Mooij [:jandem]

Updated

•

11 months ago

Group: javascript-core-security

BugBot [:suhaib / :marco/ :calixte]

Comment 4

•

11 months ago

Set release status flags based on info from the regressing bug 1856635

status-firefox129: --- → affected

Liz Henry (:lizzard) (relman/hg->git project)

Updated

•

11 months ago

status-firefox128: affected → wontfix

status-firefox129: affected → fix-optional

Nils Bars

Reporter

Updated

•

10 months ago

Blocks: 1903968

Ryan VanderMeulen [:RyanVM]

Updated

•

5 months ago

status-firefox129: fix-optional → wontfix

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Assertion failure: inputSizeChecked.isValid(), at mfbt/Compression.cpp:25

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

()

People

(Reporter: sm-bugs, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Comment 2

Updated

Updated

Updated

Updated

Updated

Updated

Comment 3

Updated

Comment 4

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type