Hit MOZ_CRASH(setFromOverlappingTypedArray with a typed array with bogus type) at js/src/vm/TypedArrayObject-inl.h:759
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox127 | --- | disabled
firefox128 | --- | disabled
firefox129 | --- | fixed
People
(Reporter: nils.bars, Assigned: dminor)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, reporter-external)
Attachments
(2 files)
Steps to reproduce:
Check out commit 9fcc11127fbfbdc88cbf37489dac90542e141c77 and invoke the js shell as follows:
js --fuzzing-safe <test-case>
Actual results:
Hit MOZ_CRASH(setFromOverlappingTypedArray with a typed array with bogus type) at js/src/vm/TypedArrayObject-inl.h:759
Comment 1•12 days ago
Reduced test below. We're not handling Float16Array in setFromOverlappingTypedArray.
var ta1 = new Uint8Array(6);              // target view: 6 one-byte elements
var ta2 = new Float16Array(ta1.buffer);   // source view: 3 Float16 elements over the same buffer
ta1.set(ta2);                             // overlapping source/target -> setFromOverlappingTypedArray
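The crash above is in the engine's overlapping-copy path, which has to special-case a source that shares a buffer with the target. As an added example (not code from this bug or from SpiderMonkey), the block below models the ECMAScript requirement that `%TypedArray%.prototype.set` must honour in that case: when source and target view the same ArrayBuffer, the source is cloned before any element is converted and stored, so a store into the target can never alter a source element that has not been read yet. `specSet`, `naiveSet`, `overlapDemo` and `bugShapeDemo` are names chosen here; `bugShapeDemo` falls back from Float16Array to Float32Array on hosts without Float16Array (an assumption made for portability, not something the bug relies on).

```javascript
// Added example, not code from the bug report or from SpiderMonkey.
// Models the overlap rule of SetTypedArrayFromTypedArray: if the buffers
// are the same, clone the source before converting and storing elements.

function specSet(target, source, offset = 0) {
  if (offset < 0 || source.length + offset > target.length) {
    throw new RangeError("source does not fit in target");
  }
  let src = source;
  if (target.buffer === source.buffer) {
    // Same backing store: copy the source elements into a fresh buffer first.
    src = new source.constructor(source);
  }
  for (let i = 0; i < src.length; i++) {
    target[offset + i] = src[i]; // per-element numeric conversion to the target type
  }
  return target;
}

// Deliberately wrong: reads straight from the shared buffer while writing
// into it, so a store into target can clobber an unread source element.
function naiveSet(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) {
    target[offset + i] = source[i];
  }
  return target;
}

// Constructed input: one 8-byte buffer viewed as two 32-bit floats (target)
// and as its first two bytes (source). Writing target[0] rewrites bytes 0..3,
// which include source[1]; only the cloning version preserves it.
function overlapDemo(setFn) {
  const buf = new ArrayBuffer(8);
  const bytes = new Uint8Array(buf);
  bytes[0] = 3;
  bytes[1] = 7;
  const target = new Float32Array(buf);     // 2 elements, bytes 0..7
  const source = new Uint8Array(buf, 0, 2); // [3, 7], bytes 0..1
  return Array.from(setFn(target, source));
}

// Same shape as the reduced test in this bug: a Uint8Array target and a
// Float16Array source over one buffer. Float16Array is used when the host
// provides it; otherwise Float32Array stands in (assumption for portability).
function bugShapeDemo() {
  const Half = typeof Float16Array === "function" ? Float16Array : Float32Array;
  const ta1 = new Uint8Array(8);
  const ta2 = new Half(ta1.buffer);
  ta2[0] = 1.5; // converts to 1 when stored into the Uint8Array target
  return Array.from(specSet(ta1, ta2));
}
```

`overlapDemo(specSet)` yields `[3, 7]` while `overlapDemo(naiveSet)` yields `[3, 0]`, which is exactly the kind of silent corruption the clone step exists to prevent; an engine fast path that dispatches on the source element type has to cover every typed-array kind, including Float16Array, or it cannot reach that clone-and-copy logic at all.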
Comment 2•12 days ago
Set release status flags based on info from the regressing bug 1833647
Comment 3•12 days ago
Is this actually a security issue? It looks like we're hitting a release crash.
Comment 4•12 days ago
I don't think this is a sec issue, unless there are implications outside of the location of the crash. Jan, could we make this a non-sec bug?
Comment 5•12 days ago
Yes this is a safe crash.
Comment 6•12 days ago
Pushed by dminor@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c700d0b5a07c Support Float16Array in setFromOverlappingTypedArray; r=jandem
Comment 8•10 days ago
bugherder
Comment 9•10 days ago
The patch landed in nightly and beta is affected.
:dminor, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox128 to wontfix.
For more information, please visit BugBot documentation.
Comment 10•10 days ago
This was previously off by default on Nightly prior to Firefox 129.