Closed
Bug 1919707
Opened 10 months ago
Closed 10 months ago
Off-by-one errors in src/shell/js.cpp
Categories
(Core :: JavaScript Engine, defect, P3)
RESOLVED
FIXED
132 Branch
Tracking | Status | |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox-esr128 | --- | unaffected |
firefox130 | --- | unaffected |
firefox131 | --- | wontfix |
firefox132 | --- | fixed |
People
(Reporter: jseward, Assigned: jseward)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
Running the shell with MOZ_LOG=wasmCodeMetaStats:3 (as introduced by bug 1911071) produces valgrind output:

    Invalid read of size 1
       at 0x4C3B7B7: strstr (vg_replace_strmem.c:1814)
       by 0x212497B: ParseLoggerOptions() (src/shell/js.cpp:428)
       by 0x2127AFC: main (src/shell/js.cpp:12115)
     Address 0x51fd176 is 0 bytes after a block of size 22 alloc'd
       at 0x4C34EC8: calloc (vg_replace_malloc.c:1675)
       by 0x2124910: ParseLoggerOptions() (src/shell/js.cpp:425)
       by 0x2127AFC: main (src/shell/js.cpp:12115)

    Invalid read of size 1
       at 0x4C3B7D0: strstr (vg_replace_strmem.c:1814)
       by 0x212497B: ParseLoggerOptions() (src/shell/js.cpp:428)
       by 0x2127AFC: main (src/shell/js.cpp:12115)
     Address 0x51fd113 is 0 bytes after a block of size 19 alloc'd
       at 0x4C34EC8: calloc (vg_replace_malloc.c:1675)
       by 0x2124809: ParseLoggerOptions() (src/shell/js.cpp:412)
       by 0x2127AFC: main (src/shell/js.cpp:12115)

    Invalid read of size 1
       at 0x5019593: ____strtol_l_internal (strtol_l.c:449)
       by 0x500CDE3: atoi (atoi.c:27)
       by 0x21249DE: ParseLoggerOptions() (src/shell/js.cpp:436)
       by 0x2127AFC: main (src/shell/js.cpp:12115)
     Address 0x51fd113 is 0 bytes after a block of size 19 alloc'd
       at 0x4C34EC8: calloc (vg_replace_malloc.c:1675)
       by 0x2124809: ParseLoggerOptions() (src/shell/js.cpp:412)
       by 0x2127AFC: main (src/shell/js.cpp:12115)

There are two callocs where the allocated size is strlen(c-style-string), and I think it needs to be strlen(..) + 1.
This is hardly a sec-bug .. please declassify as appropriate.
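The pattern behind the valgrind report, as an added example (not SpiderMonkey's ParseLoggerOptions, and the names dup_span, parse_log_opts and level_of are this example's own): a toy parser for a MOZ_LOG-style string built around the same calloc, strstr and atoi sequence the trace shows. The faulty copy allocates exactly strlen bytes, so no byte holds the terminator and the first str* call walks one byte past the block, which valgrind reports as "Invalid read of size 1 ... 0 bytes after a block". The fixed copy allocates strlen + 1; calloc zero-fills, so the extra byte is already the NUL. The sample MOZ_LOG string is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SpiderMonkey code: a toy parser for a MOZ_LOG-style
 * string such as "wasmCodeMetaStats:3,jsdebug:5", using the calloc / strstr /
 * atoi sequence from the valgrind trace so the off-by-one sits next to its fix. */

#define MAX_NAME 64

typedef struct {
    char name[MAX_NAME];
    int level;
} LogOpt;

/* The faulty pattern: allocate exactly n bytes for an n-character token.
 * Nothing holds the terminator, so a later strstr()/atoi() reads one byte
 * past the block: "Invalid read of size 1 ... 0 bytes after a block of size n". */
static char *dup_span_buggy(const char *src, size_t n) {
    char *dst = calloc(n, 1);            /* BUG: should be n + 1 */
    if (dst) memcpy(dst, src, n);
    return dst;                          /* not NUL-terminated */
}

/* The fix: allocate n + 1. calloc zero-fills, so byte n is already '\0'. */
static char *dup_span(const char *src, size_t n) {
    char *dst = calloc(n + 1, 1);
    if (dst) memcpy(dst, src, n);
    return dst;
}

/* Bounded check that a buffer of cap bytes really contains a C string.
 * memchr never reads past cap, so this is safe to call on the buggy copy. */
static int is_terminated(const char *buf, size_t cap) {
    return buf != NULL && memchr(buf, '\0', cap) != NULL;
}

/* Copy s with either path and report whether the result is a valid C string
 * within its own allocation: 0 for the buggy copy, 1 for the fixed one. */
static int copy_terminated(const char *s, int fixed) {
    size_t n = strlen(s);
    char *copy = fixed ? dup_span(s, n) : dup_span_buggy(s, n);
    int ok = is_terminated(copy, fixed ? n + 1 : n);
    free(copy);
    return ok;
}

/* Parse "name:level[,name:level...]" into out[]; returns the number parsed.
 * A token without ":level" gets level 0 (an assumption of this toy parser). */
static int parse_log_opts(const char *spec, LogOpt *out, int max) {
    int count = 0;
    const char *p = spec;
    while (*p != '\0' && count < max) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char *tok = dup_span(p, len);    /* strlen + 1: strstr/atoi stay in bounds */
        if (tok == NULL) break;
        char *colon = strstr(tok, ":");
        size_t name_len = colon ? (size_t)(colon - tok) : len;
        if (name_len >= MAX_NAME) name_len = MAX_NAME - 1;
        memcpy(out[count].name, tok, name_len);
        out[count].name[name_len] = '\0';
        out[count].level = colon ? atoi(colon + 1) : 0;
        free(tok);
        count++;
        p = end ? end + 1 : p + len;
    }
    return count;
}

/* Convenience: the level configured for a module name, or -1 if absent. */
static int level_of(const char *spec, const char *name) {
    LogOpt opts[16];
    int n = parse_log_opts(spec, opts, 16);
    for (int i = 0; i < n; i++)
        if (strcmp(opts[i].name, name) == 0) return opts[i].level;
    return -1;
}

int main(void) {
    const char *spec = "wasmCodeMetaStats:3,jsdebug:5";   /* constructed input */
    LogOpt opts[16];
    int n = parse_log_opts(spec, opts, 16);
    for (int i = 0; i < n; i++)
        printf("%s -> %d\n", opts[i].name, opts[i].level);
    printf("buggy copy terminated: %d, fixed copy terminated: %d\n",
           copy_terminated("wasmCodeMetaStats", 0),
           copy_terminated("wasmCodeMetaStats", 1));
    return 0;
}
```

copy_terminated() only ever inspects the bytes it allocated, so it demonstrates the missing terminator without itself reading out of bounds; swapping dup_span for dup_span_buggy inside parse_log_opts and running the binary under valgrind or ASan reproduces the "0 bytes after a block" reads from strstr and atoi.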
Comment 1 • 10 months ago
Set release status flags based on info from the regressing bug 1904429
:mgaudet, since you are the author of the regressor, bug 1904429, could you take a look?
For more information, please visit BugBot documentation.
status-firefox130:
--- → unaffected
status-firefox131:
--- → affected
status-firefox132:
--- → affected
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
Flags: needinfo?(mgaudet)
Comment 2 • 10 months ago (Assignee)
This patch fixes a couple of off-by-one errors in the parsing of
MOZ_LOG strings in the JS shell.
Updated • 10 months ago
Assignee: nobody → jseward
Status: NEW → ASSIGNED
Comment 3 • 10 months ago
This is not a sec bug (shell only, requires environment variable)... trying to declassify and failing, though.
Blocks: sm-js-log
Flags: needinfo?(mgaudet)
Updated • 10 months ago
Group: core-security
Comment 4 • 10 months ago
Thanks Ryan!
Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2a3a646662b6
Off-by-one errors in src/shell/js.cpp. r=mgaudet.
Comment 6 • 10 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
Updated • 10 months ago