Closed Bug 291213 Opened 19 years ago Closed 19 years ago

crash in args_resolve enumerating |arguments|

Categories

(Core :: JavaScript Engine, defect, P2)

x86
Linux
defect

Tracking


VERIFIED FIXED
mozilla1.8beta2

People

(Reporter: dbaron, Assigned: brendan)

References

Details

(Keywords: js1.5, Whiteboard: [sg:fix])

Attachments

(3 files)

I'm marking this security-sensitive since the testcase is a slight variant of a
testcase for a security bug (bug 290908), and I want to get it filed and don't
have a chance to simplify the testcase to something that doesn't show or point
to security problems (the latter might be hard; I'm not sure).  This bug should
be opened whenever bug 290908 is opened.

The crash is here:

434                     value = fp->argv ? fp->argv[-2]
435                                      : OBJECT_TO_JSVAL(fp->fun->object);
(gdb) p fp->argv
$4 = (jsval *) 0x0
(gdb) p fp->fun
$5 = (JSFunction *) 0x0

with the stack:

#0  0xb7c14e99 in args_resolve (cx=0x85cd628, obj=0x86a46a8, id=135412592, flags=4, objp=0xbfffcf48) at /builds/trunk/mozilla/js/src/jsfun.c:434
#1  0xb7c38e7e in js_LookupPropertyWithFlags (cx=0x85cd628, obj=0x86a46a8, id=135412592, flags=4, objp=0xbfffcfd4, propp=0xbfffcfd8) at /builds/trunk/mozilla/js/src/jsobj.c:2521
#2  0xb7c393ac in js_LookupProperty (cx=0x85cd628, obj=0x86a46a8, id=135412592, objp=0xbfffcfd4, propp=0xbfffcfd8) at /builds/trunk/mozilla/js/src/jsobj.c:2426
#3  0xb7c14f4c in args_enumerate (cx=0x85cd628, obj=0x86a46a8) at /builds/trunk/mozilla/js/src/jsfun.c:487
#4  0xb7c3c7d7 in js_Enumerate (cx=0x85cd628, obj=0x86a46a8, enum_op=JSENUMERATE_INIT, statep=0xbfffd268, idp=0x0) at /builds/trunk/mozilla/js/src/jsobj.c:3275
#5  0xb7c29764 in js_Interpret (cx=0x85cd628, pc=0x86cebaa "h", result=0xbfffd350) at /builds/trunk/mozilla/js/src/jsinterp.c:2399
#6  0xb7c2e7dd in js_Execute (cx=0x85cd628, chain=0x85b13a8, script=0x86ceb68, down=0xbfffd7d0, flags=0, result=0x0) at /builds/trunk/mozilla/js/src/jsinterp.c:1550
#7  0xb7c59ec0 in script_exec (cx=0x85cd628, obj=0x86a4168, argc=0, argv=0xbfffd7d0, rval=0xbfffd480) at /builds/trunk/mozilla/js/src/jsscript.c:308
Whiteboard: [sg:fix] keep confidential until 290908 opened
Assignee: general → brendan
Keywords: js1.5
Status: NEW → ASSIGNED
Flags: blocking1.8b2+
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta2
This fixes this bug, and bug 293839.

/be
Attachment #183337 - Flags: review?(shaver)
Attachment #183337 - Flags: approval1.8b2+
*** Bug 293839 has been marked as a duplicate of this bug. ***
Comment on attachment 183337 [details] [diff] [review]
trunk patch to fix this bug

r=shaver
Attachment #183337 - Flags: review?(shaver) → review+
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Group: security
Flags: testcase?
Whiteboard: [sg:fix] keep confidential until 290908 opened → [sg:fix]
Checking in regress-291213.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-291213.js,v  <--  regress-291213.js
initial revision: 1.1
Flags: testcase? → testcase+
verified fixed 1.9 20060818
Status: RESOLVED → VERIFIED