Closed Bug 295734 Opened 21 years ago Closed 21 years ago

malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 294195

People

(Reporter: joshk, Unassigned)

References

()

Details

(Keywords: crash, crashreportid)

Crash Data

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2) If the following code is executed on a page, Firefox will crash: function crash2(a) { return a.substring(0, 1); } function crash() { " ".replace(/( )/, crash2("$1")); } Reproducible: Always Steps to Reproduce: 1. Load up the page. 2. Watch FF crash and burn. Actual Results: Segmentation fault. I can produce a coredump if necessary, but it looks like a simple string-handling loophole is involved. Expected Results: Not crashed.
Also crashs Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+ and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 Talkback ID TB6177846E
Status: UNCONFIRMED → NEW
Ever confirmed: true
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+ ID:2005052704 confirmed TB6177883K
Summary: malicious use of javascript 'substring' and 'replace' functions causes segfault → malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]
looks identical to bug 294195 *** This bug has been marked as a duplicate of 294195 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Assignee: nobody → general
QA Contact: general → general
Crash Signature: [@ MSVCRT.DLL ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: