malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]

RESOLVED DUPLICATE of bug 294195

Status
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 13 years ago
Modified: 7 years ago

People
Reporter: Joshua Kwan
Assignee: Unassigned

Tracking
Version: Trunk
Platform: x86 Linux
Keywords: crash, crashreportid

Attachments: 1 attachment

Description (Reporter, 13 years ago)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

If the following code is executed on a page, Firefox will crash:

    function crash2(a) {
        return a.substring(0, 1);   // "$1".substring(0, 1) is the single character "$"
    }
    function crash() {
        // The replacement argument is therefore a lone "$" with no pattern character
        // after it; calling crash() from the page is what triggers the segfault.
        " ".replace(/( )/, crash2("$1"));
    }

Reproducible: Always

Steps to Reproduce:
1. Load up the page.
2. Watch FF crash and burn.

Actual Results:
Segmentation fault. I can produce a coredump if necessary, but it looks like a
simple string-handling loophole is involved.

Expected Results:  
Not crashed.
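The replacement-template handling this report exercises, as an added example that is not part of the bug report or of Mozilla's code: a small reference implementation of the ECMAScript GetSubstitution rules for a single match, compared against the running engine's own String.prototype.replace on a constructed input. The names getSubstitution, checkReplaceTemplates and TEMPLATES are introduced here; the template list starts with the exact value crash2("$1") produced, the lone character "$".

```javascript
// Reference GetSubstitution for one regex match (example code, not Mozilla's).
// Named-group references such as $<name> are deliberately not handled here.
function getSubstitution(matched, str, position, captures, template) {
  const m = captures.length;
  let out = "";
  for (let i = 0; i < template.length; i++) {
    const c = template[i];
    if (c !== "$" || i + 1 >= template.length) {
      out += c;                      // ordinary char, or a lone trailing "$": literal
      continue;
    }
    const n = template[i + 1];
    if (n === "$") { out += "$"; i++; }
    else if (n === "&") { out += matched; i++; }
    else if (n === "`") { out += str.slice(0, position); i++; }
    else if (n === "'") { out += str.slice(position + matched.length); i++; }
    else if (n >= "0" && n <= "9") {
      // Prefer a two-digit group number, then one digit; out of range stays literal.
      const two = /^\d\d/.test(template.slice(i + 1)) ? Number(template.slice(i + 1, i + 3)) : 0;
      const one = Number(n);
      const idx = two >= 1 && two <= m ? two : one >= 1 && one <= m ? one : 0;
      if (idx === 0) { out += "$"; continue; }  // e.g. "$0", or "$2" with one group
      out += captures[idx - 1] ?? "";
      i += idx === two ? 2 : 1;
    } else {
      out += "$";                    // "$" followed by any other char: literal "$"
    }
  }
  return out;
}

// Run each template through the engine and the reference; return the mismatches.
// Uses the bug report's pattern /( )/ (one capture group) on a constructed input.
function checkReplaceTemplates(templates, str = "a b") {
  const re = /( )/;
  const match = re.exec(str);
  return templates.flatMap((t) => {
    const expected = str.slice(0, match.index)
      + getSubstitution(match[0], str, match.index, match.slice(1), t)
      + str.slice(match.index + match[0].length);
    const actual = str.replace(re, t);
    return actual === expected ? [] : [{ template: t, expected, actual }];
  });
}

// First entry is exactly what crash2("$1") produced in the report: a lone "$".
const TEMPLATES = ["$1".substring(0, 1), "$1", "$$", "$&", "$`", "$'", "$0", "$2", "$01", "x$", "$x"];
console.log(checkReplaceTemplates(TEMPLATES));   // [] on a conforming engine
```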
Also crashes

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Talkback ID TB6177846E
Status: UNCONFIRMED → NEW
Ever confirmed: true
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+ ID:2005052704

confirmed

TB6177883K
Summary: malicious use of javascript 'substring' and 'replace' functions causes segfault → malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]
Keywords: crash, talkbackid
Created attachment 184710 [details]
talkback TB6177883K
looks identical to bug 294195

*** This bug has been marked as a duplicate of 294195 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Assignee: nobody → general
QA Contact: general → general
Crash Signature: [@ MSVCRT.DLL ]