295734 - malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]

Status: RESOLVED DUPLICATE of bug 294195

(Core :: JavaScript Engine, defect)

Description

[Joshua Kwan]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

If the following code is executed on a page, Firefox will crash:

    function crash2(a) {
        return a.substring(0, 1);
    }
    function crash() {
        " ".replace(/( )/, crash2("$1"));
    }

Reproducible: Always

Steps to Reproduce:
1. Load up the page.
2. Watch FF crash and burn.

Actual Results:  
Segmentation fault. I can produce a coredump if necessary, but it looks like a
simple string-handling loophole is involved.

Expected Results:  
Not crashed.

Comment 1

[Carsten Book [:Tomcat]]

Also crashs
 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527
Firefox/1.0+
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Firefox/1.0.4

Talkback ID TB6177846E

Comment 2

[Peter van der Woude [:Peter6]]

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050527
Firefox/1.0+ ID:2005052704

confirmed

TB6177883K

Comment 3

[Peter van der Woude [:Peter6]]

Attachment: talkback TB6177883K

Comment 4

[Christian :Biesinger (don't email me, ping me on IRC)]

looks identical to bug 294195

*** This bug has been marked as a duplicate of 294195 ***