Closed
Bug 295734
Opened 19 years ago
Closed 19 years ago
malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 294195
People: Reporter: joshk, Unassigned
Details: Keywords: crash, crashreportid
Attachments (1 file): 3.06 KB, text/plain
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

If the following code is executed on a page, Firefox will crash:

    function crash2(a) {
        return a.substring(0, 1);
    }

    function crash() {
        " ".replace(/( )/, crash2("$1"));
    }

Reproducible: Always

Steps to Reproduce:
1. Load up the page.
2. Watch FF crash and burn.

Actual Results:
Segmentation fault. I can produce a coredump if necessary, but it looks like a simple string-handling loophole is involved.

Expected Results:
Not crashed.
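Added example, not part of the bug report: the reporter's call shape, kept as posted, beside a small regression check. Note that crash2("$1") evaluates to the one-character string "$", so the engine receives a replacement template that ends in a bare "$"; the check records the result a conforming ECMAScript engine returns for that and a few related templates (the case list and function names are assumptions for illustration).

```javascript
// Reporter's two functions, kept as posted. crash2 is applied to the
// literal "$1", so its return value is the single character "$".
function crash2(a) { return a.substring(0, 1); }
function crashTrigger() { return " ".replace(/( )/, crash2("$1")); }

// The replacement template the engine actually receives.
function replacementTemplate() { return crash2("$1"); }

// Per ECMA-262 GetSubstitution, a "$" that is not followed by a recognised
// pattern ($$, $&, $`, $', $n, $nn, $<name>) is copied literally.
// Constructed regression cases: a template ending in a bare "$" paired
// with the result a conforming engine returns for " ".replace(/( )/, t).
function regressionCases() {
  return [
    { template: "$",   expect: "$" },    // the template from this bug
    { template: "a$",  expect: "a$" },   // literal text, then bare "$"
    { template: "$1$", expect: " $" },   // capture group, then bare "$"
    { template: "$$",  expect: "$" },    // escaped dollar
  ].map(c => ({ ...c, got: " ".replace(/( )/, c.template) }));
}

// True when every case matches the specified result; a failure or a
// crash here is the signal a fuzzer or CI harness would flag.
function allCasesPass() {
  return regressionCases().every(c => c.got === c.expect);
}
```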
Comment 1•19 years ago
Also crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+ and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050527 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 Talkback ID TB6177846E
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050527 Firefox/1.0+ ID:2005052704 confirmed TB6177883K
Summary: malicious use of javascript 'substring' and 'replace' functions causes segfault → malicious use of javascript 'substring' and 'replace' functions causes segfault [@ MSVCRT.DLL ]
Updated•19 years ago
Keywords: crash, talkbackid
Comment 3•19 years ago
Comment 4•19 years ago
looks identical to bug 294195 *** This bug has been marked as a duplicate of 294195 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Updated•19 years ago
Assignee: nobody → general
QA Contact: general → general
Updated•13 years ago
Crash Signature: [@ MSVCRT.DLL ]