Closed Bug 305190 Opened 19 years ago Closed 19 years ago

dup: integer overflow in js

Categories: Firefox :: General, defect
Hardware/OS: Other, Linux
Priority: Not set
Severity: normal

Status: RESOLVED DUPLICATE of bug 303213

People: Reporter: guninski; Unassigned

Details

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.3; Linux) KHTML/3.3.2 (like Gecko)
Build Identifier: 

Bug 303213
Opened: 2005-08-03 02:56 PDT
There are 2 integer overflows in jsstr.c js_str_escape.

There is a chance of exploitability with a favorable heap layout or possibly with a
race with another thread. Exploitation is not trivial.

(gdb) break jsstr.c:366
Breakpoint 1 at 0xb7fbe6ee: file /opt/firefox-cvs/mozilla/js/src/jsstr.c, line 366.
(gdb) cont
Breakpoint 1, js_str_escape (cx=0x92e1770, obj=0x9012d68, argc=1,
    argv=0x94808d4, rval=0x73f46008)
    at /opt/firefox-cvs/mozilla/js/src/jsstr.c:366
366         newchars = (jschar *) JS_malloc(cx, (newlength + 1) * sizeof(jschar));
(gdb) p/x length
$1 = 0x15800000
(gdb) p/x newlength
$2 = 0x81000000
(gdb) p/x (newlength + 1) * sizeof(jschar)
$3 = 0x2000002
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7fbe7d2 in js_str_escape (cx=0x92e1770, obj=0x9012d68, argc=1,
    argv=0xa1f33008, rval=0x30) at /opt/firefox-cvs/mozilla/js/src/jsstr.c:383
383                 newchars[ni++] = digits[ch >> 12];

Leave as RESOLVED FIXED

Reproducible: Always

Steps to Reproduce:
1. http://www.guninski.com/mozbugs/esc1.html 
2. http://www.guninski.com/mozbugs/esc2.html
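
The gdb session above shows the allocation-size arithmetic wrapping: with newlength = 0x81000000, (newlength + 1) * sizeof(jschar) comes out as 0x2000002 on a 32-bit build, so the buffer is far too small for the loop that follows. The following C program is an added example, not code from Mozilla or from this report: it replays those numbers with a 32-bit model of the arithmetic and shows the two checks a defender would add, one on the accumulation of newlength and one on the final multiply. It assumes jschar is a 16-bit code unit, models size_t as uint32_t to mirror the 32-bit build in the report, and uses the ECMAScript escape() expansion rule (pass-through, %XX, %uXXXX) to derive per-character output widths; the helper names and the sample string are constructed for this example. It goes slightly beyond the report by also guarding the accumulation step.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: jschar is a 16-bit code unit, and the size
 * arithmetic is modelled in uint32_t to mirror a 32-bit size_t build. */
typedef uint16_t jschar;

#define LEN_OVERFLOW UINT32_MAX   /* sentinel: escaped length would not fit */

/* Output width of one code unit under the ECMAScript escape() rule:
 * [A-Za-z0-9@*_+-./] pass through (1), other code units < 256 become
 * %XX (3), everything else becomes %uXXXX (6). */
uint32_t escape_expansion(jschar ch) {
    if ((ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') ||
        (ch >= '0' && ch <= '9'))
        return 1;
    switch (ch) {
    case '@': case '*': case '_': case '+': case '-': case '.': case '/':
        return 1;
    default:
        return ch < 256 ? 3 : 6;
    }
}

/* Unchecked length arithmetic as seen in the gdb session: the product
 * silently wraps modulo 2^32, so a huge newlength yields a tiny buffer. */
uint32_t wrapped_alloc_size(uint32_t newlength) {
    return (newlength + 1u) * (uint32_t)sizeof(jschar);
}

/* Checked version: returns the byte count to allocate, or 0 if either the
 * +1 or the multiply would wrap (a valid size is never 0). */
uint32_t checked_alloc_size(uint32_t newlength) {
    if (newlength == UINT32_MAX) return 0;               /* newlength + 1 wraps */
    uint32_t units = newlength + 1u;
    if (units > UINT32_MAX / (uint32_t)sizeof(jschar)) return 0; /* product wraps */
    return units * (uint32_t)sizeof(jschar);
}

/* Accumulate the escaped length of a string, refusing to wrap. Keeps one
 * unit of headroom so that the later "+ 1" cannot wrap either. */
uint32_t escaped_length(const jschar *s, uint32_t length) {
    uint32_t total = 0;
    for (uint32_t i = 0; i < length; i++) {
        uint32_t add = escape_expansion(s[i]);
        if (add > UINT32_MAX - 1u - total) return LEN_OVERFLOW;
        total += add;
    }
    return total;
}

/* Worst case without materialising the string: every code unit expands to
 * six output units. Returns LEN_OVERFLOW if length * 6 does not fit. */
uint32_t worst_case_escaped_length(uint32_t length) {
    if (length > (UINT32_MAX - 1u) / 6u) return LEN_OVERFLOW;
    return length * 6u;
}

/* Constructed sample: 'a', ' ', 'b', U+0100 -> 1 + 3 + 1 + 6 = 11 units. */
static const jschar kSample[] = { 'a', ' ', 'b', 0x0100 };
#define kSampleLen ((uint32_t)(sizeof(kSample) / sizeof(kSample[0])))

int main(void) {
    uint32_t n = escaped_length(kSample, kSampleLen);
    printf("sample escapes to %u units, allocate %u bytes\n",
           n, checked_alloc_size(n));

    /* Replay the report: length 0x15800000 with every unit as %uXXXX
     * gives newlength 0x81000000, exactly the value gdb printed. */
    uint32_t big = worst_case_escaped_length(0x15800000u);
    printf("newlength = 0x%x\n", big);
    printf("unchecked size = 0x%x, checked size = %u (0 = refused)\n",
           wrapped_alloc_size(big), checked_alloc_size(big));
    return 0;
}
```

The replayed numbers line up with the report: 0x15800000 input units times 6 is 0x81000000, and the unchecked product (0x81000001 * 2) wraps to 0x2000002, the same value gdb printed before the SIGSEGV. The checked variant refuses that allocation instead of handing back a wrapped size, which is the property to look for when reviewing any length-times-element-size computation that feeds an allocator.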

*** This bug has been marked as a duplicate of 303213 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Ironically, according to the wild web, this used to crash Safari.