Closed
Bug 305190
Opened 19 years ago
Closed 19 years ago
dup: integer overflow in js
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 303213
People
(Reporter: guninski, Unassigned)
Details
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) KHTML/3.3.2 (like Gecko)
Build Identifier:

Bug 303213 Opened: 2005-08-03 02:56 PDT

there are 2 integer overflows in jsstr.c js_str_escape. there is a chance of exploitability with favorable heap layout or eventually if possible race with another thread. exploitation is not trivial.

(gdb) break jsstr.c:366
Breakpoint 1 at 0xb7fbe6ee: file /opt/firefox-cvs/mozilla/js/src/jsstr.c, line 366.
(gdb) cont
Breakpoint 1, js_str_escape (cx=0x92e1770, obj=0x9012d68, argc=1, argv=0x94808d4, rval=0x73f46008) at /opt/firefox-cvs/mozilla/js/src/jsstr.c:366
366 newchars = (jschar *) JS_malloc(cx, (newlength + 1) * sizeof(jschar));
(gdb) p/x length
$1 = 0x15800000
(gdb) p/x newlength
$2 = 0x81000000
(gdb) p/x (newlength + 1) * sizeof(jschar)
$3 = 0x2000002
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xb7fbe7d2 in js_str_escape (cx=0x92e1770, obj=0x9012d68, argc=1, argv=0xa1f33008, rval=0x30) at /opt/firefox-cvs/mozilla/js/src/jsstr.c:383
383 newchars[ni++] = digits[ch >> 12];

Leave as RESOLVED FIXED

Reproducible: Always

Steps to Reproduce:
1. http://www.guninski.com/mozbugs/esc1.html
2. http://www.guninski.com/mozbugs/esc2.html
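The allocation-size expression in the trace, (newlength + 1) * sizeof(jschar), modelled in 32-bit arithmetic as an added example; this is not code from the Mozilla tree or from the reporter. The unchecked form reproduces the truncated value 0x2000002 the gdb session prints for newlength = 0x81000000, and the checked variant refuses the allocation instead of handing the truncated size to malloc. The function names, the uint32_t modelling and the 2-byte jschar size are assumptions; the real jsstr.c types are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption (not from the page): lengths are 32-bit unsigned counts of
   2-byte jschar units, as on the 32-bit build the gdb session came from. */
#define JSCHAR_SIZE 2u

/* Unchecked: the expression as the trace shows it, evaluated in 32 bits.
   With newlength = 0x81000000 the true product 0x102000002 is truncated
   to 0x2000002, so the buffer is far smaller than the escape loop writes. */
uint32_t unchecked_alloc_bytes(uint32_t newlength)
{
    return (newlength + 1u) * JSCHAR_SIZE;
}

/* Checked: fail closed when (newlength + 1) * JSCHAR_SIZE would wrap.
   Returns 1 and stores the byte count on success, 0 on overflow. */
int checked_alloc_bytes(uint32_t newlength, uint32_t *bytes_out)
{
    if (newlength == UINT32_MAX)            /* newlength + 1 would wrap */
        return 0;
    uint32_t count = newlength + 1u;
    if (count > UINT32_MAX / JSCHAR_SIZE)   /* count * size would wrap */
        return 0;
    *bytes_out = count * JSCHAR_SIZE;
    return 1;
}

/* Hypothetical allocation wrapper: only calls malloc with a verified size.
   Returns NULL (and allocates nothing) when the size check fails. */
void *alloc_escaped_buffer(uint32_t newlength)
{
    uint32_t bytes;
    if (!checked_alloc_bytes(newlength, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t newlength = 0x81000000u;   /* value from the gdb session above */
    printf("unchecked: 0x%x bytes\n", unchecked_alloc_bytes(newlength));
    void *p = alloc_escaped_buffer(newlength);
    printf("checked:   %s\n", p ? "allocated" : "refused (overflow)");
    free(p);
    return 0;
}
```

The check tests both additions in the expression separately: the increment cannot wrap because newlength is compared against UINT32_MAX first, and the multiplication cannot wrap because the count is bounded by UINT32_MAX / JSCHAR_SIZE before it is multiplied. A caller that sees NULL from the wrapper must treat it as an error rather than as an empty buffer.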
Comment 1 (Reporter) • 19 years ago
*** This bug has been marked as a duplicate of 303213 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment 2 (Reporter) • 16 years ago
ironically, according to the wild web, this used to crash safari