Closed Bug 305190 Opened 20 years ago Closed 20 years ago

dup: integer overflow in js

Categories

(Firefox :: General, defect)

Other
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 303213

People

(Reporter: guninski, Unassigned)

Details

User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) KHTML/3.3.2 (like Gecko)
Build Identifier:

Bug 303213 Opened: 2005-08-03 02:56 PDT

There are 2 integer overflows in jsstr.c js_str_escape. There is chance of exploitability with favorable heap layout or eventually if possible race with another thread. Exploitation is not trivial.

(gdb) break jsstr.c:366
Breakpoint 1 at 0xb7fbe6ee: file /opt/firefox-cvs/mozilla/js/src/jsstr.c, line 366.
(gdb) cont
Breakpoint 1, js_str_escape (cx=0x92e1770, obj=0x9012d68, argc=1, argv=0x94808d4, rval=0x73f46008) at /opt/firefox-cvs/mozilla/js/src/jsstr.c:366
366         newchars = (jschar *) JS_malloc(cx, (newlength + 1) * sizeof(jschar));
(gdb) p/x length
$1 = 0x15800000
(gdb) p/x newlength
$2 = 0x81000000
(gdb) p/x (newlength + 1) * sizeof(jschar)
$3 = 0x2000002
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7fbe7d2 in js_str_escape (cx=0x92e1770, obj=0x9012d68, argc=1, argv=0xa1f33008, rval=0x30) at /opt/firefox-cvs/mozilla/js/src/jsstr.c:383
383         newchars[ni++] = digits[ch >> 12];

Leave as RESOLVED FIXED

Reproducible: Always

Steps to Reproduce:
1. http://www.guninski.com/mozbugs/esc1.html
2. http://www.guninski.com/mozbugs/esc2.html
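The following is an added illustration, not the reporter's test case or Mozilla's code: it replays the 32-bit size arithmetic behind the gdb values above (length 0x15800000 becoming newlength 0x81000000, then the wrapped allocation size 0x2000002) next to a checked size computation that refuses the allocation instead. It assumes every input character takes the %uXXXX path of escape(), which is the path at the crash site.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t jschar;            /* SpiderMonkey's 16-bit character type */

/* Assumption: each input char is escaped as "%uXXXX", i.e. 1 char becomes 6,
 * so the escaped length grows by 5 per input char (the digits[ch >> 12] path). */
#define ESC_UNICODE_GROWTH 5u

/* Unchecked arithmetic, in the 32-bit unsigned terms of the report:
 * newlength = length + 5*length (fits), then (newlength + 1) * sizeof(jschar)
 * wraps past 2^32 and yields a far too small allocation. */
uint32_t unchecked_newlength(uint32_t length) {
    return length + ESC_UNICODE_GROWTH * length;
}

uint32_t unchecked_alloc_bytes(uint32_t newlength) {
    return (newlength + 1u) * (uint32_t)sizeof(jschar);     /* wraps silently */
}

/* Checked variant: do the whole computation in 64 bits and refuse anything
 * that does not fit the 32-bit size_t the allocator would receive.
 * Returns the byte count, or 0 when the request must be rejected. */
uint32_t checked_alloc_bytes(uint32_t length) {
    uint64_t newlength = (uint64_t)length + (uint64_t)ESC_UNICODE_GROWTH * length;
    uint64_t bytes = (newlength + 1u) * sizeof(jschar);
    if (bytes > UINT32_MAX)
        return 0;                   /* caller reports an out-of-memory error */
    return (uint32_t)bytes;
}

int main(void) {
    uint32_t length = 0x15800000u;  /* the value printed by the reporter's gdb */
    uint32_t newlength = unchecked_newlength(length);
    printf("length    = 0x%x\n", length);
    printf("newlength = 0x%x\n", newlength);
    printf("unchecked alloc bytes = 0x%x (wrapped)\n", unchecked_alloc_bytes(newlength));
    printf("checked alloc bytes   = %u (0 means rejected)\n", checked_alloc_bytes(length));
    printf("checked, length 16    = %u bytes\n", checked_alloc_bytes(16u));
    return 0;
}
```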
*** This bug has been marked as a duplicate of 303213 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Ironically, according to the wild web, this used to crash Safari.