Closed Bug 308566 Opened 16 years ago Closed 16 years ago

Crash in strict mode on failed octal sequence

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: normal
Status: VERIFIED FIXED
Reporter: mrbkap, Assigned: mrbkap
Keywords: crash, verified1.8
Whiteboard: blocks 280769?
Attachments: 1 file

Currently, when faced with the attempted octal escape sequence \260 (and
similar) in strict mode, we refuse to treat it as an octal escape and instead
generate a REOP_BACKREF to the paren match 0xFFFF. This paren doesn't exist, so
we crash attempting to match against it.

I'm marking this security sensitive, since I'm not sure that this isn't
exploitable. This bug is what Bob has been seeing while trying out Igor's
patches in bug 280769, so once this is fixed, we should be able to push those
patches as-is into the tree.

I'm still working on figuring out the most compatible handling of these
"invalid" backrefs.
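The failure described in this report, as an added regression-style check written for this page; it is not the project's regress-308566.js and contains no SpiderMonkey code. Each pattern carries an escape that a regex compiler must classify as either a backreference (when the numbered group exists) or something else (when it does not). An engine that turns the missing group into a bogus backreference, as the report describes, crashes or throws on these inputs; the expected results assume an engine that follows ECMAScript Annex B, under which \N above the capture-group count is a legacy octal escape and \8 and \9 are identity escapes.

```javascript
// Added example (not the project's regress-308566.js): compile patterns whose
// escapes look like backreferences to groups that may not exist, and record
// whether each compiles and what it matches. A crash, a thrown SyntaxError,
// or a wrong match on any of these is a regression.
'use strict';

// Constructed cases: [pattern source, input string, expected test() result].
const CASES = [
  ['\\260',   '\u00b0',  true],   // no groups: 0o260 = U+00B0, not a backref
  ['\\260',   '260',     false],  // and not the literal digit string
  ['\\1',     '\u0001',  true],   // no groups: \1 is octal U+0001
  ['(a)\\1',  'aa',      true],   // one group: \1 is a real backreference
  ['(a)\\1',  'ab',      false],
  ['(a)\\2',  'a\u0002', true],   // \2 exceeds the group count: octal again
  ['\\8',     '8',       true],   // 8 is not an octal digit: identity escape
];

// Compile one pattern and run it; a thrown SyntaxError is reported rather
// than propagated so that every case is exercised.
function checkPattern(pattern, input) {
  try {
    const re = new RegExp(pattern);
    return { compiled: true, matched: re.test(input) };
  } catch (err) {
    return { compiled: false, matched: null, error: err.message };
  }
}

// Run all cases; a case is ok only when it compiled and matched as expected.
function runOctalEscapeChecks(cases = CASES) {
  return cases.map(([pattern, input, expected]) => {
    const result = checkPattern(pattern, input);
    return {
      pattern,
      input,
      ...result,
      ok: result.compiled && result.matched === expected,
    };
  });
}

function allPassed(cases = CASES) {
  return runOctalEscapeChecks(cases).every((r) => r.ok);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runOctalEscapeChecks()) {
    console.log(`${r.ok ? 'PASS' : 'FAIL'} /${r.pattern}/ on ${JSON.stringify(r.input)}`);
  }
}
```

The patterns are built with `new RegExp` from escaped strings so the check also runs under ES5 strict mode, whose octal restriction applies to string literals, not to the regex compiler's own handling of these escapes.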
Attached patch: imitate IE
This patch seems to imitate what IE does.
Attachment #196084 - Flags: review?(brendan)
Comment on attachment 196084 (imitate IE)

Righteous.  r+a=me.

/be
Attachment #196084 - Flags: review?(brendan)
Attachment #196084 - Flags: review+
Attachment #196084 - Flags: approval1.8b5+
Flags: blocking1.8b5+
Fix checked into trunk. I'll check this in on branch tomorrow.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Fix checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
*** Bug 308738 has been marked as a duplicate of this bug. ***
Opening bug per request from mrbkap.
Group: security
Checking in regress-308566.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-308566.js,v  <--  regress-308566.js
initial revision: 1.1
done
Flags: testcase+
No crash: Firefox 1.5 RC2, WinXP/Linux.
Keywords: fixed1.8 → verified1.8
Nominating for old branches because of the linkage to 280769, though they appear to be independent bugs.
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: blocks 280769?
Haven't heard that this is required for bug 280769, minusing for old 1.7/aviary101 branches. Crash fix, fixed on trunk and the current 1.8 branch.
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
verified fixed 1.9 20060818 windows/mac(ppc|tel)/linux
Status: RESOLVED → VERIFIED