Closed Bug 308566 Opened 16 years ago Closed 16 years ago
Crash in strict mode on failed octal sequence
Currently, when faced with the attempted octal escape sequence \260 (and similar) in strict mode, we refuse to treat it as an octal escape and instead generate a REOP_BACKREF to the paren match 0xFFFF. This paren doesn't exist, so we crash attempting to match against it. I'm marking this security sensitive, since I'm not sure that this isn't exploitable. This bug is what Bob has been seeing while trying out Igor's patches in bug 280769, so once this is fixed, we should be able to push those patches as-is into the tree. I'm still working on figuring out the most compatible handling of these "invalid" backrefs.
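The failure described in the opening comment is a compiled back-reference whose group index has no matching capture group. The C code below is an added example, not the patch attached to this bug and not SpiderMonkey code: it refuses to emit such a back-reference when the escape is classified and re-checks the index again at match time. The names `classify_escape`, `match_backref` and `struct captures`, and the choice to reject the escape in strict mode, are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

enum esc_kind { ESC_BACKREF, ESC_OCTAL, ESC_REJECT };

/* Hypothetical capture table; groups are 1-based, slot 0 is unused. */
struct captures { size_t ngroups; size_t start[8], len[8]; };

/* Classify the digits that follow a backslash. `strict` stands in for the
 * strict option in the report, where octal escapes are not accepted.
 * Rejecting in that case is an assumed policy, not the bug's actual fix. */
enum esc_kind classify_escape(const char *digits, size_t ngroups,
                              int strict, unsigned *value)
{
    unsigned dec = 0, oct = 0;
    int octal_ok = 1;
    const char *p;
    for (p = digits; *p >= '0' && *p <= '9'; p++) {
        if (dec < 0xFFFF) dec = dec * 10 + (unsigned)(*p - '0');
        if (*p > '7') octal_ok = 0;
        else if (oct <= 0377) oct = oct * 8 + (unsigned)(*p - '0');
    }
    if (p == digits) return ESC_REJECT;              /* no digits at all */
    if (dec >= 1 && dec <= ngroups) { *value = dec; return ESC_BACKREF; }
    if (!strict && octal_ok && oct <= 0377) { *value = oct; return ESC_OCTAL; }
    return ESC_REJECT;  /* never emit a back-reference to a missing group */
}

/* Returns the number of chars consumed at input+pos, or -1 for no match.
 * The index is checked again so a bad program cannot read past the table. */
long match_backref(const struct captures *c, unsigned idx,
                   const char *input, size_t pos)
{
    if (idx == 0 || c->ngroups > 7 || idx > c->ngroups) return -1;
    size_t n = c->len[idx];
    if (strlen(input) < pos + n) return -1;
    return memcmp(input + c->start[idx], input + pos, n) == 0 ? (long)n : -1;
}
```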
This patch seems to imitate what IE does.
Comment on attachment 196084: imitate IE
Righteous. r+a=me. /be
Fix checked into trunk. I'll check this in on branch tomorrow.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Fix checked into MOZILLA_1_8_BRANCH.
*** Bug 308738 has been marked as a duplicate of this bug. ***
Opening bug per request from mrbkap.
Checking in regress-308566.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-308566.js,v  <--  regress-308566.js
initial revision: 1.1
done
Nominating for old branches because of the linkage to 280769, though they appear to be independent bugs.
Whiteboard: blocks 280769?
Haven't heard that this is required for bug 280769, minusing for old 1.7/aviary101 branches. Crash fix, fixed on trunk and the current 1.8 branch.
verified fixed 1.9 20060818 windows/mac(ppc|tel)/linux
Status: RESOLVED → VERIFIED