stack overflow (in UnaryExpr?)

VERIFIED FIXED in mozilla1.8rc1

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Reporter: Mook
Assignee: mrbkap
Keywords: crash, verified1.8
Version: Trunk
Target Milestone: mozilla1.8rc1
Platform: x86, Windows XP
Flags: blocking1.8rc1+, in-testsuite+
Attachments: 1

Description (Reporter: Mook)

Tested to occur on:
1.0.7 (Win32, release);
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007
Firefox/1.6a1

Steps to reproduce:
1. perl -e 'print "+ " x 60000 ;' > test.txt
  1a. Somehow get a string of "+ " repeated 60 000 times otherwise :)
2. copy the contents of test.txt into the JS console and click on Evaluate
3. crash

Expected Results:
Error in JS console, and not crash.

Actual Results:
Crash

Discussion:
This is remotely exploitable (crash also happens in <script> tags on content
pages).  Dataloss, I guess.

First few lines of talkback (TB10376057Q, TB10376528Q, TB10376612X):
GetChar [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 362]
js_GetToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 1294]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
... etc.  Same stack (different line numbers - 303/774/2592) for 1.0.7

(Thanks to Tonglebeak and ispiked on #firefox for the help)

Comment 1 (Assignee)

Created attachment 198894: Add a needed check

On IRC, #content,
[brendan]: so r=me on the CHECK_RECURSION
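
The fix reviewed above bounds the parser's recursion depth. As an added illustration (not the jsparse.c patch or any SpiderMonkey code), the toy recursive-descent parser below shows the same idea: UnaryExpr recurses once per leading `+`, so the reporter's 60 000-token input would recurse 60 000 frames deep, and a depth counter turns that into an error return instead of a native stack overflow. The grammar, the `parser_t`/`unary_expr`/`parse_expr`/`make_plus_chain` names and the depth cap are all mine.

```c
#include <stdlib.h>
/* Toy grammar modelled on the shape of the crash, not on SpiderMonkey:
 *   UnaryExpr := '+' UnaryExpr | Number
 * Each leading '+' costs a native stack frame, so "+ " x 60000 recurses
 * 60000 deep unless the parser checks its own depth before descending. */
typedef struct {
    const char *src;
    size_t pos;
    int depth;      /* current nesting of unary_expr() */
    int max_depth;  /* cap chosen far below what the native stack allows */
} parser_t;

static void skip_ws(parser_t *p) { while (p->src[p->pos] == ' ') p->pos++; }

/* Returns 0 on success, -1 on a syntax error, -2 when the depth cap is hit. */
static int unary_expr(parser_t *p, long *out) {
    int rc;
    /* The CHECK_RECURSION analogue: refuse to descend past the cap. */
    if (++p->depth > p->max_depth) { p->depth--; return -2; }
    skip_ws(p);
    if (p->src[p->pos] == '+') {
        p->pos++;
        rc = unary_expr(p, out);        /* unary plus leaves the value alone */
    } else if (p->src[p->pos] >= '0' && p->src[p->pos] <= '9') {
        char *end;
        *out = strtol(p->src + p->pos, &end, 10);
        p->pos = (size_t)(end - p->src);
        rc = 0;
    } else {
        rc = -1;                        /* missing operand: plain syntax error */
    }
    p->depth--;
    return rc;
}

/* Parses a whole expression; the caller gets a result code, never a crash. */
int parse_expr(const char *src, int max_depth, long *out) {
    parser_t p = { src, 0, 0, max_depth };
    int rc = unary_expr(&p, out);
    if (rc == 0) { skip_ws(&p); if (p.src[p.pos] != '\0') rc = -1; }
    return rc;
}

/* Constructs the reporter's input, "+ " repeated n times, ending in "1". */
char *make_plus_chain(size_t n) {
    char *s = malloc(2 * n + 2);
    for (size_t i = 0; i < n; i++) { s[2 * i] = '+'; s[2 * i + 1] = ' '; }
    s[2 * n] = '1'; s[2 * n + 1] = '\0';
    return s;
}
```

With a cap of a few hundred or thousand levels, a short chain still evaluates normally while the 60 000-token input fails fast with the recursion code, which is the behaviour the reporter expected from the JS console.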

Updated (Assignee)

Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #198894 - Flags: review+

Updated (Assignee)

Attachment #198894 - Attachment description: Add a neede check → Add a needed check

Updated

Severity: normal → critical

Comment 2

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-311629.js,v  <--  regress-311629.js
initial revision: 1.1
Flags: testcase+

Comment 3

Ideally safe fix for 1.8rc1.  This should go on the trunk ASAP.  Thanks,

/be
Flags: blocking1.8rc1+

Comment 4 (Assignee)

Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Resolution: --- → FIXED

Updated

Attachment #198894 - Flags: approval1.8rc1?

Comment 5

Should this go on the 1.7/aviary branches as well?

Comment 6

(In reply to comment #5)
> Should this go on the 1.7/aviary branches as well?

Can't hurt, but it's not needed for security against remote exploit, or for XSS
or privacy protection -- just for DOS prevention.

/be

Updated

Attachment #198894 - Flags: approval1.8rc1? → approval1.8rc1+

Comment 7

Blake, can you get this checked into the branch? Thanks.

Comment 8 (Assignee)

Checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8

Updated (Assignee)

Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1

Comment 9

No crash, Firefox 1.5 rc2, WinXP/Linux.
Keywords: fixed1.8 → verified1.8

Comment 10

Verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED