Bug 311629: stack overflow (in UnaryExpr? )
Status: Closed (opened 20 years ago, closed 20 years ago)
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target mozilla1.8rc1
People: Reporter: Mook; Assigned: mrbkap
Details: Keywords: crash, verified1.8
Attachments (1 file): patch, 805 bytes; mrbkap: review+; asa: approval1.8rc1+
Tested to occur on:
1.0.7 (Win32, release);
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1
Steps to reproduce:
1. perl -e 'print "+ " x 60000 ;' > test.txt
1a. Somehow get a string of "+ " repeated 60 000 times otherwise :)
2. copy the contents of test.txt into the JS console and click on Evaluate
3. crash
Expected Results:
Error in JS console, and not crash.
Actual Results:
Crash
Discussion:
This is remotely exploitable (crash also happens in <script> tags on content pages). Dataloss, I guess.
First few lines of talkback (TB10376057Q, TB10376528Q, TB10376612X):
GetChar [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 362]
js_GetToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscan.c, line 1294]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
UnaryExpr [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 2764]
... etc. Same stack (different line numbers - 303/774/2592) for 1.0.7
(Thanks to Tonglebeak and ispiked on #firefox for the help)
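Added here as an example, not SpiderMonkey's own code: a toy recursive-descent parser for JS-style unary expressions in C, showing why a run of prefix operators recurses once per operator and how a depth guard in the spirit of the CHECK_RECURSION fix turns the stack overflow into a reported error. All names (unary, eval_unary, MAX_UNARY_DEPTH, make_plus_chain) and the depth bound are assumptions.

```c
/* Added example, not SpiderMonkey code: a toy recursive-descent parser for
 * JS-style unary expressions with a depth guard modelled on the CHECK_RECURSION
 * fix. Each prefix "+"/"-" recurses into unary(); with the report's 60 000
 * operators and no guard, that recursion exhausts the C stack. */
#include <ctype.h>
#include <stdlib.h>

enum { PARSE_OK = 0, PARSE_SYNTAX = 1, PARSE_TOO_DEEP = 2 };
#define MAX_UNARY_DEPTH 1000   /* assumed bound; the real engine's limit differs */

struct parser { const char *p; int status; };   /* cursor, first error seen */

static void skip_ws(struct parser *ps) { while (isspace((unsigned char)*ps->p)) ps->p++; }

/* unary := ('+' | '-') unary | number */
static long unary(struct parser *ps, int depth) {
    if (depth > MAX_UNARY_DEPTH) {   /* the guard: report an error, don't overflow */
        ps->status = PARSE_TOO_DEEP;
        return 0;
    }
    skip_ws(ps);
    if (*ps->p == '+') { ps->p++; return +unary(ps, depth + 1); }
    if (*ps->p == '-') { ps->p++; return -unary(ps, depth + 1); }
    if (isdigit((unsigned char)*ps->p)) {
        char *end; long v = strtol(ps->p, &end, 10);
        ps->p = end; return v;
    }
    ps->status = PARSE_SYNTAX;   /* anything else: not a unary expression */
    return 0;
}

/* Parses src; returns PARSE_OK / PARSE_SYNTAX / PARSE_TOO_DEEP, value via *out. */
int eval_unary(const char *src, long *out) {
    struct parser ps = { src, PARSE_OK };
    long v = unary(&ps, 0);
    if (ps.status == PARSE_OK) {
        skip_ws(&ps);
        if (*ps.p != '\0') ps.status = PARSE_SYNTAX;   /* trailing garbage */
    }
    if (out) *out = v;
    return ps.status;
}

/* Constructed input mirroring step 1 of the report: "+ " repeated n times, then "1". */
char *make_plus_chain(size_t n) {
    char *s = malloc(2 * n + 2), *q = s;
    for (size_t i = 0; i < n; i++) { *q++ = '+'; *q++ = ' '; }
    *q++ = '1'; *q = '\0';
    return s;
}
```

With the guard removed, eval_unary(make_plus_chain(60000), ...) recurses 60 000 frames deep and crashes the same way the talkback stack shows; with it, the caller gets PARSE_TOO_DEEP and can report an error instead.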
Comment 1•20 years ago
On IRC, #content,
[ brendan]: so r=me on the CHECK_RECURSION
Updated•20 years ago
Attachment #198894 -
Attachment description: Add a neede check → Add a needed check
Updated•20 years ago
Severity: normal → critical
Comment 2•20 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-311629.js,v <-- regress-311629.js
initial revision: 1.1
Flags: testcase+
Comment 3•20 years ago
Ideally safe fix for 1.8rc1. This should go on the trunk ASAP. Thanks,
/be
Flags: blocking1.8rc1+
Comment 4•20 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•20 years ago
Attachment #198894 -
Flags: approval1.8rc1?
Comment 5•20 years ago
Should this go on the 1.7/aviary branches as well?
Comment 6•20 years ago
(In reply to comment #5)
> Should this go on the 1.7/aviary branches as well?
Can't hurt, but it's not needed for security against remote exploit, or for XSS
or privacy protection -- just for DOS prevention.
/be
Updated•20 years ago
Attachment #198894 -
Flags: approval1.8rc1? → approval1.8rc1+
Comment 7•20 years ago
Blake, can you get this checked into the branch? Thanks.
Updated•20 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1