The JSErrorReport filled in by js_ExpandErrorArguments() expects all of its members to be allocated on the heap. If the arguments to the errors are jschar*, the pointers to the strings are copied instead of a copy being created. This leads to double frees, because callers of js_ExpandErrorArguments() free the report elements (in this case, report.messageArgs and its elements).
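The ownership convention comment 0 describes (a report whose members must all be heap-allocated because the caller of the expand routine frees them) is a common source of double frees when a routine stores borrowed pointers instead of copies. The following is an added, generic C illustration of that convention, not SpiderMonkey code: `report_t`, `expand_report()`, `free_report()` and the sample strings are hypothetical, and it shows the deep-copying behaviour the reporter expected rather than the shallow copy he initially suspected (the thread below concludes the suspected defect did not exist).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical report structure (not JSErrorReport). Every pointer it holds
 * is owned by the report and released only by free_report(). */
typedef struct {
    char **args;   /* heap array of heap-allocated string copies */
    size_t nargs;  /* number of entries in args that were allocated */
} report_t;

/* Frees exactly what expand_report() allocated, and nothing the caller owns. */
static void free_report(report_t *rep)
{
    for (size_t i = 0; i < rep->nargs; i++)
        free(rep->args[i]);
    free(rep->args);
    rep->args = NULL;
    rep->nargs = 0;
}

/* Fills the report from caller-owned strings by deep-copying each one.
 * Storing args[i] itself (a shallow copy) would make the caller's free and
 * free_report() release the same block, which is the double free comment 0
 * worried about. Returns 1 on success, 0 on allocation failure. */
static int expand_report(report_t *rep, const char *const *args, size_t nargs)
{
    rep->args = NULL;
    rep->nargs = 0;
    if (nargs == 0)
        return 1;
    rep->args = calloc(nargs, sizeof *rep->args);
    if (!rep->args)
        return 0;
    for (size_t i = 0; i < nargs; i++) {
        size_t len = strlen(args[i]) + 1;
        rep->args[i] = malloc(len);
        if (!rep->args[i]) {
            free_report(rep);   /* nargs counts only completed entries */
            return 0;
        }
        memcpy(rep->args[i], args[i], len);
        rep->nargs = i + 1;
    }
    return 1;
}

/* Demonstrates that the report's members are independent copies: the caller
 * releases its own buffers and the report releases only its own allocations.
 * Returns 1 when every stored argument is a distinct block with equal contents. */
static int ownership_demo(void)
{
    /* Constructed sample arguments owned by the caller. */
    char owned[] = "sample operand";
    const char *literal = "sample type";
    const char *const args[] = { owned, literal };
    report_t rep;

    if (!expand_report(&rep, args, 2))
        return 0;

    int ok = rep.nargs == 2
          && rep.args[0] != owned                 /* distinct allocation */
          && strcmp(rep.args[0], owned) == 0      /* identical contents */
          && rep.args[1] != literal
          && strcmp(rep.args[1], literal) == 0;

    /* Mutating the caller's buffer must not affect the report's copy. */
    owned[0] = 'S';
    ok = ok && strcmp(rep.args[0], "sample operand") == 0;

    free_report(&rep);   /* frees only the report's own copies */
    return ok;
}

int main(void)
{
    return ownership_demo() ? 0 : 1;
}
```

Running it under AddressSanitizer or Valgrind is the practical check for this kind of report: a shallow-copying `expand_report()` would trip a double-free diagnostic as soon as both owners free, whereas the deep-copying version above runs clean.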
Sorry, my fault - I should have read the sources more carefully. This bug is invalid.
Status: ASSIGNED → RESOLVED
Resolution: --- → INVALID
For the record I tried auditing all users of js_ExpandErrorArguments when I wrote the patch for bug 319264.
Status: RESOLVED → VERIFIED