js_ExpandErrorArguments(): jschar* arguments are not malloc'ed

VERIFIED INVALID

13 years ago

People

(Reporter: daumling, Unassigned)

Tracking

Trunk
x86
Windows XP

(Reporter)

Description

13 years ago
The JSErrorReport filled in by js_ExpandErrorArguments() expects all of its members to be allocated on the heap. If the arguments to the errors are jschar*, the pointers to the strings are copied instead of a copy being created. This leads to double frees, because callers of js_ExpandErrorArguments() free the report elements (in this case, report.messageArgs and its elements).
(Reporter)

Updated

13 years ago
Status: NEW → ASSIGNED
(Reporter)

Comment 1

13 years ago
Sorry, my fault - I should have read the sources more carefully. This bug is invalid.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
For the record I tried auditing all users of js_ExpandErrorArguments when I wrote the patch for bug 319264.
Status: RESOLVED → VERIFIED