Closed Bug 320520 Opened 19 years ago Closed 19 years ago

js_ExpandErrorArguments(): jschar* arguments are not malloc'ed

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
normal

VERIFIED INVALID

People

(Reporter: daumling, Unassigned)

Details

The JSErrorReport filled in by js_ExpandErrorArguments() expects all of its members to be allocated on the heap. If the arguments to the errors are jschar*, the pointers to the strings are copied instead of a copy being created. This leads to double frees, because callers of js_ExpandErrorArguments() free the report elements (in this case, report.messageArgs and its elements).
Status: NEW → ASSIGNED
Sorry, my fault - I should have read the sources more carefully. This bug is invalid.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
For the record, I tried auditing all users of js_ExpandErrorArguments when I wrote the patch for bug 319264.
Status: RESOLVED → VERIFIED