I had a proof of concept exploit for this vulnerability a month ago,
but it was lost due to HDD crash. bug 355478 have reminded me of it.
Created attachment 241357 [details]
Salvaged proof of concept exploit. works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:220.127.116.11pre)
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
FIREFOX caused an exception 03H in
module unknown at 0000:12030108
EAX=deadfeed CS=015f EIP=12030108 EFLGS=00000206
EBX=deadfeed SS=0167 ESP=00d8ec00 EBP=00d8ec20
ECX=deadfeed DS=0167 ESI=1203008c FS=1987
EDX=deadfeed ES=0167 EDI=12030084 GS=0000
Bytes at CS:EIP:
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
6013c26d 02adfc00 12030084 00000003 12030084 00000000 02adfc00 1203008c
00d8ec5c 60113000 02adfc00 12030084 00000003 00d8eca8 12030010 00d8ecc0
Marking this bug blocking; patch is in bug 355478.
Blocking for Fx2 RC3
Cover bug is fixed on the 1.8 branch.
Created attachment 241706 [details]
couldn't reproduce the crash, so verification will not have much meaning. shutdown, can you please test in trunk and 1.8 and marked verified? thanks.
no crash with 20061009 1.8 windows/linux/mac* 1.9 windows/linux on e4x/Regress/regress-355569.js, but since I couldn't initially reproduce am not verifying.
bug 355478 has been checked into the 1.8.0 branch
20061016 trunk/1.8/1.8.0: verifying with shorter testcase.
Not applicable to the aviary/moz1.7 branch
This has been assigned CVE-2006-5747
/cvsroot/mozilla/js/tests/e4x/Regress/regress-355569.js,v <-- regress-355569.js
initial revision: 1.1