Closed
Bug 355583
Opened 18 years ago
Closed 18 years ago
block object allows access to arbitrary stack slots
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
People
(Reporter: sync2d, Unassigned)
Details
(Keywords: crash, verified1.8.1, Whiteboard: [sg:critical] js1.7 fixed in bug 355590)
Attachments
(1 file)
2.46 KB, text/plain
$ cat block-object-stack-access.txt
(function() {
  let b = function(){}.__parent__;
  print(b[1] = throwError);
})();

$ dbg.obj/js -v 170 block-object-stack-access.txt
block-object-stack-access.txt:3: Error: This is an error

You can read/write arbitrary interpreter stack slots.
Comment 1•18 years ago
I'm going to file a cover bug for this one, to hold the trunk patch so we can get it in as a standard conformance fix. Thanks for finding this -- __parent__ is not something that should leak lexical scope, let alone internal memory access! /be
Comment 2•18 years ago
Filed bug 355590 for public patching of this bug. Patch attached there is attachment 241369 [details] [diff] [review]. /be
Comment 3•18 years ago
Nominating this bug as blocking1.8.1* but the patch nominated for approval1.8.1 is over in bug 355590. Please don't mark a dependency on that bug. /be
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Flags: blocking1.9?
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Comment 4•18 years ago
Again, not in 1.8, fixed on 1.9 trunk in bug 355590. Still hoping to use that as the public bug and not link any s-s bug to it until we ship. /be
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.9?
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Resolution: --- → FIXED
Comment 5•18 years ago
Updated•18 years ago
Flags: in-testsuite+
Updated•18 years ago
Whiteboard: [sg:critical] js1.7 fixed in bug 355590
Updated•18 years ago
Keywords: fixed1.8.1
Comment 7•18 years ago
verified fixed 20061009 1.8 windows/linux/mac*, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Comment 8•18 years ago
Already fixed, clearing nomination flag; also clearing security flag per comment 4
Group: security
Flags: blocking1.8.1.1?
Comment 9•17 years ago
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-355583.js,v <-- regress-355583.js