Closed Bug 368534 Opened 13 years ago Closed 13 years ago
ordering problem in script
I realized after checking it in that my recent patch introduced an ordering problem that was recommended in a review for a later patch. Here's the fix. I landed my broken-ness on both branches, of course. Yay me. This may not _itself_ be security-critical but it is a real bug, and is related to patches from security-critical bugs, so I have marked it security sensitive for now. Bug 367120 is where I originally perpetrated my mayhem.
Sorry for bugspam.
Attachment #253142 - Attachment is obsolete: true
Attachment #253143 - Flags: review?(brendan)
Attachment #253143 - Flags: approval184.108.40.206?
Attachment #253143 - Flags: approval220.127.116.11?
Attachment #253142 - Flags: review?(brendan)
Attachment #253142 - Flags: approval18.104.22.168?
Attachment #253142 - Flags: approval22.214.171.124?
Attachment #253143 - Flags: review?(brendan) → review+
Comment on attachment 253143 (with context): a=dveditz for 1.8/1.8.0 branches
Trunk:
Checking in jsscript.c; /cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c new revision: 3.134; previous revision: 3.133 done
Moz-1.8:
Checking in jsscript.c; /cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c new revision: 126.96.36.199; previous revision: 188.8.131.52 done
Moz-1.8.0:
Checking in jsscript.c; /cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c new revision: 184.108.40.206.2.6; previous revision: 220.127.116.11.2.5 done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Adding taras to this bug as an example of a potentially statically-analyzable bad bug. Basically, the ordering mistake here (getting the script pointer too early) allows the value conversion to destroy the referenced heap data, leaving you with a pointer into bogus memory. I'm not sure if this really IS statically analyzable, but you might be able to posit some "lint-like" rules (the pointer returned by GetPrivate could be considered untrusted after a variety of JS routines run).
Whiteboard: [sg:nse] → [sg:critical?] potential memory issue
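The ordering bug described in comment 0 and explained in the comment above (a private pointer fetched before a value conversion that can run script and free the data it points to) as an added example; this is not code from jsscript.c or the patch, and all names (ScriptData, Context, GetPrivate, ConvertValue, read_generation_*) are hypothetical. A small fixed pool with an explicit `alive` flag stands in for the heap so the stale read is well-defined and observable; a real heap gives no such flag, and the vulnerable order simply reads freed memory.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the bug pattern (hypothetical names, not SpiderMonkey code):
 * a script object holds a private pointer to heap data, and a value
 * conversion may run arbitrary script (or a GC/finalizer) that releases that
 * data. A fixed pool stands in for the heap so the stale read is observable
 * through the `alive` flag instead of being undefined behaviour. */

#define POOL_SLOTS 4

typedef struct ScriptData {
    int alive;          /* 1 while owned by a script object, 0 after release */
    int generation;     /* bumps each time the conversion replaces the data */
    char filename[32];
} ScriptData;

typedef struct ScriptObject {
    ScriptData *priv;   /* what GetPrivate() returns */
} ScriptObject;

typedef struct Context {
    ScriptData pool[POOL_SLOTS];
    int next_slot;
    ScriptObject obj;
    int conversion_runs_code;   /* 1: ConvertValue re-enters and replaces priv */
} Context;

static ScriptData *pool_alloc(Context *cx, int generation) {
    ScriptData *d = &cx->pool[cx->next_slot++ % POOL_SLOTS];
    d->alive = 1;
    d->generation = generation;
    snprintf(d->filename, sizeof d->filename, "script-gen%d.js", generation);
    return d;
}

static void pool_free(ScriptData *d) {
    d->alive = 0;
    memset(d->filename, 0, sizeof d->filename);   /* stands in for free() */
}

static void context_init(Context *cx, int conversion_runs_code) {
    memset(cx, 0, sizeof *cx);
    cx->conversion_runs_code = conversion_runs_code;
    cx->obj.priv = pool_alloc(cx, 1);
}

static ScriptData *GetPrivate(ScriptObject *obj) { return obj->priv; }

/* The value conversion: in the engine this can run script, which can trigger
 * GC and finalize or replace the script object's private data. */
static const char *ConvertValue(Context *cx, int arg) {
    if (cx->conversion_runs_code) {
        ScriptData *old = cx->obj.priv;
        cx->obj.priv = pool_alloc(cx, old->generation + 1);
        pool_free(old);
    }
    return arg ? "true" : "false";
}

/* Wrong order: the private pointer is taken before the conversion, so any
 * code the conversion runs can free what it points to. Returns the
 * generation read, or -1 when the pointer is stale. */
int read_generation_vulnerable(Context *cx, int arg) {
    ScriptData *script = GetPrivate(&cx->obj);   /* too early */
    const char *str = ConvertValue(cx, arg);
    (void)str;
    if (!script->alive)
        return -1;                               /* real code: use-after-free */
    return script->generation;
}

/* Fixed order: run every routine that can execute script first, then fetch
 * the private pointer and use it with no such call in between. This is the
 * "lint-like" rule from the comment above: the GetPrivate() result is
 * untrusted once any routine that can run JS has been called. */
int read_generation_fixed(Context *cx, int arg) {
    const char *str = ConvertValue(cx, arg);
    (void)str;
    ScriptData *script = GetPrivate(&cx->obj);
    if (!script->alive)
        return -1;
    return script->generation;
}

/* Run one scenario on a fresh context and return the generation read. */
int demo(int vulnerable_order, int conversion_runs_code) {
    Context cx;
    context_init(&cx, conversion_runs_code);
    return vulnerable_order ? read_generation_vulnerable(&cx, 1)
                            : read_generation_fixed(&cx, 1);
}

int main(void) {
    printf("vulnerable order, conversion runs code: %d\n", demo(1, 1));  /* -1 */
    printf("fixed order, conversion runs code:      %d\n", demo(0, 1));  /* 2 */
    return 0;
}
```

With a conversion that cannot run code both orders behave the same, which is why the bug is easy to introduce: it only shows once the conversion re-enters the engine, and then only if the freed slot has been reused or poisoned, so a real-heap version may pass tests and still be exploitable.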