Bug 368534 - ordering problem in script_toSource
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] potential memory issue
Keywords: fixed1.8.0.10, fixed1.8.1.2, regression
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware/OS: All / All
Importance: -- normal
Assigned To: Brian Crowder
Blocks: 367120
Reported: 2007-01-28 22:53 PST by Brian Crowder
Modified: 2007-02-23 16:59 PST
Flags: bob: in-testsuite-

Attachments
check instanceof first (374 bytes, patch) - 2007-01-28 22:53 PST, Brian Crowder - no flags
with context (1.04 KB, patch) - 2007-01-28 22:55 PST, Brian Crowder - brendan: review+; dveditz: approval1.8.1.2+; dveditz: approval1.8.0.10+

Description Brian Crowder 2007-01-28 22:53:20 PST
Created attachment 253142
check instanceof first

I realized after checking it in that my recent patch introduced an ordering problem that was recommended in a review for a later patch.  Here's the fix.  I landed my broken-ness on both branches, of course.  Yay me.

This may not _itself_ be security-critical but it is a real bug, and is related to patches from security-critical bugs, so I have marked it security sensitive for now.  Bug 367120 is where I originally perpetrated my mayhem.
Comment 1 Brian Crowder 2007-01-28 22:55:13 PST
Created attachment 253143
with context

Sorry for bugspam.
Comment 2 Daniel Veditz [:dveditz] 2007-01-28 23:48:38 PST
Comment on attachment 253143
with context

a=dveditz for 1.8/1.8.0 branches
Comment 3 Brian Crowder 2007-01-29 00:38:05 PST
Trunk:
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.134; previous revision: 3.133
done

Moz-1.8:
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.22; previous revision: 3.79.2.21
done

Moz-1.8.0:
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.5.2.6; previous revision: 3.79.2.5.2.5
done
Comment 4 Brian Crowder 2007-02-09 13:12:35 PST
Adding taras to this bug as an example of a potentially statically-analyzable bad bug.  Basically, the ordering mistake here (getting the script pointer too early) allows the value conversion to destroy the referenced heap data, leaving you with a pointer into bogus memory.  I'm not sure if this really IS statically analyzable, but you might be able to posit some "lint-like" rules (the pointer returned by GetPrivate could be considered untrusted after a variety of JS routines run).
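The ordering mistake described in comment 4, as an added C model that is not SpiderMonkey code: `get_private` and `value_to_int32` are hypothetical stand-ins for GetPrivate and the value-conversion routine, and the single static `heap_slot` simulates the collector reclaiming the script, so the stale read in the buggy ordering returns a poison value instead of touching freed memory.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the ordering bug in comment 4, not SpiderMonkey code. */
typedef struct { int live; long lineno; } Script;   /* collector-managed data */
typedef struct { Script *private_data; } Object;    /* wrapper object */
static Script heap_slot;   /* one simulated heap slot the collector reuses */
static Object script_obj;

/* Constructed fixture: a fresh Script object whose data lives in heap_slot. */
Object *fresh_script_object(long lineno) {
    heap_slot.live = 1;
    heap_slot.lineno = lineno;
    script_obj.private_data = &heap_slot;
    return &script_obj;
}

static Script *get_private(Object *obj) { return obj->private_data; } /* GetPrivate */

/* Stands in for a value conversion that can run script: the constructed argument
 * "drop" models a hook that clears the wrapper's reference, after which the
 * collector finalizes and poisons the slot. */
static long value_to_int32(Object *obj, const char *arg) {
    if (strcmp(arg, "drop") != 0)
        return strtol(arg, NULL, 10);
    if (obj->private_data) {
        obj->private_data->live = 0;          /* finalizer ran */
        obj->private_data->lineno = -0xDEAD;  /* poison, like a freed cell */
        obj->private_data = NULL;
    }
    return 0;
}

/* Buggy ordering: the private pointer is fetched before the conversion and
 * dereferenced after it. On a real heap that is a use-after-free; here the
 * slot stays mapped, so the stale read returns the poison value instead. */
long to_source_early(Object *obj, const char *indent_arg) {
    Script *script = get_private(obj);
    if (!script) return -1;
    value_to_int32(obj, indent_arg);   /* may run script and collect */
    return script->lineno;             /* stale pointer used here */
}

/* Fixed ordering: run anything that can execute script first, then fetch and
 * validate the private pointer (lint rule: a get_private result is untrusted
 * after any call that can run script). */
long to_source_fixed(Object *obj, const char *indent_arg) {
    value_to_int32(obj, indent_arg);
    Script *script = get_private(obj);
    if (!script || !script->live) return -1;   /* no longer a live script */
    return script->lineno;
}
```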
