Bug 373931 - javascript integer overflow in memory allocation
Status: Closed, RESOLVED FIXED
Opened 17 years ago; closed 17 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: msg, Assigned: mrbkap
Whiteboard: [sg:nse] local exploit for js shell
Attachments: 1 file, 1 obsolete file (patch, 1.08 KB)
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2

js.c ReadLine() exponentially allocates its read buffer.

Reproducible: Always

Actual Results:
The various calculations around the size of the buffer desynchronize during reads. Bufsize can quickly wrap to 0 and be vastly smaller than buflength, causing a read past the heap chunk allocated. Use caution when allocating exponentially; this allocator will fail just after an allocation of 0x40000000, which is likely to be present on many systems.
Updated•17 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Comment 1•17 years ago
js.c is not part of any web browser or mail app, it's just a standalone testing shell. But it is (IIRC) shipped as part of openbsd, in /usr/bin/js. We should definitely fix this -- handing to crowder. Thanks for the report! Not sure this bug needs to be s-s. /be
Assignee: general → crowder
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•17 years ago
Summary: javascript intager overflow in memory allocation → javascript integer overflow in memory allocation
Updated•17 years ago
Group: security
Whiteboard: [sg:nse] local exploit for js shell
Comment 2 (Assignee)•17 years ago
This seems like the easiest fix. I don't think that buflength can wrap faster than bufsize, since bufsize grows exponentially and buflength grows by a constant factor of 256 each time.
Comment 3•17 years ago
Comment on attachment 267215 (Fix): Doesn't fall back to slower growth in the overflow case, but I sincerely doubt it will matter for a long time.
Attachment #267215 -
Flags: review?(crowder) → review+
Comment 4 (Assignee)•17 years ago
Oops, forgot to report error in the overflow case.
Attachment #267215 -
Attachment is obsolete: true
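The growth pattern from the description and the check described in comments 2 and 4, written out as an added C example (this is not the attached patch, which is not on this page; function and variable names are assumptions): after doubling, a wrapped bufsize is no longer larger than buflength, and the reader fails instead of reading past the allocation.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the bug's attached patch. bufsize doubles on each
 * growth step while buflength grows only by what was read, so once the
 * doubling wraps past SIZE_MAX, bufsize is smaller than buflength and the
 * next read would land outside the allocation (the report's scenario).
 * Comparing the doubled size with buflength (comment 2) and failing the
 * read instead of continuing (comment 4) closes that window. */

/* Double bufsize; return 0 if the result wrapped and no longer exceeds
 * the bytes already held, so the caller must abort instead of realloc. */
size_t grow_bufsize(size_t bufsize, size_t buflength)
{
    size_t next = bufsize * 2;    /* unsigned multiply wraps silently */
    return next > buflength ? next : 0;
}

/* Read one line of any length from fp into a malloc'd buffer. Returns NULL
 * at EOF with no data, on allocation failure, or when growth wrapped. */
char *read_line_growing(FILE *fp)
{
    size_t bufsize = 256, buflength = 0;
    char *buffer = malloc(bufsize);
    if (!buffer) return NULL;
    for (;;) {
        size_t room = bufsize - buflength;              /* >= 2 by construction */
        int n = room > INT_MAX ? INT_MAX : (int)room;   /* fgets takes an int */
        if (!fgets(buffer + buflength, n, fp)) break;   /* EOF or read error */
        buflength += strlen(buffer + buflength);
        if (buflength && buffer[buflength - 1] == '\n') break; /* line done */
        if (buflength + 1 == bufsize) {                 /* buffer full: grow */
            size_t next = grow_bufsize(bufsize, buflength);
            char *tmp = next ? realloc(buffer, next) : NULL;
            if (!tmp) { free(buffer); return NULL; }    /* OOM or wrap: fail */
            buffer = tmp;
            bufsize = next;
        }
    }
    if (buflength == 0) { free(buffer); return NULL; }
    return buffer;
}
```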
Comment 5 (Assignee)•17 years ago
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: in-testsuite-