Closed Bug 373931 Opened 17 years ago Closed 17 years ago

javascript integer overflow in memory allocation

Categories

(Core :: JavaScript Engine, defect)

x86
Other
defect
Not set
major

Tracking


RESOLVED FIXED

People

(Reporter: msg, Assigned: mrbkap)

Details

(Whiteboard: [sg:nse] local exploit for js shell)

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2

js.c ReadLine() exponentially allocates its read buffer.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Actual Results:
The various calculations around the size of the buffer desynchronize during reads. Bufsize can quickly wrap to 0 and be vastly smaller than buflength, causing a read past the heap chunk allocated.


Use caution when allocating exponentially; this allocator will fail just after an allocation of 0x40000000, which is likely to be present on many systems.
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
js.c is not part of any web browser or mail app, it's just a standalone testing shell. But it is (IIRC) shipped as part of openbsd, in /usr/bin/js. We should definitely fix this -- handing to crowder. Thanks for the report!

Not sure this bug needs to be s-s.

/be
Assignee: general → crowder
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: javascript intager overflow in memory allocation → javascript integer overflow in memory allocation
Group: security
Whiteboard: [sg:nse] local exploit for js shell
Attached patch Fix (obsolete) — Splinter Review
This seems like the easiest fix. I don't think that buflength can wrap faster than bufsize, since bufsize grows exponentially and buflength grows by a constant factor of 256 each time.
Assignee: crowder → mrbkap
Status: NEW → ASSIGNED
Attachment #267215 - Flags: review?(crowder)
Comment on attachment 267215 [details] [diff] [review]
Fix

Doesn't fall back to slower growth in the overflow case, but I sincerely doubt it will matter for a long time.
Attachment #267215 - Flags: review?(crowder) → review+
Attached patch Fix — Splinter Review
Oops, forgot to report error in the overflow case.
Attachment #267215 - Attachment is obsolete: true
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite-
