Closed Bug 375711 Opened 17 years ago Closed 17 years ago

"Assertion failure: c <= cs->length" [@ AddCharacterRangeToCharSet] with /[Q-b]/i

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(4 keywords, Whiteboard: [sg:critical])

Crash Data

Attachments

(3 files, 2 obsolete files)

js> /[Q-b]/i.exec("")
Assertion failure: c <= cs->length, at jsregexp.c:2219

Security-sensitive for now because the code involved is playing with bit arrays.

0   js 	0x000c6904 JS_Assert + 70 (jsutil.c:60)
1   js 	0x000aa9ec AddCharacterRangeToCharSet + 111 (jsregexp.c:2235)
2   js 	0x000ab4ad ProcessCharSet + 2516 (jsregexp.c:2431)
3   js 	0x000ae558 InitMatch + 636 (jsregexp.c:3320)
4   js 	0x000ae752 js_ExecuteRegExp + 435 (jsregexp.c:3369)
5   js 	0x000b02e7 regexp_exec_sub + 1047 (jsregexp.c:4121)
6   js 	0x000b045b regexp_exec + 53 (jsregexp.c:4137)
7   js 	0x000574f3 js_Invoke + 2954 (jsinterp.c:1353)
Attached patch Wrong file (obsolete) — Splinter Review
We need to upcase before we deal with character ranges when calculating the bitmap size since that's what ProcessCharSet does.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #260022 - Flags: review?(crowder)
Attached patch Right file — Splinter Review
Attachment #260022 - Attachment is obsolete: true
Attachment #260023 - Flags: review?(crowder)
Attachment #260022 - Flags: review?(crowder)
Attachment #260022 - Attachment description: Proposed fix → Wrong file
Comment on attachment 260023 [details] [diff] [review]
Right file

+        if (state->flags & JSREG_FOLD) {
+            c = JS_MAX(upcase((jschar)localMax), downcase((jschar)localMax));
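Review bot: the new bound folds only localMax, but under JSREG_FOLD the start of the range needs the same treatment, since its lowercase form can lie above the folded end (for the reported /[Q-b]/i, 'Q' folds to 'q', which is above 'b') and ProcessCharSet will insert it. Worth confirming that the moved code folds each character before the range bookkeeping runs, as the patch description says, so the range start is covered as well as the end.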

House-style on casts would be |(jschar) localMax| (i.e., with a space between the cast's closing paren and the variable name), correct?
Attachment #260023 - Flags: review?(crowder) → review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment on attachment 260033 [details] [diff] [review]
Patch to check in

This fixes what I believe is a potentially-exploitable bug by simply moving existing code around.
Attachment #260033 - Flags: review+
Attachment #260033 - Flags: approval1.8.1.4?
Attachment #260033 - Flags: approval1.8.0.12?
Adding some branch nomination flags so it gets looked at after a bit of baking on the trunk.
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Whiteboard: [sg:critical]
Comment on attachment 260033 [details] [diff] [review]
Patch to check in

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #260033 - Flags: approval1.8.1.4?
Attachment #260033 - Flags: approval1.8.1.4+
Attachment #260033 - Flags: approval1.8.0.12?
Attachment #260033 - Flags: approval1.8.0.12+
Flags: in-testsuite+
correct test name and bug number. I need a slurpee.
Attachment #260547 - Attachment is obsolete: true
verified fixed linux, windows, mac* shell 20070406
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical] → [sg:critical] needs branch landing
Blake: any chance you can check this in over the weekend once you're done with finals? We're planning on doing the branch RC1 builds on Monday (4/30)
Fixed on branches.
verified fixed 1.8.0 1.8.1 1.9.0 windows/linux/mac* 20070427
Whiteboard: [sg:critical] needs branch landing → [sg:critical]
Group: security
/cvsroot/mozilla/js/tests/ecma_3/RegExp/regress-375711.js,v  <--  regress-375711.js
initial revision: 1.1
Crash Signature: [@ AddCharacterRangeToCharSet]