Bug 375711 (Closed): "Assertion failure: c <= cs->length" [@ AddCharacterRangeToCharSet] with /[Q-b]/i
Opened 18 years ago; closed 18 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: jruderman, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical]
Attachments (3 files, 2 obsolete files):
- patch, 1.56 KB: crowderbt: review+
- patch, 1.56 KB: mrbkap: review+; dveditz: approval1.8.1.4+; dveditz: approval1.8.0.12+
- text/plain, 2.40 KB
Description (reporter jruderman):
js> /[Q-b]/i.exec("")
Assertion failure: c <= cs->length, at jsregexp.c:2219
Security-sensitive for now because the code involved is playing with bit arrays.
0 js 0x000c6904 JS_Assert + 70 (jsutil.c:60)
1 js 0x000aa9ec AddCharacterRangeToCharSet + 111 (jsregexp.c:2235)
2 js 0x000ab4ad ProcessCharSet + 2516 (jsregexp.c:2431)
3 js 0x000ae558 InitMatch + 636 (jsregexp.c:3320)
4 js 0x000ae752 js_ExecuteRegExp + 435 (jsregexp.c:3369)
5 js 0x000b02e7 regexp_exec_sub + 1047 (jsregexp.c:4121)
6 js 0x000b045b regexp_exec + 53 (jsregexp.c:4137)
7 js 0x000574f3 js_Invoke + 2954 (jsinterp.c:1353)
Comment 1 (assignee mrbkap, 18 years ago):
We need to upcase before we deal with character ranges when calculating the bitmap size since that's what ProcessCharSet does.
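A simplified model of the ordering problem in this comment, added here as an illustration and not SpiderMonkey's code: the bitmap for the class in /[Q-b]/i is sized once with folding applied after the range is handled (the pre-fix ordering described above; the exact pre-fix code is not on this page) and once with every member folded before the range is handled, and a population step checks the bound that jsregexp.c asserts. Case folding is ASCII-only here, and all struct and function names are this example's own.

```c
/* Simplified model of the class-bitmap sizing in jsregexp.c (this example's
 * own code, not SpiderMonkey's); case folding is ASCII-only here. */
struct range { unsigned char lo, hi; };
static unsigned upcase(unsigned c)   { return (c >= 'a' && c <= 'z') ? c - 32 : c; }
static unsigned downcase(unsigned c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }
static unsigned folded_max(unsigned c) { unsigned u = upcase(c), d = downcase(c); return u > d ? u : d; }

/* Pre-fix ordering (modelled): deal with the range first, then fold only its upper
 * endpoint. For [Q-b] this yields 'b' (0x62) even though 'Q'..'Z' fold to 'q'..'z'. */
unsigned size_fold_after_range(const struct range *r, unsigned n, int fold) {
    unsigned max = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned m = fold ? folded_max(r[i].hi) : r[i].hi;
        if (m > max) max = m;
    }
    return max;
}

/* Post-fix ordering: fold every member before dealing with the range, the same
 * order the class is populated in. For [Q-b] this yields 'z' (0x7a). */
unsigned size_fold_before_range(const struct range *r, unsigned n, int fold) {
    unsigned max = 0;
    for (unsigned i = 0; i < n; i++)
        for (unsigned c = r[i].lo; c <= r[i].hi; c++) {
            unsigned m = fold ? folded_max(c) : c;
            if (m > max) max = m;
        }
    return max;
}

/* Populate a bitmap of length + 1 bits with each member and its case
 * counterparts. Returns 0 instead of writing when a member exceeds length,
 * the condition behind JS_ASSERT(c <= cs->length) in the report. */
int populate(unsigned char *bits, unsigned length, const struct range *r, unsigned n, int fold) {
    for (unsigned i = 0; i < n; i++)
        for (unsigned c = r[i].lo; c <= r[i].hi; c++) {
            unsigned cand[3] = { c, upcase(c), downcase(c) };
            for (int k = 0; k < (fold ? 3 : 1); k++) {
                if (cand[k] > length) return 0;   /* would be an out-of-bounds write */
                bits[cand[k] >> 3] |= (unsigned char)(1u << (cand[k] & 7));
            }
        }
    return 1;
}
/* The class from /[Q-b]/i with the i flag: size it both ways and try to fill it. */
static const struct range QB = { 'Q', 'b' };
unsigned qb_size_after(void)  { return size_fold_after_range(&QB, 1, 1); }
unsigned qb_size_before(void) { return size_fold_before_range(&QB, 1, 1); }
int qb_populate(unsigned length) { unsigned char bits[32] = {0}; return populate(bits, length, &QB, 1, 1); }
```

With the pre-fix size (0x62) the population step rejects 'q' (the fold of 'Q'), which is the write the assertion in the report guards; with the post-fix size (0x7a) every member fits.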
Comment 2 (assignee mrbkap, 18 years ago):
Attachment #260022 - Attachment is obsolete: true
Attachment #260023 - Flags: review?(crowder)
Attachment #260022 - Flags: review?(crowder)
Updated (assignee mrbkap, 18 years ago):
Attachment #260022 - Attachment description: Proposed fix → Wrong file
Comment 3 (18 years ago):
Comment on attachment 260023 (Right file):
+ if (state->flags & JSREG_FOLD) {
+ c = JS_MAX(upcase((jschar)localMax), downcase((jschar)localMax));
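Review bot: the fold branch derives `c` from `localMax` alone, and these two lines do not show where `c` is consumed, so the hunk by itself cannot confirm that the folded value is what the range handling later compares against (comment 1 says the upcasing must happen before the character ranges are dealt with); include the lines that assign `c` back or compare it with the range start so the new ordering is visible in the diff.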
House-style on casts would be |(jschar) localMax| (i.e., with a space between the cast's closing paren and the variable name), correct?
Attachment #260023 - Flags: review?(crowder) → review+
Comment 4 (assignee mrbkap, 18 years ago):
Comment 5 (assignee mrbkap, 18 years ago):
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 6 (assignee mrbkap, 18 years ago):
Comment on attachment 260033 (Patch to check in):
This fixes what I believe is a potentially-exploitable bug by simply moving existing code around.
Attachment #260033 - Flags: review+
Attachment #260033 - Flags: approval1.8.1.4?
Attachment #260033 - Flags: approval1.8.0.12?
Comment 7 (18 years ago):
adding some branch nomination flags so it gets looked at after a bit of baking on the trunk
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Updated (18 years ago):
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Whiteboard: [sg:critical]
Comment 8 (18 years ago):
Comment on attachment 260033 (Patch to check in):
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #260033 - Flags: approval1.8.1.4?
Attachment #260033 - Flags: approval1.8.1.4+
Attachment #260033 - Flags: approval1.8.0.12?
Attachment #260033 - Flags: approval1.8.0.12+
Comment 9 (18 years ago):
Updated (18 years ago):
Flags: in-testsuite+
Comment 10 (18 years ago):
correct test name and bug number. I need a slurpee.
Attachment #260547 - Attachment is obsolete: true
Comment 11 (18 years ago):
verified fixed linux, windows, mac* shell 20070406
Status: RESOLVED → VERIFIED
Updated (18 years ago):
Whiteboard: [sg:critical] → [sg:critical] needs branch landing
Comment 12 (18 years ago):
Blake: any chance you can check this in over the weekend once you're done with finals? We're planning on doing the branch RC1 builds on Monday (4/30)
Comment 14 (18 years ago):
verified fixed 1.8.0 1.8.1 1.9.0 windows/linux/mac* 20070427
Whiteboard: [sg:critical] needs branch landing → [sg:critical]
Updated (18 years ago):
Group: security
Comment 15 (18 years ago):
/cvsroot/mozilla/js/tests/ecma_3/RegExp/regress-375711.js,v <-- regress-375711.js
initial revision: 1.1
Updated (14 years ago):
Crash Signature: [@ AddCharacterRangeToCharSet]