Closed
Bug 480943
Opened 16 years ago
Closed 16 years ago
access violation in js3250 when parsing crafted JS
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 368224
People: Reporter: david.maciejak, Unassigned
Attachments: 1 file (89 bytes, text/html)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Hi,
I got a reading access violation when trying to read some JavaScript. I have isolated the problem and am providing the PoC in the "Steps to Reproduce" part.
When adding some extra code, it seems we can change the crash address.
The issue does not occur in Firefox 3.x.
Regards,
David Maciejak of Fortinet's FortiGuard Global Security Research Team
Reproducible: Always
Steps to Reproduce:
1. Save the code below in a file (or open the file enclosed)
<html>
<body>
<script>
function anon() {({a:[x]})= #0={}}
</script>
</body>
</html>
2. Open the file in the browser
Actual Results:
browser is crashing
Expected Results:
browser should not crash
Comment 1•16 years ago (Reporter)
Updated•16 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.8 Branch
Comment 2•16 years ago
When running this testcase in a debug build I get
Assertion failure: pnprop->pn_type == TOK_COLON
Assertion failure: !fp->dormantNext
The first is bug 368224 and the second is bug 387725, both fixed in Firefox 3.0 so that fits your description. Since the testcase looks like 368224 and that one gets hit first I'm going to dupe there.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated•16 years ago
Group: core-security