Closed Bug 503402 Opened 16 years ago Closed 16 years ago

Assertion failure: "STRING_BUFFER_OK(sb)" - Negative values for space (third) param to JSON.stringify causes 3.5 to hang [@ js_json_stringify]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Version:
1.9.1 Branch
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: lsmith, Assigned: brendan)

References

(
URL
)

Details

(5 keywords, Whiteboard: [sg:critical], fixed-in-tracemonkey)

Crash Data

Attachments

(2 files)

proposed fix
2.63 KB, patch
sayrer
: review+
jorendorff
: review+
Details | Diff | Splinter Review
branch patch
2.91 KB, patch
samuel.sidler+old
: approval1.9.1.1+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11 Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11 Calling e.g. JSON.stringify({ x: 1 }, null, -4) is at least stopping the js processing in the current threat. Possibly hanging the page. No error occurs, but processing stops. Reproducible: Always Steps to Reproduce: 1. document.body.innerHTML = JSON.stringify({x:1},null,-4); Actual Results: A whole lotta nothing Expected Results: The body contains only {"x":1} since the ECMA 5 spec for JSON says only values between 0 and 100 (possibly less than 100--I heard of an update but haven't investigated) are supported. Anything else is treated as empty string. This was discovered by the test suite I built for YUI when adding native browser support to the JSON utility. I abstracted the test suite out to just exercise native implementations. It is available here for your reference: http://lucassmith.name/pub/browser_bugs/ff/native_json.html It may come in handy for your tests. If there are tests in there that misinterpret the spec, I'd love to know.
javascript:alert(JSON.stringify({x:1},null,-4)) crashes for me (unfortunately I've never been able to submit reports) Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko/20090709 Minefield/3.6a1pre ID:20090709091211
Keywords: crash
OS: Mac OS X → All
Hardware: x86 → All
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Severity: normal → critical
Group: core-security
I don't know the code in question but this smell sufficiently like a buffer overrun to hide it. Sayrer, can you take a look and unhide if its harmless?
ToUint32(-4) => bignum, that goes to js_RepeatChar, ENSURE_STRING_BUFFER(sb, bignum) includes an integer overflow then goes into GrowStringBuffer with bignum, which doesn't check for integer overflows at all (note newlength += sb->ptr - sb->base + 1, immediate wraparound if space=-1), and I think at that point it's an exercise for the reader. Unclear at first glance where the overflow check(s, most likely) need to be added... This is also a spec bug, as my candidate-*.pdf doesn't really deal with negative values (it has verbiage that if space < 1 it's an empty string, but that seems more explanatory than prescriptive, and it's preceded by "Set gap to a string containing |space| space characters"). Also note: JSON.stringify({}, null, -s) asserts for any s greater than 1 (1 crashes) in shell.
Whiteboard: [sg:critical]
Assignee: general → brendan
Flags: blocking1.9.1.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.2a1
Attached patch proposed fixSplinter Review
Sorry about the old trap here, into which json.cpp walked with my r+. /be
Attachment #387877 - Flags: review?(sayrer)
There's a bug in json.cpp still, but I will let sayrer file and fix it. ES5 draft in 15.12.3 stringify ( value [ , replacer [ , space ] ] ) says 4.6. If Type(space) is number a. Let space be min(10, ToInteger(space))the lesser of space and 100. number is double and ToInteger converts the double to an integral value but still an IEEE double. In no case should space be JS_ValueToECMAUint32 be called without the above min() being computed. /be
Sorry, left out 4.6(b) of 15.12.3: b. Set gap to a string containing space space characters. This will be the empty string if space is less than 1. This is from the latest draft with edits, found at http://wiki.ecmascript.org/doku.php?id=es3.1:es3.1_proposal_working_draft /be
(In reply to comment #5) > There's a bug in json.cpp still, but I will let sayrer file Had a minute, so I filed bug 503524. /be
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Attachment #387877 - Flags: review?(sayrer)
Attachment #387877 - Flags: review?(jorendorff)
Attachment #387877 - Flags: review+
We need to fix this in 1.9.1.1.
Flags: blocking1.9.1.1? → blocking1.9.1.1+
Attachment #387877 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/tracemonkey/rev/3ac0a33eec85
Whiteboard: [sg:critical] → [sg:critical], fixed-in-tracemonkey
JSON.stringify({x:1},null,-4) A (hacked) autoBisect shows this is probably related to bug 442059 : The first bad revision is: changeset: 28053:274140a44a2d user: Robert Sayre date: Thu May 07 13:28:21 2009 -0700 summary: Bug 442059 - [native JSON] allow to blacklist keys by name when encoding to JSON. r=brendan
Blocks: 442059
Flags: in-testsuite?
Keywords: regression, testcase
Version: unspecified → 1.9.1 Branch
Can we get this on mozilla-central and an approval request for 1.9.1.1?
http://hg.mozilla.org/mozilla-central/rev/3ac0a33eec85
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Attached patch branch patchSplinter Review
only difference is PTRDIFF macro on the branch.
Attachment #388499 - Flags: approval1.9.1.1?
Comment on attachment 388499 [details] [diff] [review] branch patch Approved for 1.9.1.1. a=ss
Attachment #388499 - Flags: approval1.9.1.1? → approval1.9.1.1+
Why don't I get an alert box on 1.9.1 but on trunk? Tested on all platforms with a build like Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090715 Shiretoko/3.5.1pre (.NET CLR 3.5.30729) ID:20090715044728
Summary: Negative values for space (third) param to JSON.stringify causes 3.5 to hang → Negative values for space (third) param to JSON.stringify causes 3.5 to hang [@ js_json_stringify]
(In reply to comment #16) > Why don't I get an alert box on 1.9.1 but on trunk? Tested on all platforms > with a build like Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; > rv:1.9.1.1pre) Gecko/20090715 Shiretoko/3.5.1pre (.NET CLR 3.5.30729) > ID:20090715044728 I don't know what this comment means.
I tried the test mentioned in comment 1: javascript:alert(JSON.stringify({x:1},null,-4)) In Minefield I get an alert box but not on 1.9.1.
(In reply to comment #18) > I tried the test mentioned in comment 1: > javascript:alert(JSON.stringify({x:1},null,-4)) > > In Minefield I get an alert box but not on 1.9.1. I think it is because bug 503524 is not yet fixed on branch.
Rob/Whimboo: can you verify that this is fixed in latest-mozilla1.9.1 nightly or better yet the 3.5.1 release candidate: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.5.1-candidates/build1/
Verified fixed on 1.9.1 with the debug build 20090716100323 on OS X. No assertion or crash is visible.
Keywords: fixed1.9.1.1assertion, verified1.9.1.1
Summary: Negative values for space (third) param to JSON.stringify causes 3.5 to hang [@ js_json_stringify] → Assertion failure: "STRING_BUFFER_OK(sb)" - Negative values for space (third) param to JSON.stringify causes 3.5 to hang [@ js_json_stringify]
Verified fixed with the debug build 20090716110626 on OS X. Now that I was able to checked the fix with a fresh trunk debug build too I see a difference to 1.9.1. No idea if this is related to bug 503524. Running the testcase in Shiretoko I see: js> JSON.stringify({x:1},null,-4) typein:1: out of memory
Status: RESOLVED → VERIFIED
(In reply to comment #22) > Verified fixed with the debug build 20090716110626 on OS X. > > Now that I was able to checked the fix with a fresh trunk debug build too I see > a difference to 1.9.1. No idea if this is related to bug 503524. Yes, the fix for bug 503524 makes m-c and tracemonkey builds clamp the third argument to be in [1,10] per draft ES5. The OOM in 1.9.1 branch builds is not per spec but it beats a crash! /be
status1.9.1: --- → wanted
Flags: wanted1.9.1.x+
Crash Signature: [@ js_json_stringify]
This was fixed a long time ago, can we open this up?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: