Closed
Bug 509075
Opened 15 years ago
Closed 15 years ago
Crash [@ js_ValueToString]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: pvnick, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:critical])
Attachments
(4 files)
|
602 bytes,
text/html
|
Details | |
|
6.88 KB,
text/plain
|
Details | |
|
4.94 KB,
patch
|
jorendorff
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
|
1.19 KB,
patch
|
mrbkap
:
review+
christian
:
approval1.9.2.11+
christian
:
approval1.9.1.14+
|
Details | Diff | Splinter Review |
No description provided.
|
Reporter | |
Comment 1•15 years ago
|
||
|
||
Updated•15 years ago
|
Group: core-security
|
||
Comment 2•15 years ago
|
||
crashes mac 1.9.2 @ JS_HashTableDestroy bp-b5d38e43-91b8-4994-8ac7-bacb62090807
|
Assignee | |
Comment 4•15 years ago
|
||
The fix here is the argc == 0 check, the rest of it is updating the code to use shiny new APIs.
Attachment #393249 -
Flags: review?(jorendorff)
|
|
Reporter | |
Comment 5•15 years ago
|
||
I'm so sorry, I didn't think this was security-sensitive. Not bad for my fuzzer's first bug ;)
|
||
Updated•15 years ago
|
Attachment #393249 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Updated•15 years ago
|
Attachment #393249 -
Flags: superreview?(jst)
|
||
Updated•15 years ago
|
Attachment #393249 -
Flags: superreview?(jst) → superreview+
|
|
Assignee | |
Comment 6•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/8b71bff4079d
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?] → [sg:critical]
|
|
||
Comment 7•14 years ago
|
||
Re-reported as bug 598669 / ZDI-CAN-929.
|
||
Comment 8•14 years ago
|
||
Why wasn't this fix backported to 1.9.2, especially if it's been fixed on trunk for a year? :/
blocking1.9.2: --- → ?
status1.9.2:
--- → ?
|
||
Updated•14 years ago
|
|
|
||
Comment 9•14 years ago
|
||
I crashed with this testcase in 3.5.12pre (bp-efdae1d6-c261-42ba-a8a2-be5882100924 -- pthread_mutex_lock, something else?) but after upgrading to a current nightly I no longer crash. Is this problem a regression between 1.9.1 and 1.9.2?
|
|
||
Comment 10•14 years ago
|
||
I take back comment 9: it doesn't seem to crash in 1.9.1 if I open the testcase in a new tab, but if I just click the link to navigate from the bug to the testcase it goes down immediately. Another pthread_mutex_lock crash, but with symbols this time so it does look like the same area as this bug and bug 598669 bp-2fa1fcef-aab5-46a8-b5df-8ea972100924
blocking1.9.1: ? → .14+
|
|
||
Updated•14 years ago
|
Blocks: CVE-2010-3183
|
|
||
Comment 11•14 years ago
|
||
Attachment #478904 -
Flags: review?(mrbkap)
|
|
Assignee | |
Comment 12•14 years ago
|
||
Comment on attachment 478904 [details] [diff] [review] 1.9.2 fix. Thanks!
Attachment #478904 -
Flags: review?(mrbkap) → review+
|
|
||
Comment 13•14 years ago
|
||
Comment on attachment 478904 [details] [diff] [review] 1.9.2 fix. This applies to 1.9.1 as well, and while I can not trigger a crash in 1.9.1 locally, this should be fixed there as well.
Attachment #478904 -
Flags: approval1.9.2.11?
Attachment #478904 -
Flags: approval1.9.1.14?
|
||
Comment 14•14 years ago
|
||
Comment on attachment 478904 [details] [diff] [review] 1.9.2 fix. a=LegNeato for 1.9.2.11 and 1.9.1.14
Attachment #478904 -
Flags: approval1.9.2.11?
Attachment #478904 -
Flags: approval1.9.2.11+
Attachment #478904 -
Flags: approval1.9.1.14?
Attachment #478904 -
Flags: approval1.9.1.14+
Keywords: checkin-needed
|
|
||
Comment 15•14 years ago
|
||
Looks like jst checked this in: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6f77c13209a8
Keywords: checkin-needed
|
|
||
Updated•14 years ago
|
Group: core-security
|
|
||
Comment 17•14 years ago
|
||
Crashtest: http://hg.mozilla.org/mozilla-central/rev/0981dd4be638
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•