TM: traceable native for Number.toString() doesn't fall off trace for OOM

RESOLVED FIXED

Status

Core
JavaScript Engine
8 years ago
4 years ago

People

(Reporter: gal, Assigned: gal)

Tracking

Trunk
Points:
---
Bug Flags:
blocking1.9.2 +
in-testsuite ?

Firefox Tracking Flags

(status1.9.2 beta3-fixed)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

(Assignee)

Description

8 years ago
Not exploitable. A DOS at best.
Flags: blocking1.9.2?
(Assignee)

Comment 1

8 years ago
Created attachment 406282
patch

This currently depends on 522195 to apply cleanly (522195 added another case with the same bug, extending the existing code; this patch fixes both).
Assignee: general → gal
Attachment #406282 - Flags: review?(brendan)
(Assignee)

Updated

8 years ago
tracking-fennec: --- → ?
OS: Mac OS X → All
Hardware: x86 → All
(Assignee)

Comment 2

8 years ago
for (var i = 2; i < 40; ++i)
    (5).toString(i);

whale:src gal$ ./Darwin_DBG.OBJ/js -j x.js
x.js:2: Error: illegal radix 37
whale:src gal$
Attachment #406282 - Flags: review?(brendan) → review+
With trace-test addition of course.

/be
Flags: in-testsuite?
(Assignee)

Comment 4

8 years ago
http://hg.mozilla.org/tracemonkey/rev/e0f7220ab9ee
Whiteboard: fixed-in-tracemonkey

Comment 5

8 years ago
http://hg.mozilla.org/mozilla-central/rev/e0f7220ab9ee
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated

8 years ago
Flags: blocking1.9.2? → blocking1.9.2+

Comment 6

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/46e8cdd2b2a4
status1.9.2: --- → final-fixed
Group: core-security
tracking-fennec: ? → ---