Having this list be in VectorClass means that types can outlive their Domains, leaking things unpleasantly. This should be moved to the Domain.
Created attachment 426789
Patch

This seems to mitigate the problem. Note that the change in VTable.cpp mitigates a latent bug we had before: we were using the wrong Traits as the base, but as long as sizeof(VectorClass)>=sizeof(ObjectVectorClass) we were safe.

Marking with security bit pending review -- I don't think this is exploitable (just a leak), but I want other thoughts on it and also to ponder over the weekend.
Attachment #426789 - Flags: review? → review?(tierney)
Comment on attachment 426789
Patch

it doesn't look like the protocol for creating & searching for parameterized types mirrors the protocol for scalar types.

or... is it safe to bypass that because we stuff Vector<T> into whatever domain owns T?
Attachment #426789 - Flags: superreview?(edwsmith) → superreview-
(In reply to comment #2)
> (From update of attachment 426789)
> it doesn't look like the protocol for creating & searching for parameterized
> types mirrors the protocol for scalar types.
>
> or... is it safe to bypass that because we stuff Vector<T> into whatever domain
> owns T?

That's the theory.
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → flash10.1
OK, I have r+ on this; now the question is, is this really a security issue or not? (I can land it in tr-sec if there's any doubt, but it's on the large side for a security patch, so long-term maintenance will be easier if it's not necessary.)
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Engineering work item. Marking verified fixed.
Status: RESOLVED → VERIFIED