Bug 545973: VectorClass:instantiated_types needs to be per-Domain
Opened 15 years ago, closed 15 years ago
Categories: Tamarin Graveyard :: Virtual Machine, defect, P2
Tracking: Not tracked
Status: VERIFIED FIXED
Target Milestone: flash10.1
People: Reporter: stejohns, Assigned: stejohns
Attachments (1 file)
9.60 KB, patch | tierney: review+ | edwsmith: superreview+
Having this list be in VectorClass means that types can outlive their Domains, leaking things unpleasantly. This should be moved to the Domain.
Comment 1 (Assignee) • 15 years ago
This seems to mitigate the problem.
Note that the change in VTable.cpp mitigates a latent bug we had before: we were using the wrong Traits as the base, but as long as sizeof(VectorClass)>=sizeof(ObjectVectorClass) we were safe.
Marking with security bit pending review -- I don't think this is exploitable (just a leak), but I want other thoughts on it and also to ponder over the weekend.
Assignee: nobody → stejohns
Attachment #426789 - Flags: superreview?(edwsmith)
Attachment #426789 - Flags: review?
Updated (Assignee) • 15 years ago
Attachment #426789 - Flags: review? → review?(tierney)
Updated • 15 years ago
Attachment #426789 - Flags: review?(tierney) → review+
Comment 2 • 15 years ago
Comment on attachment 426789
Patch
it doesn't look like the protocol for creating & searching for parameterized types mirrors the protocol for scalar types.
or... is it safe to bypass that because we stuff Vector<T> into whatever domain owns T?
Attachment #426789 - Flags: superreview?(edwsmith) → superreview-
Comment 3 (Assignee) • 15 years ago
(In reply to comment #2)
> (From update of attachment 426789)
> it doesn't look like the protocol for creating & searching for parameterized
> types mirrors the protocol for scalar types.
>
> or... is it safe to bypass that because we stuff Vector<T> into whatever domain
> owns T?
That's the theory.
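
A toy C++ model of the lifetime problem discussed in this bug, added here as an illustration and not taken from the Tamarin patch. `std::shared_ptr` stands in for GC reachability, and the `Traits`, `Domain` and `VectorClass` structs, the `apply` method and the `Widget` type are simplified, hypothetical stand-ins for the real classes.

```cpp
#include <map>
#include <memory>
#include <string>

// Toy model, not Tamarin source: shared_ptr stands in for GC reachability.
struct Traits {
    std::string name;
    std::shared_ptr<Traits> element;  // Vector<T> keeps T reachable
};
using TypeCache = std::map<std::string, std::shared_ptr<Traits>>;

struct Domain {
    TypeCache types;               // types defined in this Domain
    TypeCache instantiated_types;  // "after": Vector<T> cache lives with T's owner
    std::shared_ptr<Traits> define(const std::string& name) {
        auto t = std::make_shared<Traits>(Traits{name, nullptr});
        types[name] = t;
        return t;
    }
};

struct VectorClass {               // long-lived, shared by every Domain
    TypeCache instantiated_types;  // "before": cache lives on the class
    bool per_domain;
    explicit VectorClass(bool fixed) : per_domain(fixed) {}

    // Return the cached Vector<T>, creating it on first use.
    std::shared_ptr<Traits> apply(Domain& owner, const std::shared_ptr<Traits>& t) {
        TypeCache& cache = per_domain ? owner.instantiated_types : instantiated_types;
        auto& slot = cache[t->name];
        if (!slot)
            slot = std::make_shared<Traits>(Traits{"Vector<" + t->name + ">", t});
        return slot;
    }
};

// True if T is still reachable after the Domain that defined it is gone.
bool type_outlives_domain(bool per_domain) {
    VectorClass vector_class(per_domain);
    std::weak_ptr<Traits> observed;
    {
        Domain child;  // constructed example: a Domain that is later discarded
        auto t = child.define("Widget");
        observed = t;
        vector_class.apply(child, t);
    }  // child is destroyed here
    return !observed.expired();
}

int main() { return (type_outlives_domain(false) && !type_outlives_domain(true)) ? 0 : 1; }
```

With the cache on the class, `Vector<Widget>` pins `Widget` after its Domain is gone; with the cache on the owning Domain, both are released together.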
Updated • 15 years ago
Attachment #426789 - Flags: superreview- → superreview+
Status: NEW → ASSIGNED
Flags: flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
Comment 4 (Assignee) • 15 years ago
OK, I have r+ on this; now the question is, is this really a security issue or not? (I can land it in tr-sec if there's any doubt, but it's on the large side for a security patch, so long-term maintenance will be easier if it's not necessary.)
Comment 5 (Assignee) • 15 years ago
http://hg.mozilla.org/tamarin-redux/rev/fb13df575e8c
http://hg.mozilla.org/tamarin-redux/rev/83c11703715b
Group: tamarin-security
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED