Closed Bug 555614 Opened 15 years ago Closed 15 years ago

Assertion failed: "((index < len))" ("/Users/edwin/vm/argo/core/avmplusList.h":397)

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P3)

Product:
Tamarin Graveyard
Component:
Virtual Machine
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
flash10.1

People

(Reporter: edwsmith, Assigned: edwsmith)

Details

(Whiteboard: Has patch)

Attachments

(2 files)

fuzzed abcdump.abc test case
41.28 KB, application/octet-stream
Details
range-check class_index against actual class list length, not just max classCount
888 bytes, patch
tharwood
: review+
tierney
: review+
Details | Diff | Splinter Review
reading past end of List<> causes assert: Assertion failed: "((index < len))" ("/Users/edwin/vm/argo/core/avmplusList.h":397) happens in getClassTraits() called from parseInstanceInfos in AbcParser. The code correctly does a range check first, but at this point the list of class traits has length 0. It should have been pre-allocated to classCount entries. // get the class type if (class_index >= classCount) toplevel->throwVerifyError(kClassInfoExceedsCountError, core->toErrorString(class_index), core->toErrorString(classCount)); => Traits* ctraits = pool->getClassTraits(class_index); if (!ctraits) toplevel->throwVerifyError(kClassInfoOrderError, core->toErrorString(class_index));
The test case also causes abcdump to fail with: +TypeError: Error #1009: Cannot access a property or method of a null object reference. + at Abc/parseTraits()[abcdump.as:1047] + at Abc/parseInstanceInfos()[abcdump.as:1017] + at Abc()[abcdump.as:720] + at global$init()[abcdump.as:1518] presumably this is abcdump doing a null pointer derefernce of its classes array.
The assert fires because we access List<> past length. The list is correctly presized, so the overrun is not actually a memory safety issue. The list is GC allocated and so non-initialized entries are guaranteed to be null. patch does the range check explicitly. even though without the assert the code is memory safe, its too fragile and it violates the List<> api contract.
Assignee: nobody → edwsmith
Status: NEW → ASSIGNED
Targetting 10.1, although not strictly required, because the fix is simple and aids testing. * still needs a test case * abcdump still needs a fix.
Group: tamarin-security
CC list accessible: false
Flags: in-testsuite?
Priority: -- → P3
Not accessible to reporter
Target Milestone: --- → flash10.1
Whiteboard: Has patch
Attachment #435985 - Flags: review?(tharwood)
Attachment #435985 - Flags: review?(tierney)
Comment on attachment 435985 [details] [diff] [review] range-check class_index against actual class list length, not just max classCount Looks good. I'd bet similar issues exist in some other lists.
Attachment #435985 - Flags: review?(tharwood) → review+
Attachment #435985 - Flags: review?(tierney) → review+
pushed to tr-argo and tr http://hg.mozilla.org/tamarin-redux/rev/5403aeeddc19
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Pushed regression testcase (attachment 435509 [details]) to redux changeset 4432 e8a4288bf822
Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: