When parsing parameterized types, the code recurses as deep as the level of parameterization. A carefully constructed ABC could make use of this to force a stack overflow.
Correction: with the proposed patch for bug 556543, PoolObject::parseMultiname can't recurse arbitrarily deep, but Verifier::checkTypeName (and Interpreter::getTraits) can.
PoolObject::resolveTypeName is also susceptible.
I've fiddled around with various rewrite attempts to unroll the recursion, but it's awkward and feels a bit too fiddly for this stage of the game, so I'm tempted to just insert a call to stackCheck() before the recursive bits. Thoughts?
Created attachment 436800: Patch
Minimal fix that merely inserts calls to stackCheck in the possible recursion cases.
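The recursion the thread is about, with the guard the patch adds, as an added C++ example (not Tamarin's code and not the attached patch): a constructed constant pool in which a TypeName entry refers to its base type and parameters by index, a recursive resolver in the shape of resolveTypeName, and a depth limit `kMaxTypeNesting` that stands in for stackCheck(). The depth counter is an assumption made so the example runs the same everywhere; the real check measures remaining native stack. `Multiname`, `resolveTop`, `verifyPool` and the two pool builders are hypothetical names, and the pools are constructed inputs, including the self-referential one and the one nested 100000 deep.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed model of an ABC constant pool entry. Only what matters for the
// recursion is kept: a QName leaf with a plain name, or a TypeName whose base
// type and type parameters are indexes into the same pool.
struct Multiname {
    bool isTypeName;
    std::string name;              // QName leaves only
    uint32_t baseIndex;            // TypeName entries only
    std::vector<uint32_t> params;  // TypeName entries only
};

struct VerifyError : public std::runtime_error {
    explicit VerifyError(const std::string& msg) : std::runtime_error(msg) {}
};

// Hypothetical nesting limit standing in for stackCheck(). The real check
// looks at remaining native stack; a counter is used here for portability.
static const int kMaxTypeNesting = 64;

// Recursive resolver building the printable name of pool[index]. Without the
// depth guard, a chain of TypeName entries of any length, or one TypeName that
// refers to itself, drives this recursion until the native stack is exhausted.
static std::string resolveTypeName(const std::vector<Multiname>& pool,
                                   uint32_t index, int depth) {
    if (index >= pool.size())
        throw VerifyError("multiname index out of range");
    if (depth > kMaxTypeNesting)  // the stackCheck() stand-in
        throw VerifyError("type name nesting too deep");

    const Multiname& mn = pool[index];
    if (!mn.isTypeName)
        return mn.name;

    std::string out = resolveTypeName(pool, mn.baseIndex, depth + 1);
    out += ".<";
    for (size_t i = 0; i < mn.params.size(); ++i) {
        if (i) out += ",";
        out += resolveTypeName(pool, mn.params[i], depth + 1);
    }
    out += ">";
    return out;
}

// Resolve the last pool entry; throws VerifyError on bad or too-deep input.
std::string resolveTop(const std::vector<Multiname>& pool) {
    if (pool.empty()) throw VerifyError("empty pool");
    return resolveTypeName(pool, static_cast<uint32_t>(pool.size() - 1), 0);
}

// Verifier-style entry point: true if every entry resolves within the limit.
bool verifyPool(const std::vector<Multiname>& pool) {
    try {
        for (uint32_t i = 0; i < pool.size(); ++i)
            resolveTypeName(pool, i, 0);
        return true;
    } catch (const VerifyError&) {
        return false;
    }
}

// Constructed input: "int", "Vector", then `levels` TypeName entries each
// wrapping the previous one, i.e. Vector.<Vector.<...<int>...>>.
std::vector<Multiname> makeNestedVectorPool(int levels) {
    std::vector<Multiname> pool;
    pool.push_back({false, "int", 0, {}});
    pool.push_back({false, "Vector", 0, {}});
    uint32_t inner = 0;
    for (int i = 0; i < levels; ++i) {
        pool.push_back({true, "", 1, {inner}});
        inner = static_cast<uint32_t>(pool.size() - 1);
    }
    return pool;
}

// Constructed input: one TypeName whose base type is itself, the degenerate
// form of the same problem (unbounded recursion from a single entry).
std::vector<Multiname> makeSelfReferentialPool() {
    return {{true, "", 0, {}}};
}

int main() {
    std::printf("%s\n", resolveTop(makeNestedVectorPool(3)).c_str());
    std::printf("nesting 3 verifies: %d\n", verifyPool(makeNestedVectorPool(3)));
    std::printf("nesting 100000 verifies: %d\n", verifyPool(makeNestedVectorPool(100000)));
    std::printf("self-referential verifies: %d\n", verifyPool(makeSelfReferentialPool()));
    return 0;
}
```

The guard is checked before the entry is even inspected, so the self-referential pool and the 100000-deep chain are both rejected at depth 65 instead of consuming stack; this is the same property a stackCheck() placed ahead of the recursive calls gives, and it is the reason the check has to come before, not after, the recursive branch.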
Attachment #436800 - Flags: review?(edwsmith)
Priority: -- → P2
Target Milestone: --- → flash10.1
Comment on attachment 436800: Patch
Patch is okay as long as the bug has been vetted for exploitability. The fuzzer bugs were marked as security by default, but get declassified unless they represent a real exploit in shipping code. All the other stack overflow checking bugs, for example (see 504506), are not marked as security.
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(In reply to comment #8)
> Regression media depends on abcasm multiname support being added: See Bug
> 558956
Looks like abcasm needs TypeName and a way to create a qualified QName. This also interacts with another bug in the parser -- abcasm also needs what amounts to soft statement breaks at line breaks.