Bug 556874
Opened 15 years ago
Closed 15 years ago
PoolObject::parseMultiname and Verifier::checkTypeName can recurse arbitrarily deep
Categories: Tamarin Graveyard :: Virtual Machine, defect, P2
Tracking: (Not tracked)
Status: VERIFIED FIXED
Target Milestone: flash10.1
People: Reporter: stejohns, Assigned: stejohns
Attachments (1 file): patch, 1.73 KB, edwsmith: review+
Description
When parsing parameterized types, the code recurses as deep as the level of parameterizing. A carefully constructed ABC could make use of this to force a stack overflow.
Updated•15 years ago
Assignee: nobody → stejohns
Comment 1•15 years ago (Assignee)
Correction: with the proposed patch for bug 556543, PoolObject::parseMultiname can't recurse arbitrarily deep, but Verifier::checkTypeName (and Interpreter::getTraits) can.
Comment 2•15 years ago (Assignee)
PoolObject::resolveTypeName is also susceptible.
Comment 3•15 years ago (Assignee)
I've fiddled around with various rewrite attempts to unroll the recursion, but it's awkward and feels a bit too fiddly for this stage of the game, so I'm tempted to just insert a call to stackCheck() before the recursive bits. Thoughts?
Comment 4•15 years ago (Assignee)
Minimal fix that merely inserts calls to stackCheck in the possible recursion cases.
Attachment #436800 - Flags: review?(edwsmith)
Flags: flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
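The recursion the description talks about, and the stackCheck() guard that the patch in comment 4 puts in front of it, as an added example that is not Tamarin source code: a toy constant pool in which TypeName entries refer to other pool entries by index, so resolving a parameterized name recurses once per level of nesting, and a hostile pool can nest arbitrarily deep or refer to itself. `Pool`, `Multiname`, `StackGuard`, the 32 KiB budget and the address-based `stackCheck()` are all assumptions of this example, not the VM's real types or limits.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Added example, not Tamarin source. Models a constant pool whose TypeName
// entries refer to other pool entries by index, so resolving a parameterized
// name (Vector.<Vector.<int>>) recurses once per level of nesting.

enum class Kind { QName, TypeName };

struct Multiname {
    Kind kind;
    std::string name;   // base name, e.g. "Vector" or "int"
    uint32_t param;     // TypeName only: pool index of the parameter name
};

// Hypothetical stand-in for the VM's stackCheck(): records the frame address
// at the top-level entry point and throws once recursion has consumed more
// than `budget` bytes of stack beyond it (assumed budget, not the VM's value).
class StackGuard {
public:
    explicit StackGuard(size_t budgetBytes) : base_(0), budget_(budgetBytes) {}
    void arm() { base_ = here(); }
    void stackCheck() const {
        uintptr_t h = here();
        uintptr_t used = base_ > h ? base_ - h : h - base_;  // either growth direction
        if (used > budget_) throw std::runtime_error("stack depth exceeded");
    }
private:
    static uintptr_t here() {
        char marker = 0;   // a local whose address marks the current frame
        return reinterpret_cast<uintptr_t>(&marker);
    }
    uintptr_t base_;
    size_t budget_;
};

class Pool {
public:
    std::vector<Multiname> names;

    // Top-level entry: arm the guard, then resolve recursively.
    std::string resolveTypeName(uint32_t index) {
        guard_.arm();
        return resolveRec(index);
    }
private:
    std::string resolveRec(uint32_t index) {
        guard_.stackCheck();                   // the fix: check before recursing
        const Multiname& m = names.at(index);  // throws out_of_range on a bad index
        if (m.kind == Kind::QName) return m.name;
        return m.name + ".<" + resolveRec(m.param) + ">";
    }
    StackGuard guard_{32 * 1024};   // assumed 32 KiB recursion budget
};

struct Result { bool ok; std::string text; };

// Resolve entry `index`, turning the guard's exception into a rejection.
Result safeResolve(Pool& pool, uint32_t index) {
    try {
        return {true, pool.resolveTypeName(index)};
    } catch (const std::runtime_error& e) {
        return {false, std::string("rejected: ") + e.what()};
    } catch (const std::out_of_range&) {
        return {false, "rejected: bad multiname index"};
    }
}

// Constructed input: `depth` nested Vector entries ending in "int".
Result resolveNested(uint32_t depth) {
    Pool p;
    for (uint32_t i = 0; i < depth; ++i)
        p.names.push_back({Kind::TypeName, "Vector", i + 1});
    p.names.push_back({Kind::QName, "int", 0});
    return safeResolve(p, 0);
}

// Constructed input: entry 0 names entry 0 as its own parameter (infinite depth).
Result resolveCyclic() {
    Pool p;
    p.names.push_back({Kind::TypeName, "Vector", 0});
    return safeResolve(p, 0);
}

// Constructed input: a TypeName whose parameter index is past the end of the pool.
Result resolveBadIndex() {
    Pool p;
    p.names.push_back({Kind::TypeName, "Vector", 7});
    return safeResolve(p, 0);
}

int main() {
    std::cout << resolveNested(3).text << "\n";       // resolves normally
    std::cout << resolveNested(100000).text << "\n";  // rejected by stackCheck()
    std::cout << resolveCyclic().text << "\n";        // rejected by stackCheck()
    std::cout << resolveBadIndex().text << "\n";      // rejected by bounds check
    return 0;
}
```

The guard is armed at the public entry point rather than in the constructor so the budget is measured from the caller's frame, not from wherever the pool happened to be built; the `.at()` bounds check covers the separate malformed-index case that a depth check alone would not catch.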
Updated•15 years ago
Attachment #436800 - Flags: review?(edwsmith) → review+
Comment 5•15 years ago
Comment on attachment 436800 (Patch)
Patch is okay as long as the bug has been vetted for exploitability. The fuzzer bugs were marked as security by default, but get declassified unless they represent a real exploit in shipping code.
All the other stack overflow checking bugs, for example (see 504506), are not marked as security.
Updated•15 years ago
Group: tamarin-security
Comment 7•15 years ago (Assignee)
http://hg.mozilla.org/tamarin-redux/rev/2026a6bc0146
http://asteam.macromedia.com/hg/tamarin-redux-argo/rev/2026a6bc0146
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 8•15 years ago
Regression media depends on abcasm multiname support being added: See Bug 558956
Depends on: 558956
Comment 9•15 years ago
(In reply to comment #8)
> Regression media depends on abcasm multiname support being added: See Bug 558956
Looks like abcasm needs TypeName and a way to create a qualified QName. This also interacts with another bug in the parser -- abcasm also needs what amount to soft statement breaks at line breaks.
Updated•15 years ago
QA Contact: vm → cpeyer
Updated•15 years ago
Status: RESOLVED → VERIFIED
Flags: in-testsuite?