Closed Bug 563772 Opened 15 years ago Closed 15 years ago

Assertion failed: "((exceptionFrame != __null))" ("/Users/cpeyer/hg/tamarin-redux-security/core/AvmCore.cpp":1014)

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED
Q3 11 - Serrano

People

(Reporter: cpeyer, Assigned: stejohns)

Details

(Whiteboard: has-patch)

Attachments

(3 files)

Found with tr-sec r4276. Original .abc file is test/acceptance/ecma3/Number/toLocaleString_tr.abc abcdump diff: diff -u <(abcdump -abs ./ecma3/Number/toLocaleString_rt.abc) <(abcdump -abs crash_10183_4_6.abc) --- /dev/fd/63 2010-05-04 13:41:00.000000000 -0700 +++ /dev/fd/62 2010-05-04 13:41:00.000000000 -0700 @@ -1712,7 +1712,8 @@ 1697 setproperty {, private, }::<null> 1699 getscopeobject 0 1701 findpropstrict {, private, }::Number - 1703 pushdouble 10000000000000000000 + 1703 swap + 1704 throw 1705 constructprop {, private, }::Number (1) 1708 convert_d 1709 setslot 3
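Review bot: the baseline file is named toLocaleString_tr.abc in the description but toLocaleString_rt.abc in the abcdump command, so one of the two names should be corrected before anyone tries to reproduce the diff. In the hunk itself the mutation replaces `pushdouble 10000000000000000000` (the argument for the following `constructprop Number`) with `swap` and `throw`, so the mutated method throws at offset 1704 before `constructprop` at 1705 ever executes; that is the throw the assertion in AvmCore.cpp line 1014 is reached from.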
Flags: flashplayer-qrb?
Attached file avmplusCrash.dmp
Assignee: nobody → stejohns
Flags: flashplayer-qrb? → flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
Although this is a null-pointer dereference, it's specific to avmshell: what's happening is that an error is thrown, and in ShellCore::handleArbitraryExecutableContent() we attempt to print the string of the error to the console... and calling toString() on this method throws, and we have no try/catch block active (since we're in the catch block of the outermost try/catch). A fix is doable but I think this one can probably be declassified.
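To illustrate the failure mode described in the comment above, the following C++ is an added example and not Tamarin or avmshell code: a stand-in error object whose toString() may itself throw, an outermost handler that reports it with no enclosing try/catch (the escaping throw stands in for the null exceptionFrame assertion), and a guarded variant that falls back to a fixed message. All names here are hypothetical.

```cpp
#include <string>

// Hypothetical stand-in for a VM error object. In the bug, toString() runs
// script code and can throw again while the error is being reported.
struct ScriptError {
    std::string message;
    bool toStringThrows;
    std::string toString() const {
        if (toStringThrows) throw ScriptError{"error inside toString", false};
        return message;
    }
};

// Unsafe shape: the outermost catch block reports the error by calling
// toString() with no enclosing handler, so a throw from toString() escapes.
std::string reportUnsafe(const ScriptError& err) {
    return "Error: " + err.toString();
}

// Hardened shape: the report runs under its own try/catch and falls back
// to a message that cannot throw.
std::string reportSafe(const ScriptError& err) {
    try {
        return "Error: " + err.toString();
    } catch (...) {
        return "Error: <toString() threw while reporting the error>";
    }
}

// Simulates script that throws, then the shell's outermost handler reporting it.
std::string runAndReport(bool toStringThrows, bool hardened) {
    try {
        throw ScriptError{"original error", toStringThrows};
    } catch (const ScriptError& err) {
        return hardened ? reportSafe(err) : reportUnsafe(err);
    }
}

// True when the unguarded report lets a second exception escape the
// outermost handler, which is the condition the assertion caught.
bool unsafeEscapes(bool toStringThrows) {
    try {
        runAndReport(toStringThrows, false);
        return false;
    } catch (const ScriptError&) {
        return true;
    }
}
```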
Attached patch Patch
The obvious workaround...
Attachment #444154 - Flags: review?(edwsmith)
Whiteboard: has-patch
Comment on attachment 444154 Patch: nit: funny indentation. agree about declassifying.
Attachment #444154 - Flags: review?(edwsmith) → review+
Declassify, move to 10.2.
Group: tamarin-security
Target Milestone: flash10.1 → flash10.2
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: flashplayer-bug+