Closed Bug 575024 Opened 14 years ago Closed 14 years ago

JSObject::resizeDenseArrayElements comparison is always false due to limited range of data type

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- .13-fixed
status1.9.1 --- .17-fixed

People

(Reporter: timeless, Assigned: dveditz)

References

Details

Attachments

(2 files)

patch
569 bytes, patch
dvander
: review+
christian
: approval1.9.2.13+
dveditz
: approval1.9.1.16-
Details | Diff | Splinter Review
1.9.1 port
1.55 KB, patch
dveditz
: review+
dveditz
: approval1.9.1.17+
Details | Diff | Splinter Review 
js/src/jsarray.cpp: In member function ‘bool JSObject::resizeDenseArrayElements(JSContext*, uint32, uint32, bool)’:
340: warning: comparison is always false due to limited range of data type
Attached patch patchSplinter Review 

        Attachment #454320 -
        Flags: review?(dvander)

        Attachment #454320 -
        Flags: review?(dvander) → review+
blocking2.0: --- → ?

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/eece34b864ed
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
  
blocking2.0: ? → betaN+

    
  
Blocks: CVE-2010-3777

    
    

    
  
Comment on attachment 454320 [details] [diff] [review]
patch

Nice safe stability win for branches.

        Attachment #454320 -
        Flags: approval1.9.2.12?

        Attachment #454320 -
        Flags: approval1.9.1.15?

    
  

        Attachment #454320 -
        Flags: approval1.9.2.12?

        Attachment #454320 -
        Flags: approval1.9.2.12+

        Attachment #454320 -
        Flags: approval1.9.1.15?

        Attachment #454320 -
        Flags: approval1.9.1.15+

    
  
Whiteboard: [needs branch check-in]

    
    

    
  
Comment on attachment 454320 [details] [diff] [review]
patch

patch doesn't apply on 1.9.1 because, trivially, the param was called "size" rather than "newlen", but also there is no MAX_DSLOTS_LENGTH32. Also the function patched is static ResizeSlots() rather than JSObject::resizeDesnseArrayElements() but that probably doesn't matter.

        Attachment #454320 -
        Flags: approval1.9.1.16+ → approval1.9.1.16-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1.9.1 portSplinter Review
      

    


  

        Attachment #494601 -
        Flags: review?

    
  

        Attachment #494601 -
        Flags: review? → review?(dvander)

    
  

        Attachment #494601 -
        Flags: approval1.9.1.17?

    
  

        Attachment #494601 -
        Flags: approval1.9.1.16?

    
    

    
  
Comment on attachment 494601 [details] [diff] [review]
1.9.1 port

Got verbal r+ from dvander

        Attachment #494601 -
        Flags: review?(dvander) → review+

    
    

    
  
Comment on attachment 494601 [details] [diff] [review]
1.9.1 port

Not going to respin 1.9.1.16 so .17 it is.

        Attachment #494601 -
        Flags: approval1.9.1.17?

        Attachment #494601 -
        Flags: approval1.9.1.17+

        Attachment #494601 -
        Flags: approval1.9.1.16?

    
  

          status1.9.1:
          --- → wanted

    
  
Assignee: timeless → dveditz

    
    

    
  
reassigning to myself so i remember to land it this time.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: