Closed
Bug 584912
Opened 14 years ago
Closed 14 years ago
Use after free in jsd_NewThreadState.
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: adrake, Assigned: adrake)
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
696 bytes,
patch
|
adrake
:
review+
sayrer
:
approval2.0+
|
Details | Diff | Splinter Review |
The following lines occur in jsd_stak.c on line 151: jsd_DestroyThreadState(jsdc, jsdthreadstate); JS_EndRequest(jsdthreadstate->context); jsd_DestroyThreadState free()s jsdthreadstate which is then immediately used. Patch forthcoming.
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → adrake
|
|
Assignee | |
Updated•14 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•14 years ago
|
||
Fix.
Attachment #463462 -
Flags: review?(timeless)
Attachment #463462 -
Flags: approval2.0?
|
|
Assignee | |
Comment 3•14 years ago
|
||
Comment on attachment 463462 [details] [diff] [review] Patch Updated r? to reflect above comment.
Attachment #463462 -
Flags: review?(timeless) → review+
|
||
Updated•14 years ago
|
Attachment #463462 -
Flags: approval2.0? → approval2.0+
|
|
Assignee | |
Comment 4•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/bbfce6d8415d
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 5•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/bbfce6d8415d
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine
You need to log in
before you can comment on or make changes to this bug.
Description
•