Closed Bug 615859 Opened 14 years ago Closed 14 years ago

Deserialize with null argument crashes/asserts

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
minor

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- -

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Whiteboard: [fixed-in-tracemonkey][sg:dos] null deref)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier:

Problem affects mozilla-2.0 branch only, tested on tip and current beta: The code

deserialize(null);

will assert with

Assertion failure: obj, at jstypedarray.cpp:1613

in a debug build and crash due to null ptr dereference in an optimized build. Not exploitable, but should be fixed anyways :)

Flagged as security bug as I don't know what your policy is with respect to crash bugs that are definitely not exploitable beyond denial of service, so feel free to remove flagging.

Reproducible: Always

Steps to Reproduce:
1. Run deserialize(null); as javascript code
2. Observe crash

Actual Results:
Crash/Assert

Expected Results:
Some kind of error message

Yeah, we don't need to leave this private, it's at most a DOS (unexploitable crash).
Assignee: nobody → general
Group: core-security
Status: UNCONFIRMED → NEW
blocking2.0: --- → betaN+
Component: General → JavaScript Engine
Ever confirmed: true
QA Contact: general → general
Whiteboard: [sg:dos] null deref
I can only find Deserialize() in shell/js.cpp - was your crash in the browser or shell? If this is shell only it should unblock.
Sorry, I was not aware that deserialize() is indeed only a shell function. Yes, this was observed in the shell, but I thought the interface is accessible in the browser as well.
blocking2.0: betaN+ → -
Severity: critical → minor
Another cosmetic problem of the same category (will assert only): deserialize(new Uint8ClampedArray(1));
The bug from comment 0 is a silly rookie mistake on my part. Definitely shell only. Trivial to fix.
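Both crashes on this bug have the same shape: a shell native takes its argument and treats it as an object of the class it expects without first checking that it is an object at all (comment 0, null) or that it is the right class of object (comment 4, a Uint8ClampedArray where an ArrayBuffer was expected). The added example below is not SpiderMonkey code and not the attached patch; it is a constructed C model of a tagged JS value and a native "deserialize" that validates tag, class and buffer length before dereferencing anything, so each bad input becomes a reported TypeError or data error instead of an assertion. The value/object types, the SCTAG_INT32 wire tag and all sample inputs are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of an engine's tagged values and object classes.
   This is NOT SpiderMonkey's jsval/JSObject API; all names are hypothetical. */
typedef enum { TAG_UNDEFINED, TAG_NULL, TAG_NUMBER, TAG_OBJECT } ValueTag;
typedef enum { CLASS_PLAIN, CLASS_ARRAYBUFFER, CLASS_UINT8CLAMPEDARRAY } ObjClass;

typedef struct {
    ObjClass clasp;
    const uint8_t *data;   /* payload; only meaningful for CLASS_ARRAYBUFFER */
    size_t len;
} Object;

typedef struct {
    ValueTag tag;
    Object *obj;           /* valid only when tag == TAG_OBJECT */
} Value;

/* What the native reports: success, a TypeError for a bad argument,
   or a data error for a malformed or truncated buffer. */
typedef enum { RESULT_OK, RESULT_TYPE_ERROR, RESULT_DATA_ERROR } Result;

/* Constructed wire format: one tag byte followed by a little-endian int32.
   SCTAG_INT32 is a made-up value, not a SpiderMonkey structured-clone tag. */
#define SCTAG_INT32 0x01
#define INT32_RECORD_LEN 5

static Value make_null(void)        { Value v = { TAG_NULL, NULL };      return v; }
static Value make_undefined(void)   { Value v = { TAG_UNDEFINED, NULL }; return v; }
static Value make_object(Object *o) { Value v = { TAG_OBJECT, o };       return v; }

/* Hardened native: every assumption about the argument is checked before the
   pointer behind it is used. The first check is the one the bug lacked:
   deserialize(null) reached the engine's `obj` assertion with a NULL object. */
static Result js_deserialize(Value arg, int32_t *out)
{
    if (arg.tag != TAG_OBJECT || arg.obj == NULL)  /* null, undefined, numbers */
        return RESULT_TYPE_ERROR;

    Object *obj = arg.obj;
    if (obj->clasp != CLASS_ARRAYBUFFER)            /* e.g. a Uint8ClampedArray */
        return RESULT_TYPE_ERROR;

    if (obj->data == NULL || obj->len < INT32_RECORD_LEN || obj->data[0] != SCTAG_INT32)
        return RESULT_DATA_ERROR;                   /* malformed or truncated */

    uint32_t u = (uint32_t)obj->data[1]
               | (uint32_t)obj->data[2] << 8
               | (uint32_t)obj->data[3] << 16
               | (uint32_t)obj->data[4] << 24;
    *out = (int32_t)u;
    return RESULT_OK;
}

/* Helpers so each scenario is a single call. */
static Result status_of(Value arg)
{
    int32_t ignored = 0;
    return js_deserialize(arg, &ignored);
}

/* Wrap raw bytes as an ArrayBuffer-class object. */
static Result buffer_status(const uint8_t *bytes, size_t n)
{
    Object buf = { CLASS_ARRAYBUFFER, bytes, n };
    return status_of(make_object(&buf));
}

/* Decoded value, or 0 when the call is rejected. */
static int32_t buffer_value(const uint8_t *bytes, size_t n)
{
    Object buf = { CLASS_ARRAYBUFFER, bytes, n };
    int32_t out = 0;
    js_deserialize(make_object(&buf), &out);
    return out;
}

/* Constructed inputs mirroring the two comments on the bug. */
static Object g_clamped = { CLASS_UINT8CLAMPEDARRAY, NULL, 1 };          /* new Uint8ClampedArray(1) */
static const uint8_t g_good[]  = { SCTAG_INT32, 0x2a, 0x00, 0x00, 0x00 }; /* int32 42 */
static const uint8_t g_neg[]   = { SCTAG_INT32, 0xff, 0xff, 0xff, 0xff }; /* int32 -1 */
static const uint8_t g_short[] = { SCTAG_INT32, 0x2a };                   /* truncated record */

int main(void)
{
    printf("null argument   -> status %d\n", status_of(make_null()));
    printf("typed array arg -> status %d\n", status_of(make_object(&g_clamped)));
    printf("good buffer     -> value %d\n", buffer_value(g_good, sizeof g_good));
    printf("short buffer    -> status %d\n", buffer_status(g_short, sizeof g_short));
    return 0;
}
```

The order of the checks is the point: tag before pointer, class before cast, length before read. Each rejected input turns into an error the caller can report, which is the "some kind of error message" the reporter expected.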
Attached patch v1 (Splinter Review)
Assignee: general → jorendorff
Attachment #495631 - Flags: review?(jwalden+bmo)
Attachment #495631 - Flags: review?(jwalden+bmo) → review+
Whiteboard: [sg:dos] null deref → [fixed-in-tracemonkey][sg:dos] null deref
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED