Deserialize with null argument crashes/asserts

Status: RESOLVED FIXED
Type: defect
Severity: minor
People: Reporter: decoder; Assigned: jorendorff

Tracking: Version: unspecified; Platform: x86 Linux

Firefox Tracking Flags: blocking2.0 -

Whiteboard: [fixed-in-tracemonkey][sg:dos] null deref

Attachments: 1 attachment

Description (Reporter, 9 years ago):

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier: 

Problem affects mozilla-2.0 branch only, tested on tip and current beta:

The code

deserialize(null);

will assert with Assertion failure: obj, at jstypedarray.cpp:1613 in a debug build and crash due to null ptr dereference in an optimized build.

Not exploitable, but should be fixed anyways :) Flagged as security bug as I don't know what your policy is with respect to crash bugs that are definitely not exploitable beyond denial of service, so feel free to remove flagging.

Reproducible: Always

Steps to Reproduce:
1. Run deserialize(null); as JavaScript code
2. Observe crash

Actual Results:
Crash/Assert

Expected Results:
Some kind of error message

Comment 1 (9 years ago):

Yeah, we don't need to leave this private, it's at most a DoS (unexploitable crash).

Assignee: nobody → general
Group: core-security
Status: UNCONFIRMED → NEW
blocking2.0: --- → betaN+
Component: General → JavaScript Engine
Ever confirmed: true
QA Contact: general → general
Whiteboard: [sg:dos] null deref

I can only find Deserialize() in shell/js.cpp - was your crash in the browser or shell? If this is shell only it should unblock.
Comment 3 (Reporter, 9 years ago):

Sorry, I was not aware that deserialize() is indeed only a shell function. Yes, this was observed in the shell, but I thought the interface is accessible in the browser as well.
Updated (Reporter, 9 years ago):

Severity: critical → minor
Comment 4 (Reporter, 9 years ago):

Another cosmetic problem of the same category (will assert only): deserialize(new Uint8ClampedArray(1));
Comment 5 (Assignee, 9 years ago):

The bug from comment 0 is a silly rookie mistake on my part. Definitely shell only. Trivial to fix.
Comment 6 (Assignee, 9 years ago):

Posted patch v1

Assignee: general → jorendorff
Attachment #495631 - Flags: review?(jwalden+bmo)
Attachment #495631 - Flags: review?(jwalden+bmo) → review+
Comment 7 (Assignee, 9 years ago):

https://hg.mozilla.org/tracemonkey/rev/2ff422400823

Whiteboard: [sg:dos] null deref → [fixed-in-tracemonkey][sg:dos] null deref

http://hg.mozilla.org/mozilla-central/rev/2ff422400823

Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED