Closed Bug 615859 Opened 11 years ago Closed 11 years ago

Deserialize with null argument crashes/asserts

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
minor

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- -

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Whiteboard: [fixed-in-tracemonkey][sg:dos] null deref)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier: 

Problem affects mozilla-2.0 branch only, tested on tip and current beta:

The code

deserialize(null);

will assert with Assertion failure: obj, at jstypedarray.cpp:1613 in a debug build and crash due to null ptr dereference in an optimized build.

Not exploitable, but should be fixed anyways :) Flagged as security bug as I don't know what your policy is with respect to crash bugs that are definitely not exploitable beyond denial of service, so feel free to remove flagging.

Reproducible: Always

Steps to Reproduce:
1. Run deserialize(null); as JavaScript code
2. Observe crash
Actual Results:  
Crash/Assert

Expected Results:  
Some kind of error message
Yeah, we don't need to leave this private, it's at most a DoS (unexploitable crash).
Assignee: nobody → general
Group: core-security
Status: UNCONFIRMED → NEW
blocking2.0: --- → betaN+
Component: General → JavaScript Engine
Ever confirmed: true
QA Contact: general → general
Whiteboard: [sg:dos] null deref
I can only find Deserialize() in shell/js.cpp - was your crash in the browser or shell? If this is shell only it should unblock.
Sorry, I was not aware that deserialize() is indeed only a shell function. Yes, this was observed in the shell, but I thought the interface was accessible in the browser as well.
blocking2.0: betaN+ → -
Severity: critical → minor
Another cosmetic problem of the same category (will assert only): deserialize(new Uint8ClampedArray(1));
The bug from comment 0 is a silly rookie mistake on my part. Definitely shell only. Trivial to fix.
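The defect class behind this report, a native shell function that unwraps its argument as an object and dereferences it before checking what it was given, shown as an added example beside a checked form. This is not code from the bug or from the SpiderMonkey patch; the tagged value, object class and deserialize function names are simplified stand-ins, and the sample inputs are constructed to mirror the two calls in the report (null and a Uint8ClampedArray).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Tagged value, a stand-in for an engine's jsval (assumption: not SpiderMonkey's real types). */
typedef enum { TAG_NULL, TAG_UNDEFINED, TAG_NUMBER, TAG_OBJECT } Tag;
typedef enum { CLASS_ARRAYBUFFER, CLASS_UINT8CLAMPEDARRAY } ObjClass;
typedef struct { ObjClass cls; const uint8_t *bytes; size_t len; } Obj;
typedef struct { Tag tag; Obj *obj; } Val;   /* obj is NULL unless tag == TAG_OBJECT */

typedef enum { DESER_OK = 0, DESER_TYPE_ERROR = 1 } Status;

/* Buggy shape from the report: the argument is treated as an object and dereferenced
 * with no check, so deserialize(null) dereferences a NULL pointer (assert in debug,
 * crash in an optimized build). Shown only to illustrate the defect; never call it
 * with a non-object value. */
static size_t deserialize_buggy(Val arg) {
    return arg.obj->len;
}

/* Checked shape: reject non-objects and objects of the wrong class with a TypeError
 * before any pointer is touched, so both cases in the bug become error messages. */
static Status deserialize_checked(Val arg, size_t *out_len, char *err, size_t errlen) {
    if (arg.tag != TAG_OBJECT || arg.obj == NULL) {
        snprintf(err, errlen, "TypeError: deserialize: argument is not an object");
        return DESER_TYPE_ERROR;
    }
    if (arg.obj->cls != CLASS_ARRAYBUFFER) {
        snprintf(err, errlen, "TypeError: deserialize: argument is not an ArrayBuffer");
        return DESER_TYPE_ERROR;
    }
    *out_len = arg.obj->len;   /* a real implementation would now parse arg.obj->bytes */
    return DESER_OK;
}

/* Constructed sample inputs: a 4-byte ArrayBuffer and a 1-element Uint8ClampedArray. */
static const uint8_t sample_bytes[4] = {0xde, 0xad, 0xbe, 0xef};
static Obj sample_buffer  = { CLASS_ARRAYBUFFER, sample_bytes, 4 };
static Obj sample_clamped = { CLASS_UINT8CLAMPEDARRAY, NULL, 1 };

static Val make_null(void)     { Val v = { TAG_NULL, NULL }; return v; }
static Val make_obj(Obj *o)    { Val v = { TAG_OBJECT, o }; return v; }

int main(void) {
    char err[96]; size_t len = 0;
    Val cases[] = { make_null(), make_obj(&sample_clamped), make_obj(&sample_buffer) };
    for (size_t i = 0; i < 3; i++) {
        if (deserialize_checked(cases[i], &len, err, sizeof err) == DESER_OK)
            printf("case %zu: ok, %zu bytes\n", i, len);
        else
            printf("case %zu: %s\n", i, err);
    }
    return 0;
}
```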
Attached patch v1
Assignee: general → jorendorff
Attachment #495631 - Flags: review?(jwalden+bmo)
Attachment #495631 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/tracemonkey/rev/2ff422400823
Whiteboard: [sg:dos] null deref → [fixed-in-tracemonkey][sg:dos] null deref
http://hg.mozilla.org/mozilla-central/rev/2ff422400823
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED