Bug 615859: Deserialize with null argument crashes/asserts
Status: RESOLVED FIXED (Closed)
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect
Tracking
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People: Reporter: decoder, Assigned: jorendorff
Details: Whiteboard: [fixed-in-tracemonkey][sg:dos] null deref
Attachments (1 file): patch, 1.18 KB, Waldo: review+
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier:
Problem affects mozilla-2.0 branch only, tested on tip and current beta:
The code deserialize(null); will assert with "Assertion failure: obj, at jstypedarray.cpp:1613" in a debug build and crash due to a null ptr dereference in an optimized build.
Not exploitable, but should be fixed anyways :) Flagged as a security bug as I don't know what your policy is with respect to crash bugs that are definitely not exploitable beyond denial of service, so feel free to remove the flagging.
Reproducible: Always
Steps to Reproduce:
1. Run deserialize(null); as javascript code
2. Observe crash
Actual Results:
Crash/Assert
Expected Results:
Some kind of error message
Comment 1 • 14 years ago
Yeah, we don't need to leave this private, it's at most a DOS (unexploitable crash).
Assignee: nobody → general
Group: core-security
Status: UNCONFIRMED → NEW
blocking2.0: --- → betaN+
Component: General → JavaScript Engine
Ever confirmed: true
QA Contact: general → general
Whiteboard: [sg:dos] null deref
I can only find Deserialize() in shell/js.cpp - was your crash in the browser or the shell? If this is shell-only, it should unblock.
Comment 3 (Reporter) • 14 years ago
Sorry, I was not aware that deserialize() is indeed only a shell function. Yes, this was observed in the shell, but I thought the interface was accessible in the browser as well.
Updated • 14 years ago
blocking2.0: betaN+ → -
Updated (Reporter) • 14 years ago
Severity: critical → minor
Comment 4 (Reporter) • 14 years ago
Another cosmetic problem of the same category (will assert only): deserialize(new Uint8ClampedArray(1));
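The defect in comment 0 and the Uint8ClampedArray case in comment 4 share one shape: a shell builtin reads through its argument before checking what it was handed. The C sketch below is an added illustration, not SpiderMonkey's code and not the patch attached to this bug; the Value and Object types, the deserialize_unchecked and deserialize_checked functions and the sample bytes are hypothetical constructions. It places the unchecked shape beside a checked version that returns the kind of error message the reporter expected instead of asserting or crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a script value as a shell builtin sees it.
 * Hypothetical types for illustration; not SpiderMonkey's jsval/JSObject. */
typedef enum { V_NULL, V_UNDEFINED, V_NUMBER, V_OBJECT } ValueTag;

typedef struct {
    const char *class_name;   /* e.g. "ArrayBuffer" or "Uint8ClampedArray" */
    const uint8_t *data;
    size_t length;
} Object;

typedef struct {
    ValueTag tag;
    Object *obj;              /* meaningful only when tag == V_OBJECT */
} Value;

typedef enum { DESER_OK = 0, DESER_TYPE_ERROR = 1 } DeserStatus;

/* Shape of the reported defect: the builtin assumes its argument is an
 * ArrayBuffer object and reads through the pointer without checking the tag.
 * Passing a null value dereferences NULL (a crash, or an assertion failure
 * in a debug build). Shown for contrast; only ever call it with a real object. */
size_t deserialize_unchecked(Value arg) {
    Object *obj = arg.obj;    /* no tag check: null/undefined arrive here as NULL */
    return obj->length;       /* null pointer dereference for non-object input */
}

/* Hardened shape: validate the argument and report a script-visible error
 * instead of asserting or crashing. 'err' receives the message text. */
DeserStatus deserialize_checked(Value arg, size_t *out_len,
                                char *err, size_t err_size) {
    static const char *tag_names[] = {"null", "undefined", "number", "object"};

    if (arg.tag != V_OBJECT || arg.obj == NULL) {
        snprintf(err, err_size,
                 "TypeError: deserialize: expected an ArrayBuffer, got %s",
                 tag_names[arg.tag]);
        return DESER_TYPE_ERROR;
    }
    if (strcmp(arg.obj->class_name, "ArrayBuffer") != 0) {
        snprintf(err, err_size,
                 "TypeError: deserialize: expected an ArrayBuffer, got %s",
                 arg.obj->class_name);
        return DESER_TYPE_ERROR;
    }
    *out_len = arg.obj->length;
    return DESER_OK;
}

/* Runs the inputs mentioned in this thread through the checked path and
 * returns how many were rejected with a TypeError (two of the three). */
int demo_rejections(void) {
    static const uint8_t payload[4] = {1, 2, 3, 4};      /* constructed sample bytes */
    Object buf = {"ArrayBuffer", payload, sizeof payload};
    Object clamped = {"Uint8ClampedArray", payload, 1};  /* comment 4's input */

    Value inputs[] = {
        {V_NULL, NULL},        /* deserialize(null): the reported crash */
        {V_OBJECT, &clamped},  /* deserialize(new Uint8ClampedArray(1)) */
        {V_OBJECT, &buf},      /* the intended input */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t len = 0;
        char err[128];
        if (deserialize_checked(inputs[i], &len, err, sizeof err) != DESER_OK) {
            rejected++;
            printf("%s\n", err);
        } else {
            printf("deserialize: ok, %zu bytes\n", len);
        }
    }
    return rejected;
}

int main(void) {
    return demo_rejections() == 2 ? 0 : 1;
}
```

The check sits at the builtin's entry so that every later dereference is of a pointer already known to be an object of the expected class; that is what turns a debug-only assertion and a release-build crash into an ordinary TypeError the script can observe.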
Comment 5 (Assignee) • 14 years ago
The bug from comment 0 is a silly rookie mistake on my part. Definitely shell only. Trivial to fix.
Comment 6 (Assignee) • 14 years ago
Assignee: general → jorendorff
Attachment #495631 - Flags: review?(jwalden+bmo)
Updated • 14 years ago
Attachment #495631 - Flags: review?(jwalden+bmo) → review+
Comment 7 (Assignee) • 14 years ago
Whiteboard: [sg:dos] null deref → [fixed-in-tracemonkey][sg:dos] null deref
Comment 8 • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED