Closed
Bug 625635
Opened 14 years ago
Closed 14 years ago
64-bit: crash [@ JSC::Yarr::RegexCodeBlock::execute] due to buffer overflow
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 606882

 | Tracking | Status
---|---|---
blocking2.0 | --- | betaN+
People
(Reporter: jruderman, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical])
Crash Data
In a 64-bit js shell, this causes a crash:
/(?:a?(?!b|c)d+(?!e)f?)*/.exec("d");
Mac OS X crash reporter shows only JSC::Yarr::RegexCodeBlock::execute on the stack. Memcheck shows roughly the same thing, but also says something about "switching stacks", which probably indicates that a stack word (being read into the stack-pointer register) had been overwritten.
I suspect a stack buffer overflow, so I'll try valgrind --tool=exp-ptrcheck next.
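The following is an added regression harness, not part of the bug report or of the SpiderMonkey/Yarr code. It runs the reporter's exact pattern, plus a few constructed inputs that exercise the same constructs (optional atom, negative lookahead, greedy `d+`, outer star), and compares the engine's result with the match derived by hand from the pattern's semantics. On the affected build the first `exec()` crashes before any comparison happens; on a fixed engine the harness should report no mismatches. The 1000-iteration loop is an assumption meant to push the pattern through any compiled fast path, not a documented JIT threshold.

```javascript
'use strict';

// The exact pattern from the crash report.
const PATTERN = /(?:a?(?!b|c)d+(?!e)f?)*/;

// Constructed inputs with hand-derived expectations: [input, matchedText, index].
// Each expectation follows from ECMAScript regex semantics alone.
const CASES = [
  ['d',      'd',      0],  // the reporter's testcase
  ['ad',     'ad',     0],  // a? consumes the leading a
  ['ddf',    'ddf',    0],  // greedy d+ then optional f
  ['adfadf', 'adfadf', 0],  // two full iterations of the group
  ['db',     'd',      0],  // second iteration stops at (?!b|c)
  ['de',     '',       0],  // (?!e) rejects the only d+ match, so * matches zero times
  ['ae',     '',       0],  // a? backtracks to empty, d+ still fails
  ['b',      '',       0],  // lookahead fails immediately, empty match at 0
  ['',       '',       0],  // star on empty input matches the empty string
];

// Run the pattern once and return {match, index}, or null on no match.
function runOnce(input) {
  const m = PATTERN.exec(input);
  return m === null ? null : { match: m[0], index: m.index };
}

// Execute every case repeatedly (assumed iteration count, see lead-in) and
// return the list of cases whose result disagrees with the expectation.
function checkCases(iterations = 1000) {
  const failures = [];
  for (const [input, match, index] of CASES) {
    for (let i = 0; i < iterations; i++) {
      const r = runOnce(input);
      if (r === null || r.match !== match || r.index !== index) {
        failures.push({ input, got: r, want: { match, index } });
        break;
      }
    }
  }
  return failures;
}

const failures = checkCases();
console.log(failures.length === 0 ? 'all cases match' : JSON.stringify(failures));
```

Run it in the JS shell or under Node; a crash is the bug's signal, a non-empty failure list would indicate a semantic regression rather than the memory-safety one reported here.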
Reporter
Comment 1 • 14 years ago
"valgrind --tool=exp-ptrcheck" did not help :(
Reporter
Updated • 14 years ago
blocking2.0: --- → ?
Whiteboard: [sg:critical?]
Reporter
Comment 2 • 14 years ago
The first bad revision is:
changeset: 597254d97174
user: Chris Leary
date: Wed Aug 11 13:30:07 2010 -0700
summary: Bug 564953: Port YARR! Lands macroassembler. (r=gal)
Updated • 14 years ago
blocking2.0: ? → betaN+
Updated • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated • 14 years ago
Whiteboard: [sg:critical?] → [sg:critical]
Updated • 14 years ago
Crash Signature: [@ JSC::Yarr::RegexCodeBlock::execute]
Updated • 11 years ago
Group: core-security