Closed
Bug 645651
Opened 13 years ago
Closed 13 years ago
Crash [@ JS_LeaveCrossCompartmentCall ]
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
DUPLICATE
of bug 646380
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: neil, Assigned: sfink)
References
Details
(Keywords: crash, regression)
Crash Data
When jsd_GetValueString's call to JS_ValueToString returns NULL, call does not get set and is garbage when it is passed to JS_LeaveCrossCompartmentCall. Either the call to JS_LeaveCrossCompartmentCall should also be null-checked against the value of string or call should be explicitly nulled out if string is null. I hit this trying to do some debugging using Venkman; I don't know whether other debuggers will trip over it. Setting s-g both because it's a regression from an s-g bug and because I don't know whether the access to call is exploitable.
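The failure path described in the report, sketched as an added example that is not taken from the Mozilla source or from any comment on this bug. `CallHandle`, `enter_call`, `leave_call`, `value_to_string` and `get_value_string_len` are hypothetical stand-ins for the engine's types and functions; the sketch applies both remedies the reporter names, initializing the handle to NULL and guarding the leave call.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the engine's opaque call handle and its
   enter/leave pair; these are not the SpiderMonkey definitions. */
typedef struct { int entered; } CallHandle;

static CallHandle g_handle;   /* one handle is enough for the sketch */
static int g_depth = 0;       /* enter/leave balance, 0 when balanced */
static int g_bad_leave = 0;   /* leave_call() reached without a live handle */

static CallHandle *enter_call(void) {
    g_handle.entered = 1;
    g_depth++;
    return &g_handle;
}

static void leave_call(CallHandle *call) {
    if (call == NULL || !call->entered) { g_bad_leave++; return; }
    call->entered = 0;
    g_depth--;
}

/* Stand-in for the string conversion: NULL models the failure case. */
static const char *value_to_string(const char *v) {
    return (v && *v) ? v : NULL;
}

/* Hardened shape. The pattern in the report declares `CallHandle *call;`
   with no initializer and calls leave_call(call) unconditionally, so the
   failure path passes an indeterminate pointer. Here the handle starts
   as NULL and is only left if it was actually entered. */
size_t get_value_string_len(const char *v) {
    CallHandle *call = NULL;
    size_t len = 0;
    const char *string = value_to_string(v);
    if (string) {
        call = enter_call();
        len = strlen(string);
    }
    if (call)                 /* leave only what was entered */
        leave_call(call);
    return len;
}
```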
Comment 1•13 years ago
Steve, can you take a look at this? (hg annotate fingered you.) It looks pretty easy.
Assignee: general → sphink
Comment 2•13 years ago
Luke smashes two bugs with a single blow! (Sorry I didn't get to this sooner -- I managed to screw up my bugmail filtering and didn't see it until just now.)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Component: JavaScript Engine → JavaScript Debugging/Profiling APIs
QA Contact: general → jsd
Updated•13 years ago
Crash Signature: [@ JS_LeaveCrossCompartmentCall ]
Updated•13 years ago
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine
Updated•13 years ago
Group: core-security