Bug 691873 (closed): opened 8 years ago, closed 8 years ago

js::types::TypeCompartment::addPending can write off end of pendingArray if OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set

Tracking


RESOLVED FIXED
Tracking Status
firefox7 - unaffected
firefox8 - unaffected
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: jimb, Assigned: bhackett)

Details

(Whiteboard: [sg:critical?][qa?])

Attachments

(1 file)

In TypeCompartment::addPending, we say:

    if (pendingCount == pendingCapacity)
        growPendingArray(cx);

    PendingWork &pending = pendingArray[pendingCount++];
    pending.constraint = constraint;
    pending.source = source;
    pending.type = type;

If growPendingArray fails because of OOM, then the writes to pending's referent's members are writing off the end of the array.

It looks as if, once pendingCount > pendingCapacity, we won't try to call growPendingArray any more, and all subsequent addPending calls will write off the end of that array, so we might be able to reach pretty far.
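The failure mode described above, as an added example that is not code from the Firefox tree or from the patch attached to this bug: a minimal pending-work queue whose growth routine can fail, with the unchecked push shape from the report beside a checked one. The `PendingQueue` type, the `failNextGrow` hook that simulates an allocation failure, and the `addPendingUnchecked` / `addPendingChecked` names are assumptions made for this example. The unchecked variant mirrors the original control flow but reports the slot index it would use instead of storing out of bounds, so the demo stays memory-safe while still showing that once `pendingCount` passes `pendingCapacity` the grow is never attempted again.

```cpp
// Added example, not code from the Firefox tree: a minimal pending-work
// queue reproducing the control flow described in the report, with a
// hypothetical allocation-failure hook so the OOM path can be exercised.
#include <cstdlib>
#include <cstddef>

struct PendingWork {
    int constraint;
    int source;
    int type;
};

struct PendingQueue {
    PendingWork *pendingArray = nullptr;
    size_t pendingCount = 0;
    size_t pendingCapacity = 0;
    bool failNextGrow = false;   // hypothetical test hook: fail the next grow as if OOM

    ~PendingQueue() { std::free(pendingArray); }

    // Doubles the backing array; returns false and leaves the queue untouched on OOM.
    bool growPendingArray() {
        if (failNextGrow) {
            failNextGrow = false;
            return false;
        }
        size_t newCapacity = pendingCapacity ? pendingCapacity * 2 : 4;
        PendingWork *grown = static_cast<PendingWork *>(
            std::realloc(pendingArray, newCapacity * sizeof(PendingWork)));
        if (!grown)
            return false;
        pendingArray = grown;
        pendingCapacity = newCapacity;
        return true;
    }

    // Buggy shape from the report: the result of growPendingArray() is ignored.
    // Returns the slot index the original code would store into. The store is
    // performed only when that index is in bounds, so this demo never corrupts
    // memory; callers compare the returned index against pendingCapacity.
    size_t addPendingUnchecked(int constraint, int source, int type) {
        if (pendingCount == pendingCapacity)
            growPendingArray();           // return value dropped, as in the original
        size_t slot = pendingCount++;     // advances even when growth failed
        if (slot < pendingCapacity) {
            PendingWork &pending = pendingArray[slot];
            pending.constraint = constraint;
            pending.source = source;
            pending.type = type;
        }
        return slot;
    }

    // Fixed shape: a failed grow aborts the push and is reported to the caller,
    // so pendingCount can never run past pendingCapacity.
    bool addPendingChecked(int constraint, int source, int type) {
        if (pendingCount == pendingCapacity && !growPendingArray())
            return false;                 // propagate OOM; nothing was written
        PendingWork &pending = pendingArray[pendingCount++];
        pending.constraint = constraint;
        pending.source = source;
        pending.type = type;
        return true;
    }

    // The invariant every OOM path must preserve.
    bool invariantHolds() const { return pendingCount <= pendingCapacity; }
};

// Drives the buggy path: fill the initial array, force one grow failure, then
// push pushesAfterFailure more times. Returns how many of those pushes landed
// on a slot outside the array. Because pendingCount != pendingCapacity after
// the first failure, none of the later pushes ever retries the grow.
size_t countOutOfBoundsSlots(size_t pushesAfterFailure) {
    PendingQueue q;
    for (int i = 0; i < 4; ++i)
        q.addPendingUnchecked(i, i, i);   // fills the initial 4-slot array
    q.failNextGrow = true;
    size_t oob = 0;
    for (size_t i = 0; i < pushesAfterFailure; ++i)
        if (q.addPendingUnchecked(0, 0, 0) >= q.pendingCapacity)
            ++oob;
    return oob;
}

// Same scenario on the fixed path: true when the failed push is reported, the
// invariant holds, and a retry after memory is available again succeeds.
bool checkedPathIsSafe() {
    PendingQueue q;
    for (int i = 0; i < 4; ++i)
        if (!q.addPendingChecked(i, i, i))
            return false;
    q.failNextGrow = true;
    bool rejected = !q.addPendingChecked(9, 9, 9);
    bool retried = q.addPendingChecked(9, 9, 9);  // hook cleared: grow succeeds
    return rejected && retried && q.invariantHolds() && q.pendingCount == 5;
}
```

With three pushes after the simulated failure, `countOutOfBoundsSlots(3)` reports all three as out of bounds, which is the "reach pretty far" observation from the report: the first failed grow leaves `pendingCount` ahead of `pendingCapacity`, and every later push simply increments past the array. The checked variant turns the same failure into a `false` return that the caller must handle, and the retry shows that refusing the push does not leave the queue in a broken state.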
sg:critical? assuming growPendingArray refers to the kind of array a web script can create and grow to an arbitrary size.
Whiteboard: [sg:critical?]
Attached patch: patch
Great catch, this was pretty braindead.
Assignee: general → bhackett1024
Attachment #565074 - Flags: review?(jimb)
Attachment #565074 - Flags: review?(jimb) → review+
Attachment #565074 - Flags: approval-mozilla-aurora?
Comment on attachment 565074 [details] [diff] [review]
patch

Approved for aurora per today's triage meeting.
Attachment #565074 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/1eca7dca8152

(This has been on m-c for several days but the bug wasn't updated).

https://hg.mozilla.org/releases/mozilla-aurora/rev/781ed08803ea
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Fixed in 9 and 10 per previous comment.
Is there something QA can do to verify this fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa?]
Group: core-security