Closed
Bug 691873
Opened 13 years ago
Closed 13 years ago
js::types::TypeCompartment::addPending can write off end of pendingArray if OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
Release | Tracking | Status
---|---|---
firefox7 | - | unaffected
firefox8 | - | unaffected
firefox9 | + | fixed
firefox10 | + | fixed
status1.9.2 | --- | unaffected
People
(Reporter: jimb, Assigned: bhackett1024)
Details
(Whiteboard: [sg:critical?][qa?])
Attachments
(1 file)
2.59 KB, patch (jimb: review+; jst: approval-mozilla-aurora+)
In TypeCompartment::addPending, we say:
if (pendingCount == pendingCapacity)
    growPendingArray(cx);
PendingWork &pending = pendingArray[pendingCount++];
pending.constraint = constraint;
pending.source = source;
pending.type = type;
If growPendingArray fails because of OOM, then the writes to pending's referent's members are writing off the end of the array.
It looks as if, once pendingCount > pendingCapacity, we won't try to call growPendingArray any more, and all subsequent addPending calls will write off the end of that array, so we might be able to reach pretty far.
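As an added illustration (this is not the attached patch, whose contents are not shown on this page), the same append logic written so that a failed growth is checked before the array is touched. PendingQueue, failNextAlloc and fillWithForcedOom are constructed stand-ins, not SpiderMonkey names.

```cpp
#include <cstdlib>
#include <cstring>

// Constructed stand-in for the pending-work entries; not the SpiderMonkey types.
struct PendingWork { int constraint; int source; int type; };

struct PendingQueue {
    PendingWork *pendingArray = nullptr;
    size_t pendingCount = 0;
    size_t pendingCapacity = 0;
    bool failNextAlloc = false;  // test hook: makes the next growth behave like an OOM
    // Grow the backing array; on failure return false and leave the old buffer intact.
    bool growPendingArray() {
        if (failNextAlloc) { failNextAlloc = false; return false; }
        size_t newCapacity = pendingCapacity ? pendingCapacity * 2 : 4;
        PendingWork *newArray = (PendingWork *)malloc(newCapacity * sizeof(PendingWork));
        if (!newArray) return false;
        if (pendingArray) {
            memcpy(newArray, pendingArray, pendingCount * sizeof(PendingWork));
            free(pendingArray);
        }
        pendingArray = newArray;
        pendingCapacity = newCapacity;
        return true;
    }
    // Hardened addPending: bail out before touching the array when growth fails.
    // pendingCount only advances after a successful growth, so the `==` check stays
    // reachable and a later call retries the growth instead of writing past the end.
    bool addPending(int constraint, int source, int type) {
        if (pendingCount == pendingCapacity && !growPendingArray())
            return false;  // propagate OOM to the caller
        PendingWork &pending = pendingArray[pendingCount++];
        pending.constraint = constraint;
        pending.source = source;
        pending.type = type;
        return true;
    }
    ~PendingQueue() { free(pendingArray); }
};

// Push six entries with the growth needed by the fifth forced to fail; returns how many
// appends succeeded, or -1 if pendingCount ever exceeded pendingCapacity.
int fillWithForcedOom() {
    PendingQueue q;
    int appended = 0;
    for (int i = 0; i < 6; i++) {
        if (i == 4) q.failNextAlloc = true;
        if (q.addPending(i, i, i)) appended++;
        if (q.pendingCount > q.pendingCapacity) return -1;
    }
    return appended;
}
```

The forced failure on the fifth push is rejected without an out-of-bounds write, and the sixth push grows the array normally, so five of six appends succeed.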
Comment 1•13 years ago
sg:critical? assuming growPendingArray refers to the kind of array a web script can create and grow to an arbitrary size.
Whiteboard: [sg:critical?]
Comment 2 (assignee)•13 years ago
Great catch, this was pretty braindead.
Assignee: general → bhackett1024
Attachment #565074 - Flags: review?(jimb)
Updated•13 years ago
status-firefox10: --- → affected
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox7: --- → -
tracking-firefox8: --- → -
tracking-firefox9: --- → +
Updated (reporter)•13 years ago
Attachment #565074 - Flags: review?(jimb) → review+
Comment 3 (assignee)•13 years ago
Updated (assignee)•13 years ago
Attachment #565074 - Flags: approval-mozilla-aurora?
Comment 4•13 years ago
Comment on attachment 565074 (patch)
Approved for aurora per today's triage meeting.
Attachment #565074 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 5 (assignee)•13 years ago
https://hg.mozilla.org/mozilla-central/rev/1eca7dca8152
(This has been on m-c for several days but the bug wasn't updated).
https://hg.mozilla.org/releases/mozilla-aurora/rev/781ed08803ea
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 6•13 years ago
Fixed in 9 and 10 per previous comment.
Is there something QA can do to verify this fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa?]
Updated•13 years ago
status1.9.2: --- → unaffected
Updated•13 years ago
Group: core-security