Bug 740609 - Crash [@ JS_HashString] under js::SaveScriptFilename
Status: RESOLVED FIXED
Whiteboard: [sg:dos null deref]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware: x86_64 Mac OS X
Priority/Severity: -- critical
Target Milestone: mozilla14
Assigned To: [PTO to Dec5] Bill McCloskey (:billm)
QA Contact: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: 326633 594645
Reported: 2012-03-29 14:39 PDT by Jesse Ruderman
Modified: 2012-04-13 04:25 PDT
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (crashes Firefox when loaded) (315 bytes, text/html) - 2012-03-29 14:39 PDT, Jesse Ruderman
stack trace (9.02 KB, text/plain) - 2012-03-29 14:39 PDT, Jesse Ruderman
patch (1.34 KB, patch) - 2012-04-11 16:09 PDT, [PTO to Dec5] Bill McCloskey (:billm) - luke: review+

Description Jesse Ruderman 2012-03-29 14:39:16 PDT
Created attachment 610699 [details]
testcase (crashes Firefox when loaded)

Might be a regression from bug 739694.
Comment 1 Jesse Ruderman 2012-03-29 14:39:45 PDT
Created attachment 610700 [details]
stack trace
Comment 2 Luke Wagner [:luke] 2012-03-29 14:43:06 PDT
Hmph, apparently script->filename can be null.
Comment 3 Daniel Veditz [:dveditz] 2012-04-04 10:57:18 PDT
Stack looks like a null deref (also noted in comment 2). Is there a worry about exploitability here or can we call this a DoS?
Comment 4 Luke Wagner [:luke] 2012-04-04 11:01:28 PDT
JS_HashString starts touching at offset 0, so safe low-memory fault.
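The point made in comments 2 and 4 is that a NULL script->filename reaches a string hash that reads from offset 0, so the fault lands on the unmapped low page (a clean crash, not a controlled write). The following is an added, constructed example and is not SpiderMonkey code or the patch attached to this bug: hash_cstring is a plain FNV-1a hash standing in for the engine's string hash, script_t is a hypothetical record whose filename may be NULL, and save_script_filename_hash shows the defensive shape of the fix, checking for a missing filename before hashing rather than relying on the low-memory fault.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the engine's string hash (FNV-1a, 32-bit).
 * Like the real one, the first thing it does is read s[0], which is why a
 * NULL pointer faults at address 0 instead of somewhere attacker-chosen. */
static uint32_t hash_cstring(const char *s)
{
    uint32_t h = 2166136261u;          /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;                /* FNV prime */
    }
    return h;
}

/* Hypothetical script record: filename is legitimately NULL for scripts
 * that have no source file (e.g. dynamically generated code). */
typedef struct {
    const char *filename;
} script_t;

/* Guarded version of the operation that crashed in this bug.
 * Returns 1 and stores the filename hash in *out, or returns 0 and leaves
 * *out untouched when there is no filename to intern. A caller that only
 * ever passed non-NULL filenames would have hashed unconditionally. */
static int save_script_filename_hash(const script_t *script, uint32_t *out)
{
    if (script == NULL || script->filename == NULL)
        return 0;                      /* nothing to save; do not dereference */
    *out = hash_cstring(script->filename);
    return 1;
}

/* Self-check: a script with a filename is hashed, one without is skipped. */
static int demo_guard(void)
{
    script_t named = { "example.js" };   /* constructed sample */
    script_t anonymous = { NULL };
    uint32_t h = 0;
    int saved_named = save_script_filename_hash(&named, &h);
    int saved_anon = save_script_filename_hash(&anonymous, &h);
    return saved_named == 1 && saved_anon == 0 && h == hash_cstring("example.js");
}
```

The check belongs at the point where the filename is consumed, because the invariant "every script has a filename" is what the crash disproved; the low-memory fault only makes the failure a denial of service rather than something worse.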
Comment 5 [PTO to Dec5] Bill McCloskey (:billm) 2012-04-11 16:09:35 PDT
Created attachment 614210 [details] [diff] [review]
patch
Comment 6 [PTO to Dec5] Bill McCloskey (:billm) 2012-04-12 11:05:48 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/8cf633d7a031
Comment 7 Marco Bonardo [::mak] 2012-04-13 04:25:35 PDT
https://hg.mozilla.org/mozilla-central/rev/8cf633d7a031
