Crash [@ JS_HashString] under js::SaveScriptFilename

RESOLVED FIXED in mozilla14

Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 5 years ago

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical

People: Reporter: Jesse Ruderman; Assigned: billm

Tracking: Blocks 2 bugs; Keywords: crash, testcase
Version: Trunk
Target Milestone: mozilla14
Hardware: x86_64, Mac OS X
Firefox Tracking Flags: Not tracked

Whiteboard: [sg:dos null deref]

Attachments: 3

Description (Reporter)

6 years ago
Created attachment 610699
testcase (crashes Firefox when loaded)

Might be a regression from bug 739694.

Comment 1 (Reporter)

6 years ago
Created attachment 610700
stack trace
Comment 2

6 years ago
Hmph, apparently script->filename can be null.
Assignee: nobody → general
Component: jemalloc → JavaScript Engine
QA Contact: jemalloc → general

Comment 3

Stack looks like a null deref (also noted in comment 2). Is there a worry about exploitability here or can we call this a DoS?

Comment 4

5 years ago
JS_HashString starts touching at offset 0, so safe low-memory fault.
Group: core-security
Whiteboard: [sg:dos null deref]
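Comment 2 observes that script->filename can be null, and comment 4 explains why the resulting crash is only a denial of service: the hash loop's first memory access is at offset 0 of the pointer, so a null pointer hits the unmapped low page and the process faults deterministically instead of reading anything useful. The following C program is an added illustration of that reasoning and of the guarded shape a fix takes; it is not code from this bug, the attached patch, or SpiderMonkey. The hash loop is a constructed rotate-xor string hash in the style of the classic JS_HashString loop, and the struct, function names and sample filenames are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate-xor string hash modelled on the classic JS_HashString-style loop.
 * Constructed for this example; not SpiderMonkey's code.
 * Its first memory access is *p at offset 0 of the input pointer, so for
 * s == NULL the read lands on the unmapped zero page and the process faults
 * immediately: the "safe low-memory fault" of comment 4, a crash but not a
 * read of attacker-influenced memory. */
static uint32_t hash_string(const char *s) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        h = ((h << 4) | (h >> 28)) ^ *p;   /* rotate left 4, xor byte */
    return h;
}

/* Minimal model (assumption) of a script record whose filename may be
 * absent, per comment 2: "script->filename can be null". */
struct script {
    const char *filename;
};

/* Before: hashes unconditionally, so a script with no filename reaches
 * hash_string(NULL) and crashes. Shown only for the unguarded shape;
 * callers must never pass a script whose filename is NULL. */
static uint32_t save_script_filename_unguarded(const struct script *sc) {
    return hash_string(sc->filename);
}

/* After: the caller owns the null check. A missing filename is a legitimate
 * state rather than something to hash, so report "nothing saved" (return 0,
 * *out = 0) instead of dereferencing the null pointer. */
static int save_script_filename(const struct script *sc, uint32_t *out) {
    if (sc->filename == NULL) {
        *out = 0;
        return 0;               /* nothing to save, no crash */
    }
    *out = hash_string(sc->filename);
    return 1;
}

int main(void) {
    struct script named = { "example.js" };   /* constructed sample input */
    struct script anonymous = { NULL };       /* constructed: no filename */
    uint32_t h;

    if (save_script_filename(&named, &h))
        printf("example.js -> 0x%08x\n", h);
    if (!save_script_filename(&anonymous, &h))
        printf("script without filename: skipped safely\n");
    return 0;
}
```

The guard belongs in the caller that knows a null filename is a valid state; leaving the hash function itself unchecked keeps it cheap and makes any remaining null caller fail loudly at offset 0 rather than silently hashing an empty value.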
Updated (Assignee)

5 years ago
Assignee: general → wmccloskey

Comment 5 (Assignee)

5 years ago
Created attachment 614210
patch
Attachment #614210 - Flags: review?(luke)

Updated

5 years ago
Attachment #614210 - Flags: review?(luke) → review+

Comment 6 (Assignee)

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8cf633d7a031
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/8cf633d7a031
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED