Bug 740609 - Crash [@ JS_HashString] under js::SaveScriptFilename
[sg:dos null deref]
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Mac OS X
-- critical
: mozilla14
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: 326633 594645
Reported: 2012-03-29 14:39 PDT by Jesse Ruderman
Modified: 2012-04-13 04:25 PDT (History)
5 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (crashes Firefox when loaded) (315 bytes, text/html)
2012-03-29 14:39 PDT, Jesse Ruderman
stack trace (9.02 KB, text/plain)
2012-03-29 14:39 PDT, Jesse Ruderman
patch (1.34 KB, patch)
2012-04-11 16:09 PDT, Bill McCloskey (:billm)
luke: review+

Description Jesse Ruderman 2012-03-29 14:39:16 PDT
Created attachment 610699 [details]
testcase (crashes Firefox when loaded)

Might be a regression from bug 739694.
Comment 1 Jesse Ruderman 2012-03-29 14:39:45 PDT
Created attachment 610700 [details]
stack trace
Comment 2 Luke Wagner [:luke] 2012-03-29 14:43:06 PDT
Hmph, apparently script->filename can be null.
Comment 3 Daniel Veditz [:dveditz] 2012-04-04 10:57:18 PDT
Stack looks like a null deref (also noted in comment 2). Is there a worry about exploitability here or can we call this a DoS?
Comment 4 Luke Wagner [:luke] 2012-04-04 11:01:28 PDT
JS_HashString starts touching at offset 0, so safe low-memory fault.
Comment 5 Bill McCloskey (:billm) 2012-04-11 16:09:35 PDT
Created attachment 614210 [details] [diff] [review]
Comment 7 Marco Bonardo [::mak] 2012-04-13 04:25:35 PDT
