Closed Bug 740609 Opened 8 years ago Closed 8 years ago

Crash [@ JS_HashString] under js::SaveScriptFilename

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla14

People

(Reporter: jruderman, Assigned: billm)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos null deref])

Attachments

(3 files)

Might be a regression from bug 739694.
Attached file stack trace
Hmph, apparently script->filename can be null.
Assignee: nobody → general
Component: jemalloc → JavaScript Engine
QA Contact: jemalloc → general
Stack looks like a null deref (also noted in comment 2). Is there a worry about exploitability here or can we call this a DoS?
JS_HashString starts touching at offset 0, so safe low-memory fault.
Group: core-security
Whiteboard: [sg:dos null deref]
Assignee: general → wmccloskey
Attachment #614210 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/8cf633d7a031
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED