765011 - Global-buffer-overflow in XPCWrappedNativeProto::GetScriptableInfo

Status: RESOLVED DUPLICATE of bug 752340

(Core :: XPConnect, defect)

Description

[Arthur Gerkis]

Attachment: ASan log

ASan reported global-buffer-overflow on build cf4face65451. Without test-case atm.

Comment 1

[Arthur Gerkis]

Attachment: test-case triggering the crash (*.zip)

After loading test-case, one have to wait ~7 seconds until crash.

Comment 2

[Andrew McCreight [:mccr8]]

this is weird:

0x7f5491d9ec10 is located 16 bytes to the left of global variable 'DeadObjectProxy::sDeadObjectFamily (/home/arthurg/Desktop/Firefox/src/js/src/jswrapper.cpp)' (0x7f5491d9ec20) of size 4
  'DeadObjectProxy::sDeadObjectFamily (/home/arthurg/Desktop/Firefox/src/js/src/jswrapper.cpp)' is ascii string ''
0x7f5491d9ec10 is located 24 bytes to the right of global variable 'js::CrossCompartmentWrapper::singleton (/home/arthurg/Desktop/Firefox/src/js/src/jswrapper.cpp)' (0x7f5491d9ebe0) of size 24

Comment 3

[Andrew McCreight [:mccr8]]

I'm pretty sure this is a dupe of bug 752340.  I can reproduce the crash locally fairly quickly, but with the patch in the other bug there's no crash after a couple of minutes.  Furthermore, when I add some assertions that check the underlying problem in bug 752340, the test case here asserts immediately without the patch, and not at all after a couple of minutes. (I haven't uploaded the assertion patch yet.)

Please reopen this bug if the patch doesn't fix it for you (or send mail to security@ if you aren't able to reopen the bug).  Thanks.