The following testcase asserts on mozilla-central revision 801ba75ac563 (no options required): deserialize(serialize(ArrayBuffer(0x7ffffffa)));
An opt-build is throwing "InternalError: size and count too large" so it might be that the condition is handled after the assertion. Still marking s-s until properly investigated to make sure this is the case.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   92092:7a601537cb88
user:        Tom Schuster
date:        Sat Jan 14 09:43:00 2012 -0800
summary:     Bug 711843 - Update JSAPI for typed arrays, remove uses of jstypedarray.h outside the engine [r=Waldo,bz,Ms2ger,bholley,bjacob,philikon,evilpie,bent,yourmama] [a=mfinkle thanks to gkw]

This iteration took 52.258 seconds to run.
Tom, can you take a look at this and check if it's a security problem?
So what happens here is that we happily serialize an ArrayBuffer that is not going to fit into an Uint8Array (at least that's what we try to assert). I think this comes down to allowing the construction of pretty huge ArrayBuffers compared to e.g. Int32Array. We should have a lower limit there. And an extra check for the result size of the structured cloning for good measure in serialize. We never actually construct the very huge Uint8Array, so we should be safe.
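The two checks comment 4 asks for (a length limit that is enforced by returning an error rather than by an assertion, and a size check on the serialized result before anything is allocated) as an added example; this is not SpiderMonkey code, the four-byte little-endian wire header and the MAX_BYTE_LENGTH constant are assumptions, and the real structured-clone format is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy wire format (assumption): 4-byte little-endian byte length, then payload. */
enum { HEADER_LEN = 4 };

/* Assumed limit; the engine's real typed-array limit is not stated on the page. */
static const uint32_t MAX_BYTE_LENGTH = 0x7fffffffu;

typedef enum { CLONE_OK = 0, CLONE_ERR_TOO_LARGE, CLONE_ERR_TRUNCATED, CLONE_ERR_OOM } CloneStatus;

/* Serialize a buffer. Oversized input is rejected with an error, not an assert. */
CloneStatus serialize_buffer(const uint8_t *src, uint32_t len, uint8_t **out, size_t *out_len) {
    if (len > MAX_BYTE_LENGTH) return CLONE_ERR_TOO_LARGE;
    size_t total = (size_t)HEADER_LEN + len;          /* cannot overflow: len <= 2^31-1 */
    uint8_t *buf = malloc(total);
    if (!buf) return CLONE_ERR_OOM;
    for (int i = 0; i < HEADER_LEN; i++) buf[i] = (uint8_t)(len >> (8 * i));
    memcpy(buf + HEADER_LEN, src, len);
    *out = buf; *out_len = total;
    return CLONE_OK;
}

/* Deserialize. The declared length is checked against the limit AND against the
 * bytes actually present before any allocation, so a forged header cannot drive
 * a huge allocation or an over-read of the wire buffer. */
CloneStatus deserialize_buffer(const uint8_t *wire, size_t wire_len, uint8_t **out, uint32_t *out_len) {
    if (wire_len < HEADER_LEN) return CLONE_ERR_TRUNCATED;
    uint32_t declared = 0;
    for (int i = 0; i < HEADER_LEN; i++) declared |= (uint32_t)wire[i] << (8 * i);
    if (declared > MAX_BYTE_LENGTH) return CLONE_ERR_TOO_LARGE;
    if (declared > wire_len - HEADER_LEN) return CLONE_ERR_TRUNCATED;
    uint8_t *data = malloc(declared ? declared : 1);  /* avoid malloc(0) portability quirks */
    if (!data) return CLONE_ERR_OOM;
    memcpy(data, wire + HEADER_LEN, declared);
    *out = data; *out_len = declared;
    return CLONE_OK;
}
```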
Opening based on comment 4.
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b842d26dd5f0).
It's likely bug 867329 fixed this, but I don't have time to double-check.
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #8)
> It's likely bug 867329 fixed this, but I don't have time to double-check.

Thanks, double checking now =)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   130528:06962a458da3
user:        Jeff Walden
date:        Tue Apr 30 18:15:15 2013 -0700
summary:     Bug 867329 - Make JS_NewUint8Array and friends accept any uint32_t as length and throw if the length is too big -- not assert when it's too big. r=sfink

This iteration took 321.514 seconds to run.
That sounds like a reasonable fix to me :)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 867329