Closed
Bug 889808
Opened 11 years ago
Closed 11 years ago
Crash on heap with ParallelArray and jump to invalid memory
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 888470
People: Reporter: decoder; Assignee: Unassigned
Description (Reporter: decoder)

The following testcase crashes on mozilla-central revision 4ffb23062b3b (threadsafe build, run with --fuzzing-safe --ion-eager):

gczeal(2);
(function(m) {
  return new ParallelArray([256], function(i) {
    return { valueOf: function() {}, y: i + ('captures: ') };
  }, m);
})("seq");

Comment 1 (Reporter) • 11 years ago
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0xf729c014 in ?? ()
(gdb) bt
#0  0xf729c014 in ?? ()
#1  0xf65304e0 in ?? ()
#2  0x00000004 in ?? ()
#3  0x07ffffff in ?? ()
#4  0x00000040 in ?? ()
#5  0x00000000 in ?? ()
(gdb) x /i $pc
=> 0xf729c014:  jmp    *0x4(%edi)
(gdb) info reg edi
edi            0x320033    3276851

From the pointer I assume that this could be a controllable jump, leading to code execution. Marking sec-critical.

Keywords: csec-wildptr, sec-critical
Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release