Closed Bug 894956 Opened 11 years ago Closed 11 years ago
Use-After-Free with JS::Compile
This is being discussed in another bug, but I'm pretty sure it's s-s. So I'm filing a security bug here. Basically, asm.js does a shallow copy of CompileOptions, and sticks it on the heap (see bug 892643 comment 5). But CompileOptions has a caller-allocated filename char*. And while there's no explicitly-documented contract of its lifetime, the only sane thing to assume is that it's stack-scoped along with the CompileOptions struct. So when we stick a copy of CompileOptions on the heap, we end up with a pointer to soon-to-be-dead memory, which is likely to cause a use-after-free. This is blocking gabor in bug 877673.
(though actually we may never write to it, so it might not be sec-critical. But either way this is simple enough that we should just fix it pronto).
Fix should land today.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
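The following is an added example, not code from SpiderMonkey or from this bug: it models the hazard described above with a hypothetical ShallowOptions struct (a non-owning char* filename, like the CompileOptions shape the report describes) next to a hypothetical OwningOptions that stores the filename in a std::string. The first function shows why a plain copy of the non-owning struct is unsafe to keep on the heap: it copies only the pointer, so whatever the caller later does to its buffer is visible through the copy (here the buffer is reused rather than freed, which keeps the demonstration well-defined; with a freed buffer it is the use-after-free the bug names). The remaining functions show the owning copy surviving the caller's stack frame. All names and the sample filenames are constructed for this example.

```cpp
#include <cstring>
#include <memory>
#include <string>

// Hypothetical stand-in for a CompileOptions-like struct whose `filename` is a
// caller-allocated char* the struct does not own (the shape this bug describes).
struct ShallowOptions {
    const char* filename;
};

// Hypothetical owning variant: the fix pattern, where every copy owns its own bytes.
struct OwningOptions {
    std::string filename;
};

// Models the reported hazard: a consumer keeps a plain copy of ShallowOptions, which
// copies only the pointer. Anything the caller later does to its buffer (reuse, free)
// shows through the copy. The buffer is reused here instead of freed so the code stays
// well-defined; with a freed buffer this is the use-after-free the bug describes.
bool shallowCopyAliasesCallerBuffer() {
    char callerBuffer[16] = "script.js";      // constructed sample filename
    ShallowOptions opts{callerBuffer};
    ShallowOptions heapStyleCopy = opts;      // shallow copy: pointer only, no bytes
    std::strcpy(callerBuffer, "other.js");    // caller reuses its buffer after the call
    // True: the copy never owned the bytes, so it observes the caller's later writes.
    return std::strcmp(heapStyleCopy.filename, "other.js") == 0;
}

// Hypothetical consumer that keeps options on the heap past the caller's frame.
// With the owning struct the stored copy is independent of the caller's memory.
std::unique_ptr<OwningOptions> storeOnHeap(const char* callerFilename) {
    auto stored = std::make_unique<OwningOptions>();
    stored->filename = callerFilename;        // std::string copies the bytes
    return stored;
}

// The caller's buffer lives only inside this function, exactly the stack-scoped
// lifetime the bug assumes; the heap copy it returns must not depend on it.
std::unique_ptr<OwningOptions> callerWithStackFilename() {
    char stackFilename[16] = "script.js";     // constructed, stack-scoped filename
    return storeOnHeap(stackFilename);
}   // stackFilename is gone here; the returned object is unaffected

// Reads the filename after the caller's frame has ended: safe with the owning copy.
std::string filenameAfterCallerReturned() {
    std::unique_ptr<OwningOptions> copy = callerWithStackFilename();
    return copy->filename;
}
```

The design point is the one the report makes: a struct that carries a raw pointer it does not own can be copied by value, but the copy must not outlive the memory the pointer refers to, so any consumer that needs heap lifetime has to copy the bytes (as OwningOptions does) rather than the pointer. AddressSanitizer is the practical check for the freed-buffer case this example deliberately avoids executing.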