Closed
Bug 894956
Opened 11 years ago
Closed 11 years ago
Use-After-Free with JS::CompileOptions
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 893684
People
(Reporter: bholley, Unassigned)
References
Details
(Keywords: sec-critical)
This is being discussed in another bug, but I'm pretty sure it's s-s. So I'm filing a security bug here. Basically, asm.js does a shallow copy of CompileOptions, and sticks it on the heap (see bug 892643 comment 5). But CompileOptions has a caller-allocated filename char*. And while there's no explicitly-documented contract of its lifetime, the only sane thing to assume is that it's stack-scoped along with the CompileOptions struct. So when we stick a copy of CompileOptions on the heap, we end up with a pointer to soon-to-be-dead memory, which is likely to cause a use-after-free. This is blocking gabor in bug 877673.
Comment 1 (Reporter)•11 years ago
(though actually we may never write to it, so it might not be sec-critical. But either way this is simple enough that we should just fix it pronto).
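The lifetime hazard described in this bug, as an added C++ illustration that is not SpiderMonkey code: BorrowingOptions is a hypothetical stand-in for JS::CompileOptions with its borrowed filename pointer, and HeapJobUnsafe / HeapJobSafe are hypothetical names for a shallow heap copy and an owning heap copy. The caller reuses its buffer instead of letting it go out of scope so the example stays well-defined.

```cpp
#include <cstring>
#include <memory>
#include <string>
#include <utility>

// Simplified stand-in (hypothetical) for JS::CompileOptions: the filename is a
// caller-allocated char* that the struct borrows and never owns.
struct BorrowingOptions {
    const char* filename = nullptr;
    unsigned lineno = 1;
};

// The pattern the bug describes: a shallow copy of the options lands on the
// heap, so the heap object keeps the caller's pointer past the caller's frame.
struct HeapJobUnsafe {
    BorrowingOptions opts;  // opts.filename still points at the caller's buffer
    explicit HeapJobUnsafe(const BorrowingOptions& o) : opts(o) {}
};

// Hardened form: the heap object owns its own copy of the filename bytes, so
// its lifetime no longer depends on the caller's stack.
struct HeapJobSafe {
    std::string filename;
    unsigned lineno;
    explicit HeapJobSafe(const BorrowingOptions& o)
        : filename(o.filename ? o.filename : ""), lineno(o.lineno) {}
};

// Returns what each heap job reports as its filename after the caller has
// reused the buffer it passed in. Reuse stands in for "buffer went out of
// scope" so the read stays well-defined; with a dead frame the unsafe read
// would be the use-after-free that AddressSanitizer flags.
std::pair<std::string, std::string> filenamesAfterCallerReusesBuffer() {
    char buf[32];
    std::strcpy(buf, "module-a.js");
    BorrowingOptions opts;
    opts.filename = buf;  // stack-scoped, exactly as the bug assumes

    std::unique_ptr<HeapJobUnsafe> unsafeJob(new HeapJobUnsafe(opts));
    std::unique_ptr<HeapJobSafe> safeJob(new HeapJobSafe(opts));

    std::strcpy(buf, "other.js");  // caller moves on and reuses its buffer

    // Unsafe copy now reports the reused contents; safe copy is unaffected.
    return std::make_pair(std::string(unsafeJob->opts.filename),
                          safeJob->filename);
}
```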
Comment 2•11 years ago
Fix should land today.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release