Closed Bug 912594 Opened 11 years ago Closed 2 months ago

unchecked malloc call in js/src/dtoa.c

Categories

(Core :: JavaScript Engine, defect)

RESOLVED WORKSFORME

People

(Reporter: sunfish, Unassigned)

Details

Following up on Bug 910814, js_strtod_harder's JS_DTOA_ENOMEM error code is also never used. In fact, the err argument is just always set to zero.

dtoa.c used to have malloc checking code, and JS_DTOA_ENOMEM used to be hooked up to it, but it was removed in 222c29336422. The result is that the malloc calls within Balloc in dtoa.c are not checked. However, they are immediately dereferenced, so it appears unlikely that a failed malloc would do anything but crash with a null page dereference.
Assignee: general → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → WORKSFORME
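
The failure mode described in the report, as an added example that is not taken from the bug or from dtoa.c: a simplified Balloc-style allocator that checks its allocation, and a caller that reports the failure through an err out-parameter instead of always leaving it at zero. All names (DemoBigint, demo_balloc, demo_convert, the DEMO_DTOA_* values) and the injectable allocator hook are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* All names and values are hypothetical; this is not the dtoa.c source. */
enum { DEMO_DTOA_OK = 0, DEMO_DTOA_ENOMEM = 1 };

typedef struct DemoBigint {
    int k;          /* size class: capacity is 1 << k words */
    int maxwds;
    uint32_t x[1];  /* first word of the trailing storage */
} DemoBigint;

/* Allocator hook so a failed malloc can be simulated. */
typedef void *(*demo_alloc_fn)(size_t);
static void *demo_failing_alloc(size_t n) { (void)n; return NULL; }

/* Checked allocation: returns NULL instead of writing through a null pointer. */
static DemoBigint *demo_balloc(int k, demo_alloc_fn alloc)
{
    if (k < 0 || k > 20)  /* out-of-range size class, refused like a failed allocation */
        return NULL;
    size_t words = (size_t)1 << k;
    DemoBigint *b = alloc(sizeof(DemoBigint) + (words - 1) * sizeof(uint32_t));
    if (b == NULL)
        return NULL;      /* an unchecked version would run b->k = k on NULL here */
    b->k = k;
    b->maxwds = (int)words;
    return b;
}

/* Caller that reports the failure through its err out-parameter. */
static int demo_convert(int k, demo_alloc_fn alloc, int *err)
{
    *err = DEMO_DTOA_OK;
    DemoBigint *b = demo_balloc(k, alloc);
    if (b == NULL) {
        *err = DEMO_DTOA_ENOMEM;
        return -1;
    }
    int capacity = b->maxwds;
    free(b);
    return capacity;
}

int main(void) {
    int err;
    demo_convert(3, demo_failing_alloc, &err);
    return err == DEMO_DTOA_ENOMEM ? 0 : 1;
}
```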