Closed Bug 948187 Opened 11 years ago Closed 11 years ago

Handle OOM in NewPropertyIteratorObject

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 948188

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

js-NewPropertyIteratorObject-oom.patch
1.12 KB, patch
Details | Diff | Splinter Review 
In NewPropertyIteratorObject we seem to be calling NewBuiltinClassInstance without checking its return value, although it's fallible:

>     return &NewBuiltinClassInstance(cx, &PropertyIteratorObject::class_)->as<PropertyIteratorObject>();


The attached patch checks the return value first and returns NULL on failure. This fixes an OOM crash bug for me that the fuzzer keeps hitting.
Nice.. now we have two bugs. Horray Bugzilla for messing the forms up.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: