Closed Bug 965904 Opened 11 years ago Closed 11 years ago

Fix array-related rooting hazards in the browser

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla29
Tracking Status
firefox28 --- unaffected
firefox29 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: jonco, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, regression, sec-high)

Attachments

(1 file)

Looking through the new unsafe reference warnings produced in the wake of bug 963738 found 6 new rooting hazards. Fixed by using AutoValueVector to hold and root the contents of the arrays.
Attachment #8368059 - Flags: review?(terrence)
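Added illustration, not code from the patch or from SpiderMonkey: a toy moving collector showing why an array of GC things kept in a container the collector cannot see becomes the use-after-free class named in the keywords, and why holding the contents in a rooted vector avoids it. `ToyHeap`, `ToyRootedVector` and `survivors` are hypothetical names; only the idea of rooting the array contents comes from the description above.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <vector>

// Toy moving collector (constructed model, not SpiderMonkey code): each GC moves
// cells reachable from registered roots to fresh addresses and frees the rest.
// Addresses are never reused, so a stale one is detected instead of being a real UAF.
using Addr = std::uint32_t;
const int FREED = -1;

struct ToyHeap {
    std::map<Addr, int> cells;                // address -> payload
    std::set<std::vector<Addr>*> rootedVecs;  // vectors the GC traces and updates
    Addr next = 1;
    Addr alloc(int payload) { cells[next] = payload; return next++; }
    int read(Addr a) const { auto it = cells.find(a); return it == cells.end() ? FREED : it->second; }
    void gc() {
        std::map<Addr, int> moved;
        for (auto* vec : rootedVecs)
            for (Addr& a : *vec) {            // trace each root, rewrite it in place
                int payload = cells.at(a);
                a = next++;
                moved[a] = payload;
            }
        cells.swap(moved);                    // unreachable cells are gone
    }
};

// RAII root standing in for the role AutoValueVector plays in the fix.
struct ToyRootedVector {
    ToyHeap& heap;
    std::vector<Addr> vals;
    explicit ToyRootedVector(ToyHeap& h) : heap(h) { heap.rootedVecs.insert(&vals); }
    ~ToyRootedVector() { heap.rootedVecs.erase(&vals); }
};

// Number of the n array elements still readable after a GC runs mid-function.
int survivors(bool rooted, int n) {
    ToyHeap heap;
    ToyRootedVector root(heap);
    std::vector<Addr> raw;                    // the hazard: GC cannot see this array
    std::vector<Addr>& arr = rooted ? root.vals : raw;
    for (int i = 0; i < n; ++i) arr.push_back(heap.alloc(i * 10));
    heap.gc();
    int ok = 0;
    for (int i = 0; i < n; ++i) ok += heap.read(arr[i]) == i * 10;
    return ok;
}
```

In the model every element of the unrooted array is stale after the collection, while the rooted vector's entries are rewritten to the cells' new addresses and stay readable.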
Exact rooting is trunk-only.
Comment on attachment 8368059
fix-unrooted-arrays

Review of attachment 8368059:
-----------------------------------------------------------------

Great! r=me. Let's get this in as-is right now and do a follow-up to remove the resize and use inline slots once we've exposed that template parameter.
Attachment #8368059 - Flags: review?(terrence) → review+
Whiteboard: [leave open
Followup is happening in bug 965830, so closing this as fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [leave open
Target Milestone: --- → mozilla29
Group: core-security