Closed Bug 989665 Opened 6 years ago Closed 6 years ago

Worker console: "Assertion failure: strings->Length() <= aData"

Categories

(Core :: DOM: Workers, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla31
Tracking Status
firefox30 --- unaffected
firefox31 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file testcase
Assertion failure: strings->Length() <= aData, at dom/base/Console.cpp:77
Bug 989666 has a related testcase that asserts elsewhere.
Attached patch crash.patchSplinter Review
Attachment #8399049 - Flags: review?(bzbarsky)
This doesn't look s-s if that patch is all that's needed here.
Comment on attachment 8399049 [details] [diff] [review]
crash.patch

Er, yes.
Attachment #8399049 - Flags: review?(bzbarsky) → review+
Comment on attachment 8399049 [details] [diff] [review]
crash.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Hard. just debug builds.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Almost.

Which older supported branches are affected by this flaw?
0

If not all supported branches, which bug introduced the flaw?
bug 965860

How likely is this patch to cause regressions; how much testing does it need?
There is a mochitest included in the patch.
Attachment #8399049 - Flags: sec-approval?
This can't be approved for checkin without a security rating. Do you have a suggested rating here? How exploitable is this?

By "0" branches being affected, do you mean that this is entirely Trunk only? If that's the case, it doesn't need sec-approval and can just be checked in (see https://wiki.mozilla.org/Security/Bug_Approval_Process for details).
(In reply to Al Billings [:abillings] from comment #6)
> This can't be approved for checkin without a security rating. Do you have a
> suggested rating here? How exploitable is this?

I don't think it's exploitable at all. It was a MOZ_ASSERT used on debug builds only.

> 
> By "0" branches being affected, do you mean that this is entirely Trunk
> only? If that's the case, it doesn't need sec-approval and can just be
> checked in (see https://wiki.mozilla.org/Security/Bug_Approval_Process for
> details).

Right. I think Console API in C++ is still in trunk only.
Keywords: checkin-needed
OS: Mac OS X → All
Hardware: x86_64 → All
landed https://hg.mozilla.org/mozilla-central/rev/61b1f28c3c16
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Duplicate of this bug: 989666
Comment on attachment 8399049 [details] [diff] [review]
crash.patch

Clearing sec-approval flag.
Attachment #8399049 - Flags: sec-approval?
Blocks: 1183926
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.