Closed Bug 989665 Opened 10 years ago Closed 10 years ago

Worker console: "Assertion failure: strings->Length() <= aData"

Categories

(Core :: DOM: Workers, defect)

Product:
Core
Component:
DOM: Workers
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla31
Tracking Flags:
Tracking Status
firefox30 --- unaffected
firefox31 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

testcase
127 bytes, text/html
Details
crash.patch
2.26 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached file testcase 
Assertion failure: strings->Length() <= aData, at dom/base/Console.cpp:77
Bug 989666 has a related testcase that asserts elsewhere.
Attached patch crash.patchSplinter Review 

        Attachment #8399049 -
        Flags: review?(bzbarsky)

    
    

    
  
This doesn't look s-s if that patch is all that's needed here.

    
    

    
  
Comment on attachment 8399049 [details] [diff] [review]
crash.patch

Er, yes.

        Attachment #8399049 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
Comment on attachment 8399049 [details] [diff] [review]
crash.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Hard. just debug builds.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Almost.

Which older supported branches are affected by this flaw?
0

If not all supported branches, which bug introduced the flaw?
bug 965860

How likely is this patch to cause regressions; how much testing does it need?
There is a mochitest included in the patch.

        Attachment #8399049 -
        Flags: sec-approval?

    
    

    
  
This can't be approved for checkin without a security rating. Do you have a suggested rating here? How exploitable is this?

By "0" branches being affected, do you mean that this is entirely Trunk only? If that's the case, it doesn't need sec-approval and can just be checked in (see https://wiki.mozilla.org/Security/Bug_Approval_Process for details).

    
    

    
  
(In reply to Al Billings [:abillings] from comment #6)
> This can't be approved for checkin without a security rating. Do you have a
> suggested rating here? How exploitable is this?

I don't think it's exploitable at all. It was a MOZ_ASSERT used on debug builds only.

> 
> By "0" branches being affected, do you mean that this is entirely Trunk
> only? If that's the case, it doesn't need sec-approval and can just be
> checked in (see https://wiki.mozilla.org/Security/Bug_Approval_Process for
> details).

Right. I think Console API in C++ is still in trunk only.
Keywords: checkin-needed
OS: Mac OS X → All
Hardware: x86_64 → All

    
    

    
  
landed https://hg.mozilla.org/mozilla-central/rev/61b1f28c3c16
Status: NEW → RESOLVED
Closed: 10 years ago

          status-firefox31:
          --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla31

    
    

    
  
Comment on attachment 8399049 [details] [diff] [review]
crash.patch

Clearing sec-approval flag.

        Attachment #8399049 -
        Flags: sec-approval?

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: