Closed Bug 99667 Opened 23 years ago Closed 23 years ago

Crash in ParseAtom()

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 98306

People

(Reporter: jst, Assigned: rogerl)

References

()

Details

Attachments

(2 files)

Loading the above url mozilla sometimes, not always, crashes in ParseAtom() in the JS engine, the crash always seems to happen in the exact same place tho. ParseAtom() is asked to parse the string "[", so |cp| points to the string "]" and here's what happens: switch(*cp) { ... case '[' : cp++; // step over the '[', |cp| now points to the null terminator ... while ((c = *++cp) != ']') { ... } } So |c = *++cp| steps past the null terminator and starts accessing memory beond the end of the string.
Attached file Offending JS file.
Attached patch Proposed fix.Splinter Review
Confirmed - I believe this is bug 98306, however - *** This bug has been marked as a duplicate of 98306 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Marking Verified - Now that bug 98306 has been fixed, the URL given above loads without crashing in both trunk and 0.9.4 branch builds on WinNT, Mac 9.1, and Linux.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: