Closed
Bug 99667
Opened 23 years ago
Closed 23 years ago
Crash in ParseAtom()
Categories
(Core :: JavaScript Engine, defect)
People
(Reporter: jst, Assigned: rogerl)
Attachments (2 files)
2.19 KB, text/plain
1.60 KB, patch
When loading the above URL, Mozilla sometimes (not always) crashes in ParseAtom() in
the JS engine; the crash always seems to happen in the exact same place, though.
ParseAtom() is asked to parse the string "[", so |cp| points to the string "]"
and here's what happens:
    switch(*cp) {
    ...
    case '[' :
        cp++; // step over the '[', |cp| now points to the null terminator
        ...
        while ((c = *++cp) != ']') {
            ...
        }
    }
So |c = *++cp| steps past the null terminator and starts accessing memory beyond
the end of the string.
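Added example (not part of the original report and not the engine's code): a bounds-checked version of the character-class scan described above, which reports an unterminated class such as "[" as an error instead of reading past the terminator. The names scan_class and class_end_offset are hypothetical, and the sample patterns are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not engine code. cp points at '[' and end points one
 * past the last pattern character. Returns the closing ']' or NULL when the
 * class is unterminated. Every dereference is preceded by a cp < end check,
 * unlike `while ((c = *++cp) != ']')`, which advances before it tests. */
static const char *scan_class(const char *cp, const char *end)
{
    if (cp >= end || *cp != '[')
        return NULL;
    cp++;                               /* step over the '[' */
    if (cp < end && *cp == '^')         /* optional negation marker */
        cp++;
    for (; cp < end; cp++) {
        if (*cp == '\\') {              /* escaped character: skip it */
            if (++cp >= end)
                return NULL;            /* pattern ends after a backslash */
            continue;
        }
        if (*cp == ']')
            return cp;
    }
    return NULL;                        /* ran out of input: report an error */
}

/* Offset of the closing ']' in a NUL-terminated pattern, or -1 on error. */
static long class_end_offset(const char *pattern)
{
    const char *close = scan_class(pattern, pattern + strlen(pattern));
    return close ? (long)(close - pattern) : -1;
}

int main(void)
{
    /* Constructed sample patterns; "[" is the input from the report. */
    const char *samples[] = { "[", "[abc]", "[^a\\]b]", "[\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %ld\n", samples[i], class_end_offset(samples[i]));
    return 0;
}
```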
Comment 1 (Reporter) • 23 years ago
Comment 2 (Reporter) • 23 years ago
Comment 3 • 23 years ago
Confirmed - I believe this is bug 98306, however -
*** This bug has been marked as a duplicate of 98306 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Comment 4 • 23 years ago
Marking Verified -
Now that bug 98306 has been fixed, the URL given above loads without crashing
in both trunk and 0.9.4 branch builds on WinNT, Mac 9.1, and Linux.
Status: RESOLVED → VERIFIED