Closed Bug 99667 Opened 23 years ago Closed 23 years ago

Crash in ParseAtom()

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 2000
defect
Not set
normal

VERIFIED DUPLICATE of bug 98306

People

(Reporter: jst, Assigned: rogerl)

Attachments

(2 files)

Loading the above URL, Mozilla sometimes, not always, crashes in ParseAtom() in
the JS engine; the crash always seems to happen in the exact same place tho.

ParseAtom() is asked to parse the string "[", so |cp| points to the string "]"
and here's what happens:

  switch(*cp) {
    ...
    case '[' :
      cp++; // step over the '[', |cp| now points to the null terminator
      ...
      while ((c = *++cp) != ']') {
        ...
      }
  }

So |c = *++cp| steps past the null terminator and starts accessing memory beyond
the end of the string.
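To make the failure mode in the report concrete, here is an added illustration; it is not SpiderMonkey's ParseAtom() and not the attached patch. `scan_class_buggy` reproduces the shape of the quoted loop (cp++ followed by *++cp, so the byte after '[' is never compared against the terminator), and `scan_class_checked` is one defensive shape that stops at the NUL instead. The input buffers are constructed for the demo: `kUnterminated` places a ']' a couple of bytes after the NUL so the over-read stays inside a buffer we own and can be observed as an offset rather than as a crash.

```c
#include <stdio.h>

/* Constructed inputs (not from the bug's attachment). kUnterminated models the
 * report's case: the token "[" ends at index 1 with a NUL, and the bytes after
 * it stand in for whatever happens to follow the string in memory. */
const char kUnterminated[] = { '[', '\0', 'x', 'x', ']', '\0' };
const char kWellFormed[]   = { '[', 'a', 'b', 'c', ']', '\0' };

/* Scan shaped like the loop quoted in the report (hypothetical helper, not
 * SpiderMonkey's code): after cp++ lands on the byte following '[', *++cp
 * advances again before looking, so the terminator is never compared against
 * anything and the loop only stops on the next ']' it happens to find.
 * Returns the offset of the closing ']' relative to the start of the string. */
long scan_class_buggy(const char *s) {
    const char *cp = s;
    char c;
    if (*cp != '[') return -1;
    cp++;                          /* step over '['; on "[" this is the NUL */
    while ((c = *++cp) != ']') {   /* reads past the NUL without checking it */
        (void)c;                   /* ... per-character handling elided ... */
    }
    return (long)(cp - s);
}

/* Hardened shape: examine every byte, and treat the terminator as an
 * "unterminated class" error (-1) instead of scanning on past it. */
long scan_class_checked(const char *s) {
    const char *cp = s;
    if (*cp != '[') return -1;
    for (cp++; *cp != ']'; cp++) {
        if (*cp == '\0') return -1; /* end of string reached before ']' */
        /* ... per-character handling elided ... */
    }
    return (long)(cp - s);
}

int main(void) {
    printf("buggy   unterminated: %ld (stopped at a ']' past the terminator)\n",
           scan_class_buggy(kUnterminated));
    printf("checked unterminated: %ld\n", scan_class_checked(kUnterminated));
    printf("buggy   well-formed:  %ld\n", scan_class_buggy(kWellFormed));
    printf("checked well-formed:  %ld\n", scan_class_checked(kWellFormed));
    return 0;
}
```

On the well-formed input both scans agree (offset 4); on the unterminated input the buggy scan reports offset 4 as well, which is three bytes past the terminator at index 1, while the checked scan returns -1. In the real engine the memory after the terminator is not a friendly buffer, so the same loop either finds a stray ']' by luck or faults, which matches the "sometimes, not always" crash described above.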
Attached file Offending JS file.
Attached patch Proposed fix.
Confirmed - I believe this is bug 98306, however -

*** This bug has been marked as a duplicate of 98306 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Marking Verified - 

Now that bug 98306 has been fixed, the URL given above loads without crashing
in both trunk and 0.9.4 branch builds on WinNT, Mac 9.1, and Linux.
Status: RESOLVED → VERIFIED