Closed Bug 64958 Opened 24 years ago Closed 24 years ago

JS_ClearScope array bounds write on unmutated native objects

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla0.8

People

(Reporter: brendan, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(2 files)

because it blindly uses the shared prototype scope's map.nslots to count the number of slots in the unmutated object, which has only JS_INITIAL_NSLOTS slots until mutated. Thanks to ian.brown@printsoft.de for pointing this out in the news://news.mozilla.org/netscape.public.mozilla.jseng group. Patch coming up. /be
Status: NEW → ASSIGNED
Keywords: crash, js1.5, mozilla0.8
Summary: JS_ClearScope doesn't work on unmutated native objects → JS_ClearScope array bounds write on unmutated native objects
Target Milestone: --- → mozilla0.8
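Added example, not from this bug, its (deleted) patch, or SpiderMonkey: a self-contained C model of the failure comment 0 describes. An unmutated native object still shares its prototype's scope, so a clear routine that trusts that scope's map.nslots writes past the JS_INITIAL_NSLOTS slots the object actually has. The struct layouts, the value of JS_INITIAL_NSLOTS, the prototype slot count, and the ownership test used in the "fixed" routine are all assumptions made for illustration. The words beyond the object's slots are canaries inside the same allocation, so the demonstration stays memory-safe while still showing the overwrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values and layouts for this model; not SpiderMonkey's definitions. */
#define JS_INITIAL_NSLOTS 5     /* slots every native object has before it is mutated */
#define PROTO_NSLOTS      8     /* the prototype has grown: its scope asks for 8 slots */
#define CANARY            0xDEADBEEFu

typedef uint32_t jsval;
#define JSVAL_VOID ((jsval)0)

struct JSObject;

typedef struct JSScope {
    struct JSObject *object;        /* the object that owns (has mutated) this scope */
    struct { size_t nslots; } map;  /* slot count the OWNER needs */
} JSScope;

typedef struct JSObject {
    JSScope *scope;                 /* shared with the prototype until mutated */
    jsval   *slots;                 /* only JS_INITIAL_NSLOTS entries on an unmutated object */
} JSObject;

/* Pre-fix logic: count slots with the scope's map.nslots, whoever owns the scope. */
static void clear_scope_buggy(JSObject *obj)
{
    for (size_t i = 0; i < obj->scope->map.nslots; i++)
        obj->slots[i] = JSVAL_VOID;     /* runs past the object's real slots */
}

/* Fixed logic as modelled here (assumption, the real patch is not on the page):
 * an object that does not own its scope is unmutated and has only
 * JS_INITIAL_NSLOTS slots; only an owner's scope describes its slot count. */
static void clear_scope_fixed(JSObject *obj)
{
    size_t n = (obj->scope->object == obj) ? obj->scope->map.nslots
                                           : JS_INITIAL_NSLOTS;
    for (size_t i = 0; i < n; i++)
        obj->slots[i] = JSVAL_VOID;
}

typedef struct {
    size_t cleared;    /* own slots that were set to JSVAL_VOID */
    size_t clobbered;  /* canary words beyond the own slots that were overwritten */
} ClearResult;

/* Build an unmutated object that shares a prototype scope whose map.nslots is
 * PROTO_NSLOTS, run one clear routine, and measure what it wrote. */
static ClearResult clear_result(void (*clear)(JSObject *))
{
    jsval storage[PROTO_NSLOTS];    /* slots 0..4 belong to obj, 5..7 are canaries */
    JSObject proto, obj;
    JSScope shared = { &proto, { PROTO_NSLOTS } };
    ClearResult r = { 0, 0 };

    for (size_t i = 0; i < PROTO_NSLOTS; i++)
        storage[i] = (i < JS_INITIAL_NSLOTS) ? 1 : CANARY;

    proto.scope = &shared;
    proto.slots = NULL;             /* the prototype's own slots play no part here */
    obj.scope   = &shared;          /* unmutated: borrows the prototype's scope */
    obj.slots   = storage;          /* but only owns the first JS_INITIAL_NSLOTS */

    clear(&obj);

    for (size_t i = 0; i < JS_INITIAL_NSLOTS; i++)
        if (storage[i] == JSVAL_VOID) r.cleared++;
    for (size_t i = JS_INITIAL_NSLOTS; i < PROTO_NSLOTS; i++)
        if (storage[i] != CANARY) r.clobbered++;
    return r;
}

int main(void)
{
    ClearResult b = clear_result(clear_scope_buggy);
    ClearResult f = clear_result(clear_scope_fixed);
    printf("buggy: cleared %zu own slot(s), overwrote %zu word(s) past them\n",
           b.cleared, b.clobbered);
    printf("fixed: cleared %zu own slot(s), overwrote %zu word(s) past them\n",
           f.cleared, f.clobbered);
    return 0;
}
```

In the model the buggy routine clears the five own slots and then overwrites all three canary words; the fixed routine clears the same five slots and touches nothing beyond them. In a real heap the overwritten words would be whatever allocation follows the object, which is why the report is filed as a crash rather than a functional defect.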
Attached patch: proposed fix (deleted)
Looking for quick review and approval. /be
Keywords: patch, review
I'll buy that. sr=jband
mccabe, can you r=? Thanks. /be
Severity: normal → major
Priority: -- → P1
r=shaver, it's Obviously Correct(tm).
Keywords: review
Fix checked in, thanks. /be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking Verified -
Status: RESOLVED → VERIFIED
Keywords: mozilla0.8