Closed
Bug 64958
Opened 24 years ago
Closed 24 years ago
JS_ClearScope array bounds write on unmutated native objects
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
(Status: VERIFIED FIXED, Target Milestone: mozilla0.8)
People
(Reporter: brendan, Assigned: brendan)
Details
(Keywords: crash, js1.5)
Attachments
(2 files)
(deleted), patch
(deleted), patch
Description
because it blindly uses the shared prototype scope's map.nslots to count the
number of slots in the unmutated object, which has only JS_INITIAL_NSLOTS slots
until mutated. Thanks to ian.brown@printsoft.de for pointing this out in the
news://news.mozilla.org/netscape.public.mozilla.jseng group.
Patch coming up.
/be
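A constructed C model of the defect described above, added here as an illustration; it is not SpiderMonkey's JS_ClearScope nor the attached patch. The value of JS_INITIAL_NSLOTS, the slot contents and the clamp used as the hardened variant are assumptions of the model: an unmutated object keeps pointing at the prototype's scope, so a clear routine that trusts that scope's nslots walks past the object's own slot array.

```c
#include <stddef.h>

#define JS_INITIAL_NSLOTS 5   /* assumed for this model */
#define JSVAL_VOID (-1)       /* stand-in for the engine's void value */

typedef struct { size_t nslots; } JSScope;   /* the shared scope map */

/* Unmutated objects share the prototype's scope but own only JS_INITIAL_NSLOTS slots. */
typedef struct { JSScope *scope; size_t own_nslots; int slots[JS_INITIAL_NSLOTS]; } JSObject;

static JSObject fresh_object(JSScope *proto_scope) {
    JSObject obj = { proto_scope, JS_INITIAL_NSLOTS, {0} };
    for (size_t i = 0; i < JS_INITIAL_NSLOTS; i++)
        obj.slots[i] = 42;    /* live values, not yet cleared */
    return obj;
}

/* Buggy pattern: trust the shared map.nslots. Instead of doing the
 * out-of-bounds stores, report how many slots lie past the object's array. */
static size_t clear_scope_buggy_overrun(const JSObject *obj) {
    size_t n = obj->scope->nslots;
    return n > obj->own_nslots ? n - obj->own_nslots : 0;
}

/* Hardened pattern (assumed mitigation): clamp to what this object allocated. */
static size_t clear_scope_fixed(JSObject *obj) {
    size_t n = obj->scope->nslots;
    if (n > obj->own_nslots) n = obj->own_nslots;
    for (size_t i = 0; i < n; i++) obj->slots[i] = JSVAL_VOID;
    return n;
}

/* Scenario: the prototype's scope has grown to proto_nslots properties. */
size_t buggy_overrun_for(size_t proto_nslots) {
    JSScope proto = { proto_nslots };
    JSObject obj = fresh_object(&proto);
    return clear_scope_buggy_overrun(&obj);
}

/* Same scenario through the hardened clear: slots cleared, or (size_t)-1
 * if a cleared slot is not void afterwards. */
size_t fixed_cleared_for(size_t proto_nslots) {
    JSScope proto = { proto_nslots };
    JSObject obj = fresh_object(&proto);
    size_t n = clear_scope_fixed(&obj);
    for (size_t i = 0; i < n; i++)
        if (obj.slots[i] != JSVAL_VOID) return (size_t)-1;
    return n;
}
```

With a prototype whose scope grew to 12 slots, the buggy count overruns the fresh object's 5-slot array by 7 entries, while the clamped clear touches exactly 5.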
Updated•24 years ago
Status: NEW → ASSIGNED
Summary: JS_ClearScope doesn't work on unmutated native objects → JS_ClearScope array bounds write on unmutated native objects
Target Milestone: --- → mozilla0.8
Comment 1•24 years ago
Comment 2•24 years ago
Looking for quick review and approval.
/be
Comment 3•24 years ago
Comment 4•24 years ago
I'll buy that. sr=jband
Comment 5•24 years ago
mccabe, can you r=? Thanks.
/be
Severity: normal → major
Priority: -- → P1
r=shaver, it's Obviously Correct(tm).
Keywords: review
Comment 7•24 years ago
Fix checked in, thanks.
/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Updated•24 years ago
Keywords: mozilla0.8