Closed Bug 698139 Opened 13 years ago Closed 13 years ago

[meta] Dense array overflows

Tracking

()

Status:

RESOLVED INVALID

People

(Reporter: terrence, Assigned: terrence)

References

Details

(Whiteboard: [sg:nse meta])

Terrence Cole [:terrence]

Assignee

Description

•

13 years ago

I found at least one potentially exploitable overflow in InitArrayElements, and I think several others that I am in the process of understanding.

Terrence Cole [:terrence]

Assignee

Updated

•

13 years ago

Depends on: 698140

Johnny Stenback (:jst)

Updated

•

13 years ago

Whiteboard: [sg:nse meta]

Terrence Cole [:terrence]

Assignee

Updated

•

13 years ago

Depends on: 699674

Terrence Cole [:terrence]

Assignee

Comment 1

•

13 years ago

I was missing a core assumption of the DenseArray paths: DenseArray size is int32, not uint32. The code looks much safer with this knowledge.

Status: NEW → RESOLVED

Closed: 13 years ago

Resolution: --- → INVALID

Daniel Veditz [:dveditz]

Updated

•

12 years ago

Group: core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

[meta] Dense array overflows

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: terrence, Assigned: terrence)

References

Details

(Whiteboard: [sg:nse meta])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Comment 1

Updated