Improper variable checking can cause Gecko-based browsers to crash when handling PAC scripts.
Credit:
The information has been provided by Juha-Matti Laurio.
The vendor bug report can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=302100
Vulnerable Systems:
* Netscape Browser version 8.0.3.3
* Mozilla Firefox version 1.0.6
Immune Systems:
* Mozilla Firefox version 1.0.7
When handling a PAC file, Gecko-based browsers do not validate variables properly. PAC files that contain a NULL character will cause the browser to crash.
Patch:
Index: mozilla/js/src/jsobj.c
-==================================================================
RCS file: /cvsroot/mozilla/js/src/jsobj.c,v
retrieving revision 3.204
diff -u -r3.204 mozilla/js/src/jsobj.c
--- mozilla/js/src/jsobj.c
+++ mozilla/js/src/jsobj.c
@@ -1128,7 +1128,8 @@
rt = cx->runtime;
if (rt->findObjectPrincipals) {
scopePrincipals = rt->findObjectPrincipals(cx, scopeobj);
- if (!principals->subsume(principals, scopePrincipals)) {
+ if (scopePrincipals &&
+ !principals->subsume(principals, scopePrincipals)) {
JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
JSMSG_BAD_INDIRECT_CALL, js_eval_str);
return JS_FALSE;
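Review bot: The added `scopePrincipals &&` test in the `if` makes a NULL return from `rt->findObjectPrincipals(cx, scopeobj)` skip the `subsume` comparison and carry on as if the check had passed, so the crash is fixed by failing open. Please add a comment here saying why a scope object with no principals is safe to let through, or report JSMSG_BAD_INDIRECT_CALL and return JS_FALSE when `scopePrincipals` is NULL. The hunk also does not show `principals` being tested before `principals->subsume` is called; if it can be NULL on this path it needs the same guard.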
Index: mozilla/js/src/jsscript.c
-==================================================================
RCS file: /cvsroot/mozilla/js/src/jsscript.c,v
retrieving revision 3.78
diff -u -r3.78 mozilla/js/src/jsscript.c
--- mozilla/js/src/jsscript.c
+++ mozilla/js/src/jsscript.c
@@ -306,7 +306,8 @@
rt = cx->runtime;
if (rt->findObjectPrincipals) {
scopePrincipals = rt->findObjectPrincipals(cx, scopeobj);
- if (!principals->subsume(principals, scopePrincipals)) {
+ if (scopePrincipals &&
+ !principals->subsume(principals, scopePrincipals)) {
JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
JSMSG_BAD_INDIRECT_CALL,
"Script.prototype.exec");