Bug 1596117: Fail early on bad atom table indices in XDR decoding r=tcampbell
author Iain Ireland <iireland@mozilla.com>
Thu, 14 Nov 2019 18:49:18 +0000
changeset 502046 f6825602e27a50f03c9c01aebdc8b6bb81bea6f0
parent 502045 11ce58dd19022bd0d8c7f4da372b6f1134623474
child 502047 0a08184c5efec65571ba403e03bc9b983a436caf
push id 114172
push user dluca@mozilla.com
push date Tue, 19 Nov 2019 11:31:10 +0000
treeherder mozilla-inbound@b5c5ba07d3db
reviewers tcampbell
bugs 1596117
milestone 72.0a1
Bug 1596117: Fail early on bad atom table indices in XDR decoding r=tcampbell

Before we read an atom from the atom table, verify that the index is valid.

Differential Revision: https://phabricator.services.mozilla.com/D53060
js/src/vm/JSAtom.cpp
--- a/js/src/vm/JSAtom.cpp
+++ b/js/src/vm/JSAtom.cpp
@@ -1254,22 +1254,21 @@ XDRResult js::XDRAtom(XDRState<mode>* xd
     MOZ_TRY(XDRAtomIndex(xdr, &atomIndex));
     return Ok();
   }
 
   MOZ_ASSERT(mode == XDR_DECODE && xdr->hasAtomTable());
 
   uint32_t atomIndex;
   MOZ_TRY(XDRAtomIndex(xdr, &atomIndex));
+  if (atomIndex >= xdr->atomTable().length()) {
+    return xdr->fail(JS::TranscodeResult_Failure_BadDecode);
+  }
   JSAtom* atom = xdr->atomTable()[atomIndex];
 
-  if (!atom) {
-    return xdr->fail(JS::TranscodeResult_Throw);
-  }
-
   atomp.set(atom);
   return Ok();
 }
 
 template XDRResult js::XDRAtom(XDRState<XDR_DECODE>* xdr,
                                MutableHandleAtom atomp);
 
 template XDRResult js::XDRAtom(XDRState<XDR_ENCODE>* xdr,
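
Review bot: Removing the `if (!atom)` check after `JSAtom* atom = xdr->atomTable()[atomIndex];` means an in-range slot that holds a null pointer now flows straight into `atomp.set(atom)`. The new `atomIndex >= xdr->atomTable().length()` test only covers out-of-range indices, so if the table is guaranteed to contain no null entries once decoding reaches this point, please state that invariant in a comment and keep a `MOZ_ASSERT(atom)` to document it; if it is not guaranteed, the null check should stay alongside the bounds check. Note also that the failure path changes from `JS::TranscodeResult_Throw` to `JS::TranscodeResult_Failure_BadDecode`, which callers that distinguish the two will observe differently, and that the patch carries no test decoding a buffer with an out-of-range atom index.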