[INFER] Check bounds in shell trap() function, bug 658805.
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 21 May 2011 22:37:54 -0700
changeset 75096 d37ec0c318d605cc6e86d6aaa72a91723f4e069a
parent 75095 9e085d869d9b2f1e5cc839cbd523465ec8298217
child 75097 7c4d5e4cd9cfe4c72b8cab4eed2b7c25e49b40f0
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs658805
milestone6.0a1
[INFER] Check bounds in shell trap() function, bug 658805.
js/src/jsdbgapi.cpp
js/src/shell/js.cpp
--- a/js/src/jsdbgapi.cpp
+++ b/js/src/jsdbgapi.cpp
@@ -335,16 +335,18 @@ js_UntrapScriptCode(JSContext *cx, JSScr
     DBG_UNLOCK(rt);
     return code;
 }
 
 JS_PUBLIC_API(JSBool)
 JS_SetTrap(JSContext *cx, JSScript *script, jsbytecode *pc,
            JSTrapHandler handler, jsval closure)
 {
+    JS_ASSERT(uint32(pc - script->code) < script->length);
+
     JSTrap *junk, *trap, *twin;
     JSRuntime *rt;
     uint32 sample;
 
     if (!CheckDebugMode(cx))
         return JS_FALSE;
 
     JS_ASSERT((JSOp) *pc != JSOP_TRAP);
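Review bot: The new `JS_ASSERT(uint32(pc - script->code) < script->length)` at the top of JS_SetTrap only guards debug builds; in a release build the assertion is compiled out, so an out-of-range pc from a public-API caller still reaches the `*pc` dereference a few lines later. Since JS_SetTrap is a JS_PUBLIC_API entry point, a runtime check that fails the call would be safer than an assertion alone, e.g. `if (uint32(pc - script->code) >= script->length) return JS_FALSE;` placed after the `CheckDebugMode` check so the locking and error paths stay consistent. The cast of the `ptrdiff_t` difference to `uint32` does fold a negative offset into a large value, so the single comparison covers both directions, which is worth a one-line comment such as `// negative offsets wrap to large values and are rejected too`. JS_SetTrap's body continues past the end of the hunk.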
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -1898,16 +1898,20 @@ Trap(JSContext *cx, uintN argc, jsval *v
     }
     argc--;
     str = JS_ValueToString(cx, argv[argc]);
     if (!str)
         return JS_FALSE;
     argv[argc] = STRING_TO_JSVAL(str);
     if (!GetTrapArgs(cx, argc, argv, &script, &i))
         return JS_FALSE;
+    if (uint32(i) >= script->length) {
+        JS_ReportErrorNumber(cx, my_GetErrorMessage, NULL, JSSMSG_TRAP_USAGE);
+        return JS_FALSE;
+    }
     JS_SET_RVAL(cx, vp, JSVAL_VOID);
     return JS_SetTrap(cx, script, script->code + i, TrapHandler, STRING_TO_JSVAL(str));
 }
 
 static JSBool
 Untrap(JSContext *cx, uintN argc, jsval *vp)
 {
     JSScript *script;
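Review bot: The new range check `if (uint32(i) >= script->length)` keeps `script->code + i` inside the bytecode array, but nothing here verifies that the offset lands on an instruction boundary, so a caller can still pass an offset into the middle of an operand. Whether JS_SetTrap tolerates a mid-instruction pc cannot be seen from this hunk; its own new check is a JS_ASSERT and so is absent in release builds, which makes this shell-side test the only runtime guard on that path — a comment recording that would help, e.g. `// Only runtime bounds check on this path; JS_SetTrap only asserts in debug builds.` Reporting JSSMSG_TRAP_USAGE for an out-of-range offset is reasonable but conflates it with an argument-count error; a dedicated message would make the failure easier to diagnose. The enclosing Trap function starts before the hunk.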