Bug 1479429 - Add a range check for the argument to Debugger.Script.prototype.get{Predecessor,Successor}Offsets. r=bhackett
authorJason Orendorff <jorendorff@mozilla.com>
Thu, 09 Aug 2018 15:29:37 -0500
changeset 488015 d7298a19ae439cd34380166828584051c40a3cb3
parent 488014 366a2aa802b5a7bd06328a7162f10292cbde3411
child 488016 54934de382c5b557678a9c3b2b25e7268b6fbeea
push id9719
push userffxbld-merge
push dateFri, 24 Aug 2018 17:49:46 +0000
reviewersbhackett
bugs1479429
milestone63.0a1
Bug 1479429 - Add a range check for the argument to Debugger.Script.prototype.get{Predecessor,Successor}Offsets. r=bhackett
js/src/jit-test/tests/debug/bug1479429.js
js/src/vm/Debugger.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1479429.js
@@ -0,0 +1,15 @@
+// Bug 1479429 - Methods throw on out-of-range bytecode offsets.
+
+load(libdir + "asserts.js");
+
+var g = newGlobal();
+var dbg = Debugger(g);
+dbg.onDebuggerStatement = function(frame) {
+    assertThrowsInstanceOf(
+        () => frame.script.getPredecessorOffsets(0x400000),
+        TypeError);
+    assertThrowsInstanceOf(
+        () => frame.script.getSuccessorOffsets(-1),
+        TypeError);
+}
+g.eval("debugger;");
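Review bot: The test pins only the rejecting side of the new check; nothing asserts that an in-range offset still succeeds, so a regression that makes EnsureScriptOffsetIsValid reject valid offsets would pass this test. Inside the onDebuggerStatement handler, after the two assertThrowsInstanceOf calls, add a positive case such as `assertEq(Array.isArray(frame.script.getSuccessorOffsets(frame.offset)), true);` so the current frame's own offset is exercised. The header comment could also name what is covered: `// Bug 1479429 - getPredecessorOffsets/getSuccessorOffsets throw a TypeError on out-of-range bytecode offsets.`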
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -6099,18 +6099,23 @@ class DebuggerScriptGetSuccessorOrPredec
     bool successor_;
     MutableHandleObject result_;
 
   public:
     DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher(JSContext* cx, size_t offset,
                                                           bool successor,
                                                           MutableHandleObject result)
       : cx_(cx), offset_(offset), successor_(successor), result_(result) { }
+
     using ReturnType = bool;
+
     ReturnType match(HandleScript script) {
+        if (!EnsureScriptOffsetIsValid(cx_, script, offset_))
+            return false;
+
         PcVector adjacent;
         if (successor_) {
             if (!GetSuccessorBytecodes(script->code() + offset_, adjacent)) {
                 ReportOutOfMemory(cx_);
                 return false;
             }
         } else {
             if (!GetPredecessorBytecodes(script, script->code() + offset_, adjacent)) {
@@ -6124,22 +6129,24 @@ class DebuggerScriptGetSuccessorOrPredec
             return false;
 
         for (jsbytecode* pc : adjacent) {
             if (!NewbornArrayPush(cx_, result_, NumberValue(pc - script->code())))
                 return false;
         }
         return true;
     }
+
     ReturnType match(Handle<LazyScript*> lazyScript) {
         RootedScript script(cx_, DelazifyScript(cx_, lazyScript));
         if (!script)
             return false;
         return match(script);
     }
+
     ReturnType match(Handle<WasmInstanceObject*> instance) {
         JS_ReportErrorASCII(cx_, "getSuccessorOrPredecessorOffsets NYI on wasm instances");
         return false;
     }
 };
 
 static bool
 DebuggerScript_getSuccessorOrPredecessorOffsets(JSContext* cx, unsigned argc, Value* vp,