Bug 1479429 - Add a range check for the argument to Debugger.Script.prototype.get{Predecessor,Successor}Offsets. r=bhackett
authorJason Orendorff <jorendorff@mozilla.com>
Thu, 09 Aug 2018 15:29:37 -0500
changeset 481198 d7298a19ae439cd34380166828584051c40a3cb3
parent 481197 366a2aa802b5a7bd06328a7162f10292cbde3411
child 481199 54934de382c5b557678a9c3b2b25e7268b6fbeea
push id232
push userfmarier@mozilla.com
push dateWed, 05 Sep 2018 20:45:54 +0000
reviewersbhackett
bugs1479429
milestone63.0a1
Bug 1479429 - Add a range check for the argument to Debugger.Script.prototype.get{Predecessor,Successor}Offsets. r=bhackett
js/src/jit-test/tests/debug/bug1479429.js
js/src/vm/Debugger.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1479429.js
@@ -0,0 +1,15 @@
+// Bug 1479429 - Methods throw on out-of-range bytecode offsets.
+
+load(libdir + "asserts.js");
+
+var g = newGlobal();
+var dbg = Debugger(g);
+dbg.onDebuggerStatement = function(frame) {
+    assertThrowsInstanceOf(
+        () => frame.script.getPredecessorOffsets(0x400000),
+        TypeError);
+    assertThrowsInstanceOf(
+        () => frame.script.getSuccessorOffsets(-1),
+        TypeError);
+}
+g.eval("debugger;");
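Review bot: The test only pins two far-out inputs (0x400000 and -1), so it would still pass if the new check rejected every offset; there is no positive case showing an in-range offset still succeeds, and no boundary case at the script's code length. Suggest adding `frame.script.getSuccessorOffsets(0);` before the throwing assertions (offset 0 is the first opcode, so presumably always valid) and, if the script length is obtainable from the Debugger.Script API, a case one past the last valid offset. The -1 input may also be rejected during argument conversion before the new range check runs, so the large positive value is likely the only case exercising the guard itself.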
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -6099,18 +6099,23 @@ class DebuggerScriptGetSuccessorOrPredec
     bool successor_;
     MutableHandleObject result_;
 
   public:
     DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher(JSContext* cx, size_t offset,
                                                           bool successor,
                                                           MutableHandleObject result)
       : cx_(cx), offset_(offset), successor_(successor), result_(result) { }
+
     using ReturnType = bool;
+
     ReturnType match(HandleScript script) {
+        if (!EnsureScriptOffsetIsValid(cx_, script, offset_))
+            return false;
+
         PcVector adjacent;
         if (successor_) {
             if (!GetSuccessorBytecodes(script->code() + offset_, adjacent)) {
                 ReportOutOfMemory(cx_);
                 return false;
             }
         } else {
             if (!GetPredecessorBytecodes(script, script->code() + offset_, adjacent)) {
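Review bot: The new guard at the top of match(HandleScript) has no comment saying why it must precede everything else, and the reason is not obvious from the line itself: the statements right after it form `script->code() + offset_` and hand that pointer to GetSuccessorBytecodes/GetPredecessorBytecodes, so rejecting the offset here is what keeps that pointer arithmetic inside the bytecode (assuming EnsureScriptOffsetIsValid rejects offsets at or beyond the code length; its definition is not in the diff). Suggest `// Reject bad offsets before forming script->code() + offset_ below; an unchecked offset would yield a pointer outside the script's bytecode.` above the call. The enclosing class begins above the hunk and match(HandleScript) continues past it.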
@@ -6124,22 +6129,24 @@ class DebuggerScriptGetSuccessorOrPredec
             return false;
 
         for (jsbytecode* pc : adjacent) {
             if (!NewbornArrayPush(cx_, result_, NumberValue(pc - script->code())))
                 return false;
         }
         return true;
     }
+
     ReturnType match(Handle<LazyScript*> lazyScript) {
         RootedScript script(cx_, DelazifyScript(cx_, lazyScript));
         if (!script)
             return false;
         return match(script);
     }
+
     ReturnType match(Handle<WasmInstanceObject*> instance) {
         JS_ReportErrorASCII(cx_, "getSuccessorOrPredecessorOffsets NYI on wasm instances");
         return false;
     }
 };
 
 static bool
 DebuggerScript_getSuccessorOrPredecessorOffsets(JSContext* cx, unsigned argc, Value* vp,