Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.1.9
Affects Version/s: 3.1.7
Component/s: JavaScript
Labels:
- spidermonkey

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:
Hide

Run

db.eval("MinKey().__proto__.singleton = 1000; MinKey()")
Show
Run db.eval("MinKey().__proto__.singleton = 1000; MinKey()")
Sprint:
Platform 9 (09/18/15)
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

It appears that the use of JS::RootedValue::toObjectOrNull can have unpredictable results when the value in question is not an object. MinKeyInfo::call and MaxKeyInfo::call use this function on a value in the prototype without checking the types. If the user has altered the value on the prototype, the system may fail with a stacktrace.

Assignee:: Mira Carey
Reporter:: Spencer Jackson
Participants:: Githook User, Mira Carey, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: Sep 08 2015 09:23:57 PM UTC
Updated:: Oct 07 2015 09:35:58 PM UTC
Resolved:: Sep 18 2015 02:55:18 PM UTC
Confidence Status Last Update:: 15/Sep/15 3:47 PM

Details

Description

Attachments

Forms

Activity

People

Dates