[SERVER-20319] Crash on manipulating MinKey and MaxKey's singleton
| Created: 08/Sep/15 | Updated: 07/Oct/15 | Resolved: 18/Sep/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | JavaScript |
| Affects Version/s: | 3.1.7 |
| Fix Version/s: | 3.1.9 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Mira Carey |
| Resolution: | Done | Votes: | 0 |
| Labels: | spidermonkey |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Run
|
|
| Sprint: | Platform 9 (09/18/15) | |
| Participants: |
| Description |
|
It appears that the use of JS::RootedValue::toObjectOrNull can have unpredictable results when the value in question is not an object. MinKeyInfo::call and MaxKeyInfo::call use this function on a value in the prototype without checking the types. If the user has altered the value on the prototype, the system may fail with a stacktrace. |
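An added illustration of the pattern described above, not code from the MongoDB source or from SpiderMonkey: a self-contained C++ model in which a tagged value held in a script-writable prototype slot is verified before it is used as an object. `Value`, `Prototype`, `callChecked`, `uncheckedIsBogus` and the class-name check are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical model of a tagged engine value; none of these names are SpiderMonkey's.
enum class Tag { Undefined, Int32, Object };
struct Object { std::string className; };

struct Value {
    Tag tag;
    std::uintptr_t bits;
    static Value fromInt(std::uint32_t i) { return Value{Tag::Int32, i}; }
    static Value fromObject(Object* o) {
        return Value{Tag::Object, reinterpret_cast<std::uintptr_t>(o)};
    }
    bool isObject() const { return tag == Tag::Object && bits != 0; }
    // Unchecked accessor: reinterprets the payload as a pointer whatever the tag says.
    Object* toObjectUnchecked() const { return reinterpret_cast<Object*>(bits); }
};

// The prototype slot holding the singleton; script code can overwrite it.
struct Prototype { Value singleton; };

// True when the unchecked accessor would hand back a pointer made from non-object bits.
bool uncheckedIsBogus(const Prototype& p) {
    return !p.singleton.isObject() && p.singleton.toObjectUnchecked() != nullptr;
}

// Checked call path: confirm the tag, then the class, before using the pointer.
// Returns the singleton, or nullptr to signal "report a type error to the caller".
Object* callChecked(const Prototype& p, const std::string& expectedClass) {
    if (!p.singleton.isObject()) return nullptr;
    Object* obj = p.singleton.toObjectUnchecked();
    return obj->className == expectedClass ? obj : nullptr;
}

int main() {
    Object minKey{"MinKey"}, other{"Date"};            // constructed sample objects
    Prototype intact{Value::fromObject(&minKey)};
    Prototype overwritten{Value::fromInt(42)};         // slot replaced with a number
    Prototype wrongClass{Value::fromObject(&other)};   // slot replaced with another object
    std::printf("intact ok: %d\n", callChecked(intact, "MinKey") == &minKey);
    std::printf("overwritten rejected: %d, unchecked bogus: %d\n",
                callChecked(overwritten, "MinKey") == nullptr, uncheckedIsBogus(overwritten));
    std::printf("wrong class rejected: %d\n", callChecked(wrongClass, "MinKey") == nullptr);
    return 0;
}
```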
| Comments |
| Comment by Githook User [ 18/Sep/15 ] |
|
Author: Jason Carey (hanumantmk) <jcarey@argv.me>
Message: Verify that the type of the Min/MaxKey singleton is actually a |