1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/js/src/tests/js1_5/extensions/regress-390597.js Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,42 @@
1.4 +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
1.5 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.6 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.7 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.8 +
1.9 +//-----------------------------------------------------------------------------
1.10 +var BUGNUMBER = 390597;
1.11 +var summary = 'watch point + eval-as-setter allows access to dead JSStackFrame';
1.12 +var actual = 'No Crash';
1.13 +var expect = 'No Crash';
1.14 +
1.15 +
1.16 +//-----------------------------------------------------------------------------
1.17 +test();
1.18 +//-----------------------------------------------------------------------------
1.19 +
1.20 +function test()
1.21 +{
1.22 + enterFunc ('test');
1.23 + printBugNumber(BUGNUMBER);
1.24 + printStatus (summary);
1.25 +
1.26 + function exploit() {
1.27 + try
1.28 + {
1.29 + var obj = this, args = null;
1.30 + obj.__defineSetter__("evil", eval);
1.31 + obj.watch("evil", function() { return "args = arguments;"; });
1.32 + obj.evil = null;
1.33 + eval("print(args[0]);");
1.34 + }
1.35 + catch(ex)
1.36 + {
1.37 + print('Caught ' + ex);
1.38 + }
1.39 + }
1.40 + exploit();
1.41 +
1.42 + reportCompare(expect, actual, summary);
1.43 +
1.44 + exitFunc ('test');
1.45 +}
