Closed
Bug 1135135
Opened 9 years ago
Closed 9 years ago
crash in OOM | large | NS_ABORT_OOM(unsigned long) | nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity(unsigned long, unsigned long) | ...
Categories: Toolkit :: Safe Browsing, defect
Status: RESOLVED DUPLICATE of bug 1134858
People: Reporter: keeler, Unassigned
Keywords: crash
Crash Data
This bug was filed from the Socorro interface and is report bp-fd819af6-954f-432f-bd1a-ade3b2150219.
=============================================================

Yesterday I started experiencing extremely reliable crashes with my regular profile that I couldn't reproduce on a clean profile. Looking at the crash reports, here's the relevant stack:

0 NS_ABORT_OOM(unsigned long) xpcom/base/nsDebugImpl.cpp
1 nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity(unsigned long, unsigned long) xpcom/glue/nsTArray.h
2 nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity(unsigned long, unsigned long) xpcom/glue/nsTArray-inl.h
3 mozilla::safebrowsing::ChunkSet::Set(unsigned int) xpcom/glue/nsTArray.h
4 mozilla::safebrowsing::ProtocolParser::ProcessExpirations(nsCString const&) toolkit/components/url-classifier/HashStore.h
5 mozilla::safebrowsing::ProtocolParser::ProcessControl(bool*) toolkit/components/url-classifier/ProtocolParser.cpp
6 mozilla::safebrowsing::ProtocolParser::AppendStream(nsACString_internal const&) toolkit/components/url-classifier/ProtocolParser.cpp

At a glance, it looks like we're parsing some integer values from external input that we then try to use to set the length of an nsTArray. If that value is very large, we'll obviously fail to allocate the memory and crash.

More details at https://crash-stats.mozilla.com/report/index/fd819af6-954f-432f-bd1a-ade3b2150219
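An added example (not Mozilla's code and not the fix from bug 1134858) of the defensive pattern the description points at: integers parsed from external input are range-checked and capped before they drive a container's growth, and bad input is rejected instead of aborting. The comma-separated range syntax, `kMaxChunks`, `ParseU32` and `ParseChunkList` are assumptions made for illustration.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical cap on how many chunk numbers one update may name.
static const size_t kMaxChunks = 100000;

// Parse one unsigned 32-bit decimal number at s[pos]; advance pos past it.
static bool ParseU32(const std::string& s, size_t& pos, uint32_t& out) {
  if (pos >= s.size() || s[pos] < '0' || s[pos] > '9') return false;
  errno = 0;
  char* end = nullptr;
  unsigned long long v = std::strtoull(s.c_str() + pos, &end, 10);
  if (errno == ERANGE || v > UINT32_MAX) return false;
  pos = static_cast<size_t>(end - s.c_str());
  out = static_cast<uint32_t>(v);
  return true;
}

// Expand a list such as "1-5,7" (constructed syntax) into chunk numbers.
// Returns false, leaving `chunks` empty, on malformed or oversized input,
// so the caller can reject the update instead of aborting on allocation.
bool ParseChunkList(const std::string& list, std::vector<uint32_t>& chunks) {
  chunks.clear();
  size_t pos = 0;
  while (pos < list.size()) {
    uint32_t first = 0, last = 0;
    if (!ParseU32(list, pos, first)) { chunks.clear(); return false; }
    last = first;
    if (pos < list.size() && list[pos] == '-') {
      ++pos;
      if (!ParseU32(list, pos, last) || last < first) { chunks.clear(); return false; }
    }
    // Check the range width in 64 bits before growing the container.
    uint64_t width = static_cast<uint64_t>(last) - first + 1;
    if (width > kMaxChunks - chunks.size()) { chunks.clear(); return false; }
    for (uint64_t c = first; c <= last; ++c) chunks.push_back(static_cast<uint32_t>(c));
    if (pos < list.size()) {
      if (list[pos] != ',') { chunks.clear(); return false; }
      ++pos;
      if (pos == list.size()) { chunks.clear(); return false; }  // trailing comma
    }
  }
  return !chunks.empty();
}
```

The cap is checked against the running total, so many small ranges cannot add up past the limit any more than one huge range can.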