Iterator Freezes Firefox completely

RESOLVED DUPLICATE of bug 1098412

Status

4 years ago
9 months ago

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned)

Tracking

35 Branch
x86_64
Windows 8.1
csectype-dos

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

159 bytes, text/html
(Reporter)

Description

4 years ago
Created attachment 8553285 [details]
repro.html

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150108202552

Steps to reproduce:

Repro:

<script>
  var oIterator = window.open("about:blank").Iterator;
  oIterator.prototype.next = function () { return ""; }
  for(s in oIterator(1));
</script>

Marking as security out of caution because the below two issues may be related, one of which is a security issue. I don't know enough about the code to make sure it's not.

https://bugzilla.mozilla.org/show_bug.cgi?id=354750
https://bugzilla.mozilla.org/show_bug.cgi?id=354499


Actual results:

100% CPU usage, no "Page(s) unresponsive" dialog, Firefox completely unresponsive.


Expected results:

Not sure - but at the very least a "Page(s) unresponsive" dialog should pop up at some point.

Updated

4 years ago
Component: Untriaged → Untriaged
Product: Firefox → Core
We're triaging and trying to assess or rate. Is this a simple DoS? What happens if you target a window that is chrome privileged? Can you override the Iterator there?
Component: Untriaged → JavaScript Engine
This seems like a simple DoS to me; it should be popping up the slow script dialog, I'd think.

> What happens if you target a window that is chrome privileged?

Then you can't get its .Iterator.
(Reporter)

Comment 3

4 years ago
(In reply to Boris Zbarsky [:bz] from comment #2)
> This seems like a simple DoS to me; it should be popping up the slow script
> dialog, I'd think.
You'd think, but there is no such dialog :(
Right, the lack of the dialog is the reason this is still open.  ;)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: core-security
Keywords: csectype-dos
Iterator was removed as part of bug 1098412.
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1098412