Closed Bug 1124835 Opened 6 years ago Closed 3 years ago

Iterator Freezes Firefox completely

Categories

(Core :: JavaScript Engine, defect)

35 Branch
x86_64
Windows 8.1
defect
Not set
normal

RESOLVED DUPLICATE of bug 1098412

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned)

Details

(Keywords: csectype-dos)

Attachments

(1 file: repro.html, 159 bytes, text/html)

Attached file repro.html
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150108202552

Steps to reproduce:

Repro:

<script>
  // Legacy SpiderMonkey Iterator constructor taken from a freshly opened about:blank window
  var oIterator = window.open("about:blank").Iterator;
  // next() always returns a string and never throws StopIteration, so the sequence never ends
  oIterator.prototype.next = function () { return ""; };
  // for-in over the Iterator therefore spins forever, and no slow-script dialog appears
  for (var s in oIterator(1));
</script>

Marking as security out of caution because the below two issues may be related, one of which is a security issue. I don't know enough about the code to make sure it's not.

https://bugzilla.mozilla.org/show_bug.cgi?id=354750
https://bugzilla.mozilla.org/show_bug.cgi?id=354499


Actual results:

100% CPU usage, no "Page(s) unresponsive" dialog, Firefox completely unresponsive.


Expected results:

Not sure - but at the very least a "Page(s) unresponsive" dialog should pop up at some point.
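
The repro above relies on a next() that never signals the end of the sequence. As an added example, not part of this bug report, the block below shows how the same misuse behaves under the ES2015 iterator protocol that replaced the legacy Iterator removed in bug 1098412: for-of rejects a next() result that is not an object with a TypeError instead of spinning, and a consumer of untrusted iterables can cap its step count so that a protocol-conforming but endless iterator cannot hang it either. The function names (makeBrokenIterable, makeEndlessIterable, consumeWithForOf, consumeBounded) and the sample inputs are constructed for this illustration.

```javascript
// Added example, not code from the bug report: the ES2015 iterator protocol
// versus a next() that returns a primitive, and a step-bounded consumer.

// Mirrors the repro: an iterator whose next() always returns "" (a primitive).
// The legacy protocol ended only when next() threw StopIteration, so this
// never terminated; the ES2015 protocol requires next() to return an object.
function makeBrokenIterable() {
  return {
    [Symbol.iterator]() {
      return { next() { return ''; } };
    },
  };
}

// A protocol-conforming iterator that simply never reports done: true.
function makeEndlessIterable() {
  let n = 0;
  return {
    [Symbol.iterator]() {
      return { next() { return { value: n++, done: false }; } };
    },
  };
}

// for-of validates every next() result; a non-object result throws TypeError
// synchronously, so the broken iterator fails fast instead of looping forever.
function consumeWithForOf(iterable) {
  const seen = [];
  try {
    for (const v of iterable) seen.push(v);
    return { ok: true, seen, error: null };
  } catch (e) {
    return { ok: false, seen, error: e.constructor.name };
  }
}

// Defensive consumer for iterables you do not control: enforces a hard step
// budget, validates each result object, and calls return() when it gives up.
function consumeBounded(iterable, maxSteps) {
  const it = iterable[Symbol.iterator]();
  const out = [];
  for (let i = 0; i < maxSteps; i++) {
    const r = it.next();
    if (r === null || (typeof r !== 'object' && typeof r !== 'function')) {
      throw new TypeError('iterator result is not an object');
    }
    if (r.done) return { out, exhausted: true };
    out.push(r.value);
  }
  if (typeof it.return === 'function') it.return();
  return { out, exhausted: false };
}

// Constructed demonstration inputs.
console.log(consumeWithForOf(makeBrokenIterable()));   // ok: false, error: 'TypeError'
console.log(consumeBounded(makeEndlessIterable(), 5)); // out: [0..4], exhausted: false
console.log(consumeBounded([1, 2, 3], 100));           // out: [1, 2, 3], exhausted: true
```

The TypeError from for-of is the protocol's own check (IteratorNext requires an object result); the step budget in consumeBounded is the extra guard a caller needs for the endless-but-valid case, which the protocol cannot detect.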
Product: Firefox → Core
We're triaging and trying to assess or rate. Is this a simple DoS? What happens if you target a window that is chrome privileged? Can you override the Iterator there?
Component: Untriaged → JavaScript Engine
This seems like a simple DoS to me; it should be popping up the slow script dialog, I'd think.

> What happens if you target a window that is chrome privileged?

Then you can't get its .Iterator.
(In reply to Boris Zbarsky [:bz] from comment #2)
> This seems like a simple DoS to me; it should be popping up the slow script
> dialog, I'd think.
You'd think, but there is no such dialog :(
Right, the lack of the dialog is the reason this is still open.  ;)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: core-security
Keywords: csectype-dos
Iterator was removed as part of bug 1098412.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1098412