Closed Bug 1184014 Opened 9 years ago Closed 8 years ago

Crash with large URI: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]

Categories

(Core :: Networking, defect)

41 Branch
defect
Not set
critical


RESOLVED DUPLICATE of bug 1262359
Tracking Status
firefox47 --- affected
firefox-esr45 --- affected

People

(Reporter: vincent.marnier, Unassigned)

Details

(4 keywords, Whiteboard: [necko-would-take])

Crash Data

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150610004004

Steps to reproduce:

1/ Generate a very very large file using MIME encoding
2/ Make the user download it
3/ Crash 100% of the times

Actual results:

Crashed the browser

Expected results:

Download the very very large file OR display an error message saying that the file is way too large
(In reply to Vincent Marnier from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
> Build ID: 20150610004004
>
> Steps to reproduce:
>
> 1/ Generate a very very large file using MIME encoding
> 2/ Make the user download it
> 3/ Crash 100% of the times
>
> Actual results:
>
> Crashed the browser
>
> Expected results:
>
> Download the very very large file OR display an error message saying that
> the file is way too large

Since I cannot attach my POC, I highly invite you to download it following this link: https://mega.nz/#!iB5iWJAL!_DNl9Safbc_BxWRsiJ6lZXJ15shoq3BoOsW2Dv4tOoY

Sorry for the double-post.

Best regards,
Vincent Marnier.
Can you provide a link to a crashreport? Also, can you expand on what you mean by "generate a very very large file" using MIME encoding? MIME does not "generate" anything...
Flags: needinfo?(vincent.marnier)
Hello,

Sure, MIME does not generate anything, excuse my quite poor English. What I do is:

1/ Generate a URI this way:
var uri = 'data:application/octet-stream,' + encodeURIComponent(y/*Very very large string*/);
2/ Generate a DOM element which is a link to the URI (<a href=uri>)
3/ Generate a click event on the link
4/ Crash.

I see no option when in the bug tracker to generate a link, so I copied the report in pastebin, hope it helps: http://pastebin.com/YKEKiDF3

Best regards,
Vincent Marnier.
Group: core-security
Severity: normal → critical
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Flags: needinfo?(vincent.marnier)
Keywords: crash, crashreportid
Product: Firefox → Core
Summary: Buffer overflow with MIME encoded URI → Crash with large URI: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Version: 40 Branch → 41 Branch
Component: Untriaged → Networking
Flags: sec-bounty?
Whiteboard: sec-other
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Keywords: csectype-oom
Whiteboard: sec-other
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ] → [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ] [@ OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHand…
Whiteboard: [necko-would-take]
Crash volume for signature 'OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHandler::ParseURI':
- nightly (version 50): 0 crash from 2016-06-06.
- aurora (version 49): 0 crash from 2016-06-07.
- beta (version 48): 0 crash from 2016-06-06.
- release (version 47): 2822 crashes from 2016-05-31.
- esr (version 45): 739 crashes from 2016-04-07.

Crash volume on the last weeks:
            Week N-1  Week N-2  Week N-3  Week N-4  Week N-5  Week N-6  Week N-7
- nightly          0         0         0         0         0         0         0
- aurora           0         0         0         0         0         0         0
- beta             0         0         0         0         0         0         0
- release        419       457       438       420       419       377       122
- esr             91        66        82        66        86        80        76

Affected platforms: Windows, Mac OS X
Bug 1262359 fixed this. In the past 7 days there have been zero crashes with this signature in versions 48 and later.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
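
The crash signature in this bug is an abort-on-OOM string assignment inside data: URI parsing, while the reporter's expected result was an error message for input that is too large. The following is an added example, not Mozilla's code and not the fix from bug 1262359: it splits a data: URI with a size cap and a fallible allocation so that oversized input comes back as an error code. The names `parse_data_uri`, `DataUri`, `DataUriStatus` and the `max_payload` parameter are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <new>
#include <string_view>

// Hypothetical names throughout; this is not Gecko's nsDataHandler API.
enum class DataUriStatus { Ok, NotDataUri, Malformed, TooLarge, OutOfMemory };

struct DataUri {
    std::string_view media_type;      // view into the caller's buffer, no copy
    bool is_base64 = false;
    std::unique_ptr<char[]> payload;  // owned copy of the data part, NUL-terminated
    std::size_t payload_len = 0;
};

// Split "data:[<mediatype>][;base64],<data>" (case-sensitive match, no decoding).
// The payload is copied only after the size check and with a fallible
// allocation, so a huge URI is reported to the caller as an error and never
// reaches an abort-on-OOM path.
DataUriStatus parse_data_uri(std::string_view uri, std::size_t max_payload,
                             DataUri& out) {
    constexpr std::string_view scheme = "data:";
    if (uri.substr(0, scheme.size()) != scheme) return DataUriStatus::NotDataUri;
    uri.remove_prefix(scheme.size());

    const std::size_t comma = uri.find(',');
    if (comma == std::string_view::npos) return DataUriStatus::Malformed;
    std::string_view header = uri.substr(0, comma);
    const std::string_view data = uri.substr(comma + 1);

    constexpr std::string_view b64 = ";base64";
    out.is_base64 = header.size() >= b64.size() &&
                    header.substr(header.size() - b64.size()) == b64;
    if (out.is_base64) header.remove_suffix(b64.size());
    out.media_type = header;

    // Enforce the cap before touching the allocator.
    if (data.size() > max_payload) return DataUriStatus::TooLarge;

    // new (std::nothrow) returns nullptr on failure instead of throwing.
    out.payload.reset(new (std::nothrow) char[data.size() + 1]);
    if (!out.payload) return DataUriStatus::OutOfMemory;
    std::memcpy(out.payload.get(), data.data(), data.size());
    out.payload[data.size()] = '\0';
    out.payload_len = data.size();
    return DataUriStatus::Ok;
}
```

The cap is checked first because, on systems that overcommit memory, a fallible allocation can appear to succeed and only fail later when the pages are written.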