Closed
Bug 1184014
Opened 9 years ago
Closed 8 years ago
Crash with large URI: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Categories
(Core :: Networking, defect)
RESOLVED DUPLICATE of bug 1262359
People
(Reporter: vincent.marnier, Unassigned)
Details
(4 keywords, Whiteboard: [necko-would-take])
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150610004004
Steps to reproduce:
1/ Generate a very very large file using MIME encoding
2/ Make the user download it
3/ Crash 100% of the time
Actual results:
Crashed the browser
Expected results:
Download the very very large file OR display an error message saying that the file is way too large
Reporter
Comment 1•9 years ago
(In reply to Vincent Marnier from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
> Build ID: 20150610004004
>
> Steps to reproduce:
>
> 1/ Generate a very very large file using MIME encoding
> 2/ Make the user download it
> 3/ Crash 100% of the time
>
>
> Actual results:
>
> Crashed the browser
>
>
> Expected results:
>
> Download the very very large file OR display an error message saying that
> the file is way too large
Since I cannot attach my POC, I highly invite you to download it following this link: https://mega.nz/#!iB5iWJAL!_DNl9Safbc_BxWRsiJ6lZXJ15shoq3BoOsW2Dv4tOoY
Sorry for the double-post.
Best regards,
Vincent Marnier.
Comment 2•9 years ago
Can you provide a link to a crashreport? Also, can you expand on what you mean by "generate a very very large file" using MIME encoding? MIME does not "generate" anything...
Flags: needinfo?(vincent.marnier)
Reporter
Comment 3•9 years ago
Hello,
Sure, MIME does not generate anything, excuse my quite poor English.
What I do is:
1/ Generate a URI this way:
var uri = 'data:application/octet-stream,' + encodeURIComponent(y/*Very very large string*/);
2/ Generate a DOM element which is a link to the URI (<a href=uri>)
3/ Generate a click event on the link
4/ Crash.
I see no option in the bug tracker to generate a link, so I copied the report to pastebin, hope it helps: http://pastebin.com/YKEKiDF3
Best regards,
Vincent Marnier.
Comment 4•9 years ago
This is a safe OOM crash, so not sec-sensitive.
https://crash-stats.mozilla.com/report/index/577c6ce4-74bf-41aa-a74f-f7a742150715
Group: core-security
Severity: normal → critical
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Flags: needinfo?(vincent.marnier)
Keywords: crash, crashreportid
Product: Firefox → Core
Summary: Buffer overflow with MIME encoded URI → Crash with large URI: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Version: 40 Branch → 41 Branch
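The crash signature above shows an abort on allocation failure while nsDataHandler::ParseURI assigns a string copied from a very large data: URI. As an added example (not Mozilla's code and not the change made in bug 1262359), the following splitter checks the length before copying and reports allocation failure as an error the caller can show to the user; the names ParseDataUri, ParseResult, DataUri, kMaxDataUriLength and the 32 MiB cap are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <new>
#include <string>

// Hypothetical names and limit for illustration; not Gecko's API.
enum class ParseResult { Ok, Malformed, TooLarge, OutOfMemory };

struct DataUri {
  std::string contentType;  // media type with any parameters
  bool isBase64 = false;
  std::string data;         // payload, still percent- or base64-encoded
};

constexpr std::size_t kMaxDataUriLength = 32u * 1024 * 1024;  // assumed cap

ParseResult ParseDataUri(const std::string& spec, DataUri& out,
                         std::size_t maxLen = kMaxDataUriLength) {
  static const std::string kScheme = "data:", kB64 = ";base64";
  // Scheme match is case-sensitive here for brevity.
  if (spec.compare(0, kScheme.size(), kScheme) != 0) return ParseResult::Malformed;
  // Refuse oversized input before making any copy of it.
  if (spec.size() > maxLen) return ParseResult::TooLarge;
  const std::size_t comma = spec.find(',', kScheme.size());
  if (comma == std::string::npos) return ParseResult::Malformed;
  try {
    std::string header = spec.substr(kScheme.size(), comma - kScheme.size());
    out.isBase64 = header.size() >= kB64.size() &&
                   header.compare(header.size() - kB64.size(), kB64.size(), kB64) == 0;
    if (out.isBase64) header.erase(header.size() - kB64.size());
    // RFC 2397 default when the media type is omitted.
    out.contentType = header.empty() ? "text/plain;charset=US-ASCII" : header;
    out.data.assign(spec, comma + 1, std::string::npos);
  } catch (const std::bad_alloc&) {
    // Allocation failed: report it to the caller instead of aborting.
    return ParseResult::OutOfMemory;
  }
  return ParseResult::Ok;
}

int main() {
  DataUri uri;
  // Constructed sample input with a tiny limit to exercise the size check.
  const std::string big = "data:application/octet-stream," + std::string(4096, 'A');
  std::printf("oversized: %d\n", static_cast<int>(ParseDataUri(big, uri, 1024)));
  std::printf("small: %d\n", static_cast<int>(ParseDataUri("data:text/plain,hi", uri)));
  return 0;
}
```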
Updated•9 years ago
Component: Untriaged → Networking
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Whiteboard: sec-other
Updated•9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Keywords: csectype-oom
Whiteboard: sec-other
Updated•9 years ago
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ] → [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
[@ OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHand…
Updated•9 years ago
Whiteboard: [necko-would-take]
Comment 5•8 years ago
Crash volume for signature 'OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHandler::ParseURI':
- nightly (version 50): 0 crash from 2016-06-06.
- aurora (version 49): 0 crash from 2016-06-07.
- beta (version 48): 0 crash from 2016-06-06.
- release (version 47): 2822 crashes from 2016-05-31.
- esr (version 45): 739 crashes from 2016-04-07.
Crash volume on the last weeks:
            Week N-1  Week N-2  Week N-3  Week N-4  Week N-5  Week N-6  Week N-7
- nightly          0         0         0         0         0         0         0
- aurora           0         0         0         0         0         0         0
- beta             0         0         0         0         0         0         0
- release        419       457       438       420       419       377       122
- esr             91        66        82        66        86        80        76
Affected platforms: Windows, Mac OS X
status-firefox47: --- → affected
status-firefox-esr45: --- → affected
Comment 6•8 years ago
Bug 1262359 fixed this. In the past 7 days there have been zero crashes with this signature in versions 48 and later.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•5 months ago
Keywords: reporter-external