Crash with large URI: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]

RESOLVED DUPLICATE of bug 1262359

Severity: critical

People: Reporter: vincent.marnier; Assignee: Unassigned

Version: 41 Branch
Keywords: crash, crashreportid, csectype-oom
Points: ---
Bug Flags: sec-bounty-
Firefox Tracking Flags: firefox47 affected, firefox-esr45 affected
Whiteboard: [necko-would-take]

Description (Reporter, 4 years ago)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150610004004

Steps to reproduce:

1/ Generate a very very large file using MIME encoding
2/ Make the user download it
3/ Crash 100% of the time


Actual results:

Crashed the browser


Expected results:

Download the very very large file OR display an error message saying that the file is way too large

Comment 1 (Reporter, 4 years ago)
(In reply to Vincent Marnier from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
> Build ID: 20150610004004
> 
> Steps to reproduce:
> 
> 1/ Generate a very very large file using MIME encoding
> 2/ Make the user download it
> 3/ Crash 100% of the time
> 
> 
> Actual results:
> 
> Crashed the browser
> 
> 
> Expected results:
> 
> Download the very very large file OR display an error message saying that
> the file is way too large

Since I cannot attach my POC, I highly invite you to download it by following this link: https://mega.nz/#!iB5iWJAL!_DNl9Safbc_BxWRsiJ6lZXJ15shoq3BoOsW2Dv4tOoY

Sorry for the double-post.

Best regards,
Vincent Marnier.

Comment 2 (4 years ago)
Can you provide a link to a crashreport? Also, can you expand on what you mean by "generate a very very large file" using MIME encoding? MIME does not "generate" anything...
Flags: needinfo?(vincent.marnier)

Comment 3 (Reporter, 4 years ago)
Hello,

Sure, MIME does not generate anything; excuse my quite poor English.

What I do is:
1/ Generate a URI this way:
var uri = 'data:application/octet-stream,' + encodeURIComponent(y/*Very very large string*/);
2/ Generate a DOM element which is a link to the URI (<a href=uri>)
3/ Generate a click event on the link
4/ Crash.

I see no option in the bug tracker to generate a link, so I copied the report to pastebin; I hope it helps: http://pastebin.com/YKEKiDF3

Best regards,
Vincent Marnier.

Comment 4 (4 years ago)
This is a safe OOM crash, so not sec-sensitive.

https://crash-stats.mozilla.com/report/index/577c6ce4-74bf-41aa-a74f-f7a742150715
Group: core-security
Severity: normal → critical
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Component: Untriaged → Untriaged
Flags: needinfo?(vincent.marnier)
Keywords: crash, crashreportid
Product: Firefox → Core
Summary: Buffer overflow with MIME encoded URI → Crash with large URI: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ]
Version: 40 Branch → 41 Branch

Updated (4 years ago)
Component: Untriaged → Networking
Flags: sec-bounty?
Whiteboard: sec-other
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Keywords: csectype-oom
Whiteboard: sec-other

Updated (3 years ago)
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ] → [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsACString_internal::Assign(char const*) | nsDataHandler::ParseURI(nsCString&, nsCString&, nsCString&, bool&, nsCString&, nsCString&) ] [@ OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHand…
Whiteboard: [necko-would-take]
Crash volume for signature 'OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHandler::ParseURI':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 0 crash from 2016-06-06.
 - release (version 47): 2822 crashes from 2016-05-31.
 - esr     (version 45): 739 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          0          0          0          0          0          0
 - release        419        457        438        420        419        377        122
 - esr             91         66         82         66         86         80         76

Affected platforms: Windows, Mac OS X
status-firefox47: --- → affected
status-firefox-esr45: --- → affected
Bug 1262359 fixed this. In the past 7 days there have been zero crashes with this signature in versions 48 and later.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1262359