problem with for block and recursion - possible memory leak with "typeof"

RESOLVED INVALID

Status

Firefox
Untriaged

People

(Reporter: Colin Saxton, Unassigned)

Tracking

43 Branch

Firefox Tracking Flags

(Not tracked)

Details

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151208100201

Steps to reproduce:

Was writing a simple recursion routine to step through some JSON using the following code:

            function meml()
            {
                var json = ({
                    item:[
                        {"name":"X","age":50,"title":"Mr"},
                        {"name":"Y","age":47,"title":"Mrs"}
                    ]
                });
                memleak(json);
            }

            function memleak(o)
            {
                if(typeof(o == "object"))
                {
                    for(n in o)
                    {
                        memleak(o[n]);
                    }
                }
            }

If you notice the brace on the typeof test I mistakenly wrapped the whole test...

typeof(o == "object") 

instead of

typeof(o) == "object"

When you run meml() you get the error reported in the results... If you step through it with the debugger it is not correctly stepping through the control block (for n in o).

If you correct the mistake then all works fine... I think that this is some kind of memory leak and I am sure that if I was to put my mind to it I should be able to exploit the browser security.

Regards.


Actual results:

too much recursion

Comment 1

2 years ago
This is a simple infinite recursion in content JS. We have some protections against JS infinitely recursing, although they aren't bulletproof. It's also possible for content JS to consume memory until the browser crashes. In either case this is not a security exploit. In any case, it's not an issue that we're going to track at this time.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
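
Added example, not part of the original report or of any Mozilla code: an instrumented copy of the reporter's walker showing why the misplaced parenthesis recurses forever on ordinary script semantics, next to the corrected test. The names misplacedTest, walkBuggy, walkFixed and the MAX_DEPTH cap are assumptions made for illustration.

```javascript
// Constructed sample: the same data as in the report.
const sample = { item: [
  { name: "X", age: 50, title: "Mr" },
  { name: "Y", age: 47, title: "Mrs" },
] };
const MAX_DEPTH = 50; // assumed cap, stands in for the engine's recursion limit

// What the misplaced parenthesis evaluates to: the comparison runs first,
// so typeof sees a boolean and returns the non-empty (truthy) string "boolean".
function misplacedTest(o) {
  return typeof (o == "object");
}

// The reporter's walker with a depth cap and a trace of each step taken.
function walkBuggy(o, depth = 0, trace = []) {
  if (depth >= MAX_DEPTH) {
    trace.push("limit");
    return trace;
  }
  if (misplacedTest(o)) {                // always true, even for strings
    for (const n in o) {                 // for-in on "X" yields the index "0"
      trace.push(`${typeof o}:${n}`);
      walkBuggy(o[n], depth + 1, trace); // "X"[0] is "X" again: no base case
      if (trace[trace.length - 1] === "limit") return trace;
    }
  }
  return trace;
}

// The corrected test from the report: strings and numbers are not descended.
function walkFixed(o, visited = []) {
  if (typeof (o) == "object") {
    for (const n in o) {
      visited.push(n);
      walkFixed(o[n], visited);
    }
  }
  return visited;
}

console.log(misplacedTest("X"));
console.log(walkBuggy(sample).slice(0, 6));
console.log(walkFixed(sample));
```

The trace shows three steps through the object structure followed by the same `string:0` step repeated until the cap, which is the "too much recursion" condition the engine reports.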