Closed Bug 1262359 Opened 4 years ago Closed 4 years ago

crash in OOM | large | NS_ABORT_OOM | nsACString_internal::Assign | nsDataHandler::NewURI

Categories

(Core :: Networking, defect, critical)

x86
Windows NT

Tracking

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: njn, Assigned: njn)

Details

(Keywords: crash, Whiteboard: [necko-active])

Attachments

(5 files, 3 obsolete files)

This bug was filed from the Socorro interface and is report bp-cd7d10be-a12e-4ad3-a18e-cefb92160405.
=============================================================

nsDataHandler::NewURI() does an allocation (via nsDataHandler::ParseURI()) that is the size of the payload of a data URL. This can be arbitrarily long, so it should be made fallible. (The occurrence in this crash report was 1.4 MB.)

Also, nsDataHandler::ParseURI() can be optimized a bit to avoid the allocation entirely in some cases.
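
The pattern the description above asks for, as an added C++ sketch that is not Gecko code and not taken from the attached patches: the payload-sized copy is fallible and reports failure to the caller, and it is skipped entirely when the caller does not ask for the payload. All names (`ParseDataURL`, `FallibleBuf`, `Span`, `ParseResult`) are hypothetical, and the `budget` parameter is a constructed knob that simulates allocation failure.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

// Hypothetical names throughout; a sketch of the pattern, not Gecko code.
enum class ParseResult { Ok, Malformed, OutOfMemory };

struct Span { const char* ptr; size_t len; };  // view into the URL, no copy

// Stand-in for a string with a fallible Assign(): failure is returned to
// the caller instead of aborting the process.
struct FallibleBuf {
  char* data = nullptr;
  size_t len = 0;
  ~FallibleBuf() { delete[] data; }
  // `budget` is a constructed knob that simulates memory pressure.
  bool Assign(const char* src, size_t n, size_t budget) {
    char* p = n > budget ? nullptr : new (std::nothrow) char[n + 1];
    if (!p) return false;
    std::memcpy(p, src, n);
    p[n] = '\0';
    delete[] data;
    data = p;
    len = n;
    return true;
  }
};

// Parses "data:[<mediatype>][;base64],<payload>". Every out-parameter is
// optional; with payload == nullptr nothing payload-sized is allocated.
ParseResult ParseDataURL(const char* spec, size_t specLen, Span* mediaType,
                         bool* isBase64, FallibleBuf* payload,
                         size_t budget = static_cast<size_t>(-1)) {
  if (specLen < 5 || std::memcmp(spec, "data:", 5) != 0)
    return ParseResult::Malformed;
  const char* comma =
      static_cast<const char*>(std::memchr(spec + 5, ',', specLen - 5));
  if (!comma) return ParseResult::Malformed;
  size_t metaLen = static_cast<size_t>(comma - (spec + 5));
  // Simplification: the ";base64" marker is matched case-sensitively.
  bool b64 = metaLen >= 7 && std::memcmp(comma - 7, ";base64", 7) == 0;
  if (b64) metaLen -= 7;
  if (mediaType) *mediaType = Span{spec + 5, metaLen};
  if (isBase64) *isBase64 = b64;
  size_t payloadLen = specLen - static_cast<size_t>(comma + 1 - spec);
  if (payload && !payload->Assign(comma + 1, payloadLen, budget))
    return ParseResult::OutOfMemory;  // caller must check this result
  return ParseResult::Ok;
}
```

A caller that only needs the media type passes `nullptr` for `payload`, so a multi-megabyte data URL costs no extra allocation on that path.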
Attachment #8738411 - Flags: review?(jduell.mcbugs)
Assignee: nobody → n.nethercote
Status: NEW → ASSIGNED
Attachment #8738411 - Attachment is obsolete: true
Attachment #8738411 - Flags: review?(jduell.mcbugs)
Attachment #8738413 - Attachment is obsolete: true
Attachment #8738413 - Flags: review?(jduell.mcbugs)
Attachment #8738415 - Attachment is obsolete: true
Attachment #8738415 - Flags: review?(jduell.mcbugs)
Whiteboard: [necko-active]
Attachment #8738414 - Flags: review?(erahm) → review+
Attachment #8738417 - Flags: review?(jduell.mcbugs) → review+
Attachment #8738420 - Flags: review?(jduell.mcbugs) → review+
Comment on attachment 8738421
(part 4) - Make data URL payload assignment fallible in nsDataHandler::ParseURI()

Review of attachment 8738421:
-----------------------------------------------------------------

bonus points for snazzy use of ternary operator! :)
Attachment #8738421 - Flags: review?(jduell.mcbugs) → review+
Attachment #8738416 - Flags: review?(jduell.mcbugs) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2581d348367fcad75830e693d8086bff16de572
Bug 1262359 (part 1) - Remove unused |hashRef| parameter from nsDataHandler::ParseURI(). r=jduell.

https://hg.mozilla.org/integration/mozilla-inbound/rev/ee3b6b151cf5a72ab0a121c0f3da475129ba7c29
Bug 1262359 (part 2) - Make the filling in of two parameters optional in nsDataHandler::ParseURI(). r=jduell.

https://hg.mozilla.org/integration/mozilla-inbound/rev/6474dc4bf7856b5583ffea9307a7bdc249bf8bc8
Bug 1262359 (part 3) - Add a missing fallible nsTSubstring_CharT::Assign() variant. r=erahm.

https://hg.mozilla.org/integration/mozilla-inbound/rev/fb3e2cc58cfa53b11e7e89d418abd2db1845a7d6
Bug 1262359 (part 4) - Make data URL payload assignment fallible in nsDataHandler::ParseURI(). r=jduell.

https://hg.mozilla.org/integration/mozilla-inbound/rev/e8dad24cfffa9f5d8406df8c59839902cd446e65
Bug 1262359 (part 5) - Add a missing rv check for call to nsDataHandler::ParseURI(). r=jduell.
Looks like these changes fixed the crash in bug 1258111.
Duplicate of this bug: 1184014