Closed
Bug 1288123
Opened 8 years ago
Closed 8 years ago
[WARNING MAY CRASH BROWSER] URL parsing causes crash
Categories
(Core :: Networking, defect)
RESOLVED
DUPLICATE
of bug 1288482
People
(Reporter: db, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [adv-main50+])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce:

Create an html page with the following contents, access it, then "reload this page" one time.

<script>document.write('<a href="http://foo/bar/%2e%2e%2e%2e%2e%2e%2e%2e">baz</a>');</script>

Actual results:

It crashes for version 46+ on OS X, including FirefoxNightly 50.0a1 (2016-07-15). Older versions and other platforms work. (45 on OS X works, 47 on Linux works, etc.)

Process: firefox [38048]
Path: /Applications/NightlyDebug.app/Contents/MacOS/firefox
Identifier: org.mozilla.nightlydebug
Version: 47.0.2 (4716.7.2)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: firefox [38048]
User ID: 25628395

Date/Time: 2016-07-20 08:00:17.778 -0700
OS Version: Mac OS X 10.11.5 (15F34)
Report Version: 11
Anonymous UUID: 4F065409-6410-EED7-4352-470B9B7EA9DD

Sleep/Wake UUID: 1B10C1A4-591F-4DAC-AD77-30B47ECCF792

Time Awake Since Boot: 400000 seconds
Time Since Wake: 2900 seconds

System Integrity Protection: enabled

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000213393047
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x213393047:
    mapped file 000000019de00000-000000019e082000 [ 2568K] r--/rwx SM=COW
-->
    STACK GUARD 0000700000000000-0000700000001000 [ 4K] ---/rwx SM=NUL stack guard for thread 62

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_platform.dylib 0x00007fff83382360 _platform_strncmp + 320
1 XUL 0x00000001052a5db7 0x105093000 + 2174391
2 XUL 0x00000001086e0f64 0x105093000 + 56942436
3 XUL 0x00000001051b695a 0x105093000 + 1194330
4 XUL 0x00000001051b1b9d 0x105093000 + 1174429
5 XUL 0x000000010866a5ae 0x105093000 + 56456622
6 XUL 0x000000010623009f 0x105093000 + 18469023
7 XUL 0x00000001062fb175 0x105093000 + 19300725
[...]

Expected results:

No crash.
Updated•8 years ago
Group: firefox-core-security, core-security-release
Updated•8 years ago
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Version: 50 Branch → Trunk
Updated•8 years ago
Group: firefox-core-security → core-security
Component: Untriaged → Networking
Product: Firefox → Core
Comment 1•8 years ago
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•8 years ago
Updated•8 years ago
Summary: JS oneliner causes segfault on OS X → parsing URL in a link crashes Firefox [DO NOT OPEN -- comment 0 has the link and will crash you until fixed]
Updated•8 years ago
See Also: → CVE-2016-5292
Comment 5•8 years ago
Closing bug because the description is triggering a crash and we cannot change the description.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: parsing URL in a link crashes Firefox [DO NOT OPEN -- comment 0 has the link and will crash you until fixed] → [WARNING MAY CRASH BROWSER] JS oneliner causes segfault on OS X
Comment 6•8 years ago
Marking comment 0 obsolete didn't stop the crashes (javascript can unhide the comment so the contents must be still in the page).
Updated•8 years ago
Whiteboard: [adv-main50+]
Updated•7 years ago
Group: core-security
Updated•7 years ago
Group: core-security-release