Closed Bug 1288123 Opened 8 years ago Closed 8 years ago

[WARNING MAY CRASH BROWSER] URL parsing causes crash

Categories

(Core :: Networking, defect)

x86_64
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1288482

People

(Reporter: db, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [adv-main50+])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce:

Create an HTML page with the following contents, access it, then "reload this page" one time.

<script>document.write('<a href="http://foo/bar/%2e%2e%2e%2e%2e%2e%2e%2e">baz</a>');</script>
Actual results:

It crashes for version 46+ on OS X, including Firefox Nightly 50.0a1 (2016-07-15). Older versions and other platforms work. (45 on OS X works, 47 on Linux works, etc.)

Process:               firefox [38048]
Path:                  /Applications/NightlyDebug.app/Contents/MacOS/firefox
Identifier:            org.mozilla.nightlydebug
Version:               47.0.2 (4716.7.2)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           firefox [38048]
User ID:               25628395

Date/Time:             2016-07-20 08:00:17.778 -0700
OS Version:            Mac OS X 10.11.5 (15F34)
Report Version:        11

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000213393047
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x213393047:
    mapped file            000000019de00000-000000019e082000 [ 2568K] r--/rwx SM=COW  
--> 
    STACK GUARD            0000700000000000-0000700000001000 [    4K] ---/rwx SM=NUL  stack guard for thread 62

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      	0x00007fff83382360 _platform_strncmp + 320
1   XUL                           	0x00000001052a5db7 0x105093000 + 2174391
2   XUL                           	0x00000001086e0f64 0x105093000 + 56942436
3   XUL                           	0x00000001051b695a 0x105093000 + 1194330
4   XUL                           	0x00000001051b1b9d 0x105093000 + 1174429
5   XUL                           	0x000000010866a5ae 0x105093000 + 56456622
6   XUL                           	0x000000010623009f 0x105093000 + 18469023
7   XUL                           	0x00000001062fb175 0x105093000 + 19300725
[...]
Expected results:

No crash.
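A bounds-checked dot-segment normalizer, added here as an example (it is not Firefox's own nsStandardURL code): a defender-side path parser treats a segment as "." or ".." only when it decodes to exactly one or two dots, copies any longer run such as the eight-`%2e` segment in the test case above as an ordinary literal segment, and checks every read against the remaining length so the walk never steps past the buffer. Function names and the sample paths are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of dots if [s, s+len) is made only of "." or the percent-encoded
   "%2e"/"%2E"; otherwise -1.  Each read is checked against len, so a run
   like "%2e%2e%2e%2e%2e%2e%2e%2e" (or a truncated "%2") is walked safely. */
static int dot_segment_count(const char *s, size_t len) {
    int dots = 0;
    size_t i = 0;
    while (i < len) {
        if (s[i] == '.') {
            i += 1;
        } else if (len - i >= 3 && s[i] == '%' && s[i + 1] == '2' &&
                   (s[i + 2] == 'e' || s[i + 2] == 'E')) {
            i += 3;
        } else {
            return -1;          /* not a pure dot segment */
        }
        dots++;
    }
    return dots;
}

/* RFC 3986-style remove_dot_segments over an absolute path.  "." and ".."
   are dot segments whether literal or %2e-encoded; three or more dots are a
   normal segment and are copied unchanged.  Writes a NUL-terminated result
   to out (capacity outsz); returns its length, or -1 on overflow/bad input. */
int normalize_path(const char *path, char *out, size_t outsz) {
    size_t n = strlen(path), olen = 0, i = 0;
    if (n == 0 || path[0] != '/' || outsz == 0) return -1;
    while (i < n) {
        size_t start = i + 1, end = start;          /* segment after '/' */
        while (end < n && path[end] != '/') end++;
        size_t seglen = end - start;
        int dots = dot_segment_count(path + start, seglen);
        if (dots == 1) {
            /* "." : drop the segment */
        } else if (dots == 2) {
            /* ".." : pop the previous segment, never climbing above root */
            while (olen > 0 && out[olen - 1] != '/') olen--;
            if (olen > 0) olen--;
        } else {
            if (olen + 1 + seglen >= outsz) return -1;  /* room incl. NUL */
            out[olen++] = '/';
            memcpy(out + olen, path + start, seglen);
            olen += seglen;
        }
        i = end;
    }
    if (olen == 0) { if (outsz < 2) return -1; out[olen++] = '/'; }
    out[olen] = '\0';
    return (int)olen;
}
```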
Group: firefox-core-security, core-security-release
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Version: 50 Branch → Trunk
Group: firefox-core-security → core-security
Component: Untriaged → Networking
Product: Firefox → Core
Unfortunately, this bug crashes on Nightly, due to the URL in comment 0.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I'm marking comment 0 obsolete so it would instacrash people.
Attached file test_case.html
Summary: JS oneliner causes segfault on OS X → parsing URL in a link crashes Firefox [DO NOT OPEN -- comment 0 has the link and will crash you until fixed]
See Also: → CVE-2016-5292
Closing bug because the description is triggering a crash and we cannot change the description.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: parsing URL in a link crashes Firefox [DO NOT OPEN -- comment 0 has the link and will crash you until fixed] → [WARNING MAY CRASH BROWSER] JS oneliner causes segfault on OS X
Marking comment 0 obsolete didn't stop the crashes (javascript can unhide the comment so the contents must be still in the page).
Keywords: crash, testcase
Summary: [WARNING MAY CRASH BROWSER] JS oneliner causes segfault on OS X → [WARNING MAY CRASH BROWSER] URL parsing causes crash
Whiteboard: [adv-main50+]
Group: core-security
Group: core-security-release