Closed Bug 1310441 Opened 3 years ago Closed 3 years ago

Blob generated by MediaRecorder and uploaded via XmlHttpRequest crashes Firefox hard

Categories: Firefox :: Untriaged, defect, major
Version: 49 Branch
Priority: Not set
Severity: major
Status: RESOLVED DUPLICATE of bug 1264209
Reporter: Oliver.Friedmann (Unassigned)
Attachments: 1 file

Attached file firefox-crash.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50

Steps to reproduce:

Use MediaRecorder to record a short video, then upload it via XmlHttpRequest.

You can try it out here:
https://dl.dropboxusercontent.com/u/2378440/Ziggeo/Tests/firefox-crash.html

I can fix the bug by copying the blob via an intermediate ArrayBuffer to a new blob and then uploading it.

It feels like the memory of the blob is not handled properly. People might be able to use this bug to escalate privileges by being able to write / leak into memory that was not meant for the JavaScript Virtual Machine.


Actual results:

Firefox crashes.


Expected results:

Firefox should not crash.
Severity: normal → major
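The workaround the reporter describes (copy the recorded Blob through an intermediate ArrayBuffer, then upload the copy), as an added example that is not part of the bug report or its attached testcase. It assumes a runtime with the standard Blob global (Node 18+ or a browser); the names rebufferBlob, blobsEqual, uploadRecording and xhrSender are the example's own. It only sidesteps the crash, which the triage comment attributes to an already-filed Firefox bug; the fix belongs in the browser, not in page code.

```javascript
// Added example, not code from the bug report. Assumes the WHATWG Blob
// global (Node 18+ or a browser); helper names are hypothetical.

// Copy a Blob's bytes into a fresh Blob with the same MIME type. The copy
// is backed by a plain ArrayBuffer that JavaScript owns outright, which is
// the intermediate step the reporter says avoids the crash.
async function rebufferBlob(blob) {
  const bytes = await blob.arrayBuffer();
  return new Blob([bytes], { type: blob.type });
}

// Byte-for-byte comparison of two Blobs, so the copy can be checked before
// it is handed to the uploader.
async function blobsEqual(a, b) {
  if (a.size !== b.size || a.type !== b.type) return false;
  const [x, y] = await Promise.all([a.arrayBuffer(), b.arrayBuffer()]);
  const ux = new Uint8Array(x);
  const uy = new Uint8Array(y);
  for (let i = 0; i < ux.length; i++) {
    if (ux[i] !== uy[i]) return false;
  }
  return true;
}

// Upload path: always send the re-buffered copy, never the Blob that came
// straight out of MediaRecorder. `sender` is injected so the logic can be
// exercised headless; in a browser pass xhrSender(url).
async function uploadRecording(blob, sender) {
  const copy = await rebufferBlob(blob);
  return sender(copy);
}

// Browser-only sender built on XMLHttpRequest, as in the reporter's setup.
function xhrSender(url) {
  return (body) => new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('POST', url);
    xhr.onload = () => resolve(xhr.status);
    xhr.onerror = () => reject(new Error('upload failed'));
    xhr.send(body);
  });
}

// Constructed sample standing in for a recorded WebM chunk (first four
// bytes are the EBML magic, the rest is filler).
const SAMPLE_BYTES = new Uint8Array([0x1a, 0x45, 0xdf, 0xa3, 0x01, 0x02, 0x03]);
const SAMPLE_BLOB = new Blob([SAMPLE_BYTES], { type: 'video/webm' });

// Browser wiring (not run here):
//   recorder.ondataavailable = (e) =>
//     uploadRecording(e.data, xhrSender('/upload')).catch(console.error);
```

In a page, hook `uploadRecording` to the recorder's `dataavailable` event as shown in the trailing comment; the size/type/bytes check in `blobsEqual` is cheap insurance that the detour through ArrayBuffer did not alter the recording.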
Is this with e10s or without? I tried this on x86 windows 10 nightly, both with and without e10s, and got no crash. Can you use about:crashes to find and link to the crash report that was generated as a result of this testcase?
Flags: needinfo?(Oliver.Friedmann)
There you go: https://crash-stats.mozilla.com/report/index/91846c7e-c382-4c43-be4c-23d002161017

I was using the newest FF on Mac OS.
This crash is already filed, so I'm going to mark this a duplicate, but I don't think we had a reproducible testcase before. That's great news.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(Oliver.Friedmann)
Resolution: --- → DUPLICATE
Duplicate of bug: 1264209