OOM crash when creating CSS error message

Status: NEW
Assignee: Unassigned
Product: Core
Component: CSS Parsing and Computation
Priority: P3
Severity: normal
Opened: 3 months ago
Updated: 2 months ago
Reporter: hyp3rlinx
Version: unspecified
Keywords: crash
Firefox Tracking Flags: firefox-esr52 affected, firefox54 wontfix, firefox55 affected, firefox56 affected
Attachments: 1 attachment

(Reporter)

Description

3 months ago
Created attachment 8881644 [details]
Firefox-DOS.html

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

Dynamically creating HTML elements IMG, FORM, DIV, P, A, H2, IFRAME, TABLE, TEXTAREA and assigning a very long string of junk chars to the "style.color" property results in a Firefox browser crash (not tab).


Actual results:

Firefox crash, possible out of memory... no time to research yet. So I will check the security option below.

Group: firefox-core-security → core-security
Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core
Crash report: https://crash-stats.mozilla.com/report/index/816adb14-42d0-475e-b3fd-fd2280170629
Crash Signature: [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xrealloc | GrowStuff ]
status-firefox54: --- → wontfix
status-firefox55: --- → affected
status-firefox56: --- → affected
status-firefox-esr52: --- → affected
Keywords: crash
Version: 53 Branch → unspecified

Thanks for the crash report, Ryan. It looks like we're trying to generate a very large CSS error message, and we crash safely in an OOM.

Group: core-security

mozilla::dom::HTMLMediaElement::ReportLoadError() seems to also hit a similar crash signature.

Summary: Firefox Multiple Denial Of Service (for now) → OOM crash when creating CSS error message

(Reporter)

Comment 4

3 months ago
Yeah, I figured it was OOM. Will this be fixed, etc.? Thanks...

Generally we prioritize OOM crashes based on how common they are. This one doesn't appear to be particularly common.

(Reporter)

Comment 6

3 months ago
So not being common means which priority?

(In reply to hyp3rlinx from comment #6)
> So not being common means which priority?

It means low priority.

Although...we limit CSS error messages to something short so they don't cause these sorts of problems, IIRC.  Maybe we should be limiting load errors similarly?
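
The bounded-message idea raised in the comment above, as an added example that is not part of the original bug thread and is not Firefox code: the untrusted value is capped on a UTF-8 boundary before it is formatted, so the allocation for the message no longer grows with the input. The cap `kMaxQuotedBytes`, the function names `Utf8Prefix` and `BuildErrorMessage`, and the message wording are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical cap on how much of an untrusted value is echoed back.
constexpr std::size_t kMaxQuotedBytes = 64;

// Longest prefix of `s` within `max_bytes` that does not split a UTF-8 sequence.
std::string_view Utf8Prefix(std::string_view s, std::size_t max_bytes) {
  if (s.size() <= max_bytes) return s;
  std::size_t end = max_bytes;
  // If the cut lands on a continuation byte (10xxxxxx), back up to its lead byte.
  while (end > 0 && (static_cast<unsigned char>(s[end]) & 0xC0) == 0x80) --end;
  return s.substr(0, end);
}

// Builds a diagnostic whose size is bounded regardless of value.size().
// `property` is assumed to be a short, trusted property name.
std::string BuildErrorMessage(std::string_view property, std::string_view value) {
  const std::string_view shown = Utf8Prefix(value, kMaxQuotedBytes);
  std::string msg = "Invalid value for '";  // constructed wording
  msg.append(property).append("': '").append(shown).append("'");
  if (shown.size() < value.size()) {
    msg += " (" + std::to_string(value.size() - shown.size()) + " more bytes omitted)";
  }
  return msg;
}

int main() {
  const std::string junk(10000000, 'A');  // constructed oversized input
  std::cout << BuildErrorMessage("color", "red") << "\n"
            << BuildErrorMessage("color", junk) << "\n";
}
```

Because `Utf8Prefix` returns a view into the caller's buffer, the oversized input is never copied; only the capped prefix reaches the message string.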

Updated

3 months ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

2 months ago
Priority: -- → P3