Closed
Bug 1395940
Opened 7 years ago
Closed 7 years ago
Sending a notification with a large image causes Firefox to crash
Categories
(Toolkit Graveyard :: Notifications and Alerts, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1282419
People
(Reporter: hanno, Unassigned)
Details
Attachments
(2 files)
I'll attach a code sample that will send a notification with a large PNG image as the icon set (just a black 5000x5000 image embedded as a data URI).
If this is called on Linux with a desktop environment that supports notification daemon (which includes all the major ones like GNOME, KDE, LXDE) then it will crash Firefox.
I tried to dig down into what's happening. I think using such a large image hits the dbus size limit (which seems to be around 32 MB hardcoded). That makes notify_notification_show() return an error.
I haven't figured out why that subsequently causes Firefox to terminate. However notable (and maybe related) is that in nsAlertsIconListener.cpp the function OnImageReady calls ShowAlert (which subsequently calls notify_notification_show) and doesn't handle error codes. OnImageReady just returns NS_OK unconditionally and ignores the return value of ShowAlert (which, in case notify_notification_show returns an error, is NS_ERROR_FAILURE).
With an ASAN build I get a longer error message which I'll attach.
In some situations I ended up with a state where firefox would just re-load the same page again and again on every new start. (I guess this happens if you first deliver a site on the same URL that doesn't crash, then reload and serve the crashing payload. Thus firefox has saved the URL already and tries to re-open a tab with that URL.) This makes this quite a nasty DoS issue, as it can make the browser unusable for the user unless he deletes the .mozilla directory (and which is also why I'd consider this a security issue).
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 3•7 years ago
|
||
Yes, looks like the same (minus the analysis I have done). But opened a year ago and no further action (?). I feel this is quite a severe issue...
Flags: needinfo?(hanno)
|
||
Comment 4•7 years ago
|
||
Unfortunately nobody is actively working on the notification front-end but it's on the list of possible things to work on after Firefox 57 development.
(In reply to Hanno Boeck from comment #0)
> In some situations I ended up with a state where firefox would just re-load
> the same page again and again on every new start. (I guess this happens if
> you first deliver a site on the same URL that doesn't crash, then reload and
> serve the crashing payload. Thus firefox has saved the URL already and tries
> to re-open a tab with that URL.) This makes this quite a nasty DoS issue, as
> it can make the browser unusable for the user unless he deletes the .mozilla
> directory (and which is also why I'd consider this a security issue).
Are you sure that it's as bad as you say? After a few consecutive crashes we shouldn't auto-restore the tabs?
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(hanno)
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 5•7 years ago
|
||
> Are you sure that it's as bad as you say? After a few consecutive crashes we shouldn't auto-restore the tabs?
I now re-tested and it actually is that bad. I don't know why exactly this is happening and it's not reliable.
Sometimes after a few crashes I get a "Firefox Safe Mode" notification on the next restart. But sometimes not. I was able to capture this behavior in a video. As you can see I can try to restart firefox as often as I want and it's not stopping:
https://www.youtube.com/watch?v=0YWCp2BK0MM
P.S.: Given that there is no notable activity on fixing this bug I intend to disclose all details I'm aware of within a week.
Flags: needinfo?(hanno)
|
||
Updated•4 years ago
|
Group: toolkit-core-security
|
||
Updated•2 years ago
|
Product: Toolkit → Toolkit Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•