Closed Bug 1404571 Opened 4 years ago Closed 3 years ago

Script can load heaps of memory

Categories: Core :: DOM: Core & HTML, defect, P3
Version: 57 Branch
Status: RESOLVED WORKSFORME

Tracking Status
firefox56 --- affected
firefox57 --- affected
firefox58 --- affected

People: Reporter: kylekuhn99, Unassigned

References: Blocks 1 open bug

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170816210634

Steps to reproduce:

I visited a less-than-reliable web page and got a fake virus popup.


Actual results:

The malicious web page had a script on it that loaded heaps of memory. The script had managed to take 8.8 gigabytes of memory before I closed it with Task Manager.


Expected results:

I would expect a page to have a reasonable limit to the amount of memory it can use before it is stopped from allocating more space.
I wrote a webpage that can successfully reproduce the bug. Such allocation also seems to be permitted on Firefox Stable.



<!DOCTYPE html>
<html>
<!-- Reproducer: an unbounded allocation loop. The array grows by one
     element per iteration and the loop never yields, so memory use
     climbs until the engine or the user stops the script. -->
<script>var foo = []; while(1) { foo.push("random ****"); }</script>
<body><p>Hello World!</p></body>
</html>
This should be on file somewhere: there are many ways a malicious page can DoS the browser by exhausting limits.
Blocks: eviltraps
Group: firefox-core-security
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Firefox: 58.0a1, Build ID: 20171003220138

I have managed to reproduce the heaps-of-memory issue with the script from comment 1 on the latest Firefox (56.0) release and the latest Nightly (58.0a1) build.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core
Priority: -- → P3
This works for me.
 1) the slow script infobar pops up and lets you stop the offending script
 2) eventually we kill the page script ourselves: "uncaught exception: out of memory"

Yes, it used gobs of memory while it was running, but given the script we handled the DoS about as well as expected.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
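The behaviour described in the closing comment, as an added example that is not part of the bug report or of Firefox's own code: the reproducer's unbounded loop beside a version that caps its own allocation, plus a probe showing that an oversized allocation request surfaces to the script as a catchable RangeError rather than silently growing memory. The per-character and per-element byte costs, the chunk size and the function names are assumptions made for illustration and are not stated on the page.

```javascript
// Added example, not code from the bug report or from Firefox.
// Assumptions (illustrative, not from the page): a string costs
// BYTES_PER_CHAR per code unit (UTF-16) and each array slot costs
// ELEMENT_OVERHEAD bytes; the engine's real accounting differs.
const BYTES_PER_CHAR = 2;
const ELEMENT_OVERHEAD = 8;

// The pattern from the reproducer, kept for comparison only.
// It never yields to the event loop and has no bound, so it runs
// until the slow-script prompt or an out-of-memory exception ends it.
// Do not call this.
function exhaustMemoryUnbounded() {
  const foo = [];
  while (true) { foo.push("random ****"); }
}

// Hardened counterpart: allocate distinct strings until an explicit
// byte budget is reached, stop, and report why allocation ended.
// The budget check happens before each allocation, so the estimate
// never exceeds maxBytes.
function allocateWithBudget(maxBytes, chunkChars = 1024) {
  const held = [];
  const chunkCost = chunkChars * BYTES_PER_CHAR + ELEMENT_OVERHEAD;
  let estimatedBytes = 0;
  let stoppedBy = "budget";
  try {
    while (estimatedBytes + chunkCost <= maxBytes) {
      // A fresh string each iteration, unlike the reproducer, which
      // pushes the same literal and grows only the array itself.
      held.push("x".repeat(chunkChars));
      estimatedBytes += chunkCost;
    }
  } catch (err) {
    // If the engine refuses an allocation it throws into the script;
    // keep what was allocated so far and report the exception type.
    stoppedBy = err instanceof RangeError ? "RangeError" : "error";
  }
  return { chunks: held.length, estimatedBytes, stoppedBy };
}

// A single request above the engine's string-length limit fails
// immediately with a RangeError that the page can catch, instead of
// consuming memory until the tab is killed. 2 ** 32 code units exceeds
// the maximum string length of current engines.
function probeOversizedAllocation(count = 2 ** 32) {
  try {
    const s = "x".repeat(count);
    return { threw: false, length: s.length };
  } catch (err) {
    return { threw: true, name: err.name };
  }
}

// Stand-alone usage: a 1 MiB budget and one oversized request.
console.log(allocateWithBudget(1 << 20));
console.log(probeOversizedAllocation());
```

The budgeted loop is what a well-behaved page should do in place of the reproducer's `while(1)`: it stops at its own limit and, if the engine throws first, it catches the exception instead of leaving the tab with an uncaught out-of-memory error.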
Duplicate of this bug: 1439320
Component: DOM → DOM: Core & HTML