Closed Bug 1418482 Opened 7 years ago Closed 2 years ago

Mozilla browser "search" is not sanitizing/handling long, specially crafted strings and as a result the browser crashes/stops responding

Categories

(Firefox :: Address Bar, defect, P5)

57 Branch
defect

Tracking


RESOLVED DUPLICATE of bug 1589602

People

(Reporter: niputiwari, Unassigned)

References

Details

(Keywords: csectype-dos)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063

Steps to reproduce:

1. Open the browser (tested on Firefox 57.0, 64-bit version)
2. Copy the long string provided as an attachment and paste it into the Search field of the browser
3. Observe that the Firefox browser crashes

Actual results:

Not responding/crashes

Expected results:

The browser search section should be designed to handle malicious characters. The browser should not hang or crash if a long string is passed into its search section. In the worst-case scenario, it can lead to a memory leak, DoS, buffer overflow and even RCE.
So far I haven't reproduced a crash on Mac (will have to try Windows later). Did you get a crash reporter prompt and submit a crash to us? If so, the ID/link would be super helpful. You can find that on the about:crashes page. I can certainly reproduce a hang when pasting a 7 million byte binary string into the address bar. When I sample the process, every thread is waiting -- I bet it's the underlying OS widget that's gooped up (in which case I might well get completely different results on Windows).
Group: firefox-core-security
Component: Untriaged → Address Bar
Keywords: csectype-dos
It wasn't 100% frozen, btw. It was processing events in between beachballs enough that I was eventually able to close the test tab by clicking on the tab close button. After that the browser returned to normal and was its usual snappy self.
ID: 971b6110-9236-41a0-a3d0-142000171121 Signature: IPCError-browser | ShutDownKill
Doesn't look critical, and it's quite an uncommon use case.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
See Also: → 1589602
Severity: normal → S3

Bug 1589602 has handled most of the problems, we're still looking into Bug 1838723, but we can dupe to the former for now.
If there's more, a performance profile would be necessary to proceed further.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1589602
Resolution: --- → DUPLICATE
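The report asks that the search field "not hang or crash if a long string is passed", and the first reply reproduces a hang with a 7 million byte binary paste. The following is an added example, not Firefox code and not the attachment from this bug: it constructs a comparable binary string and contrasts a paste handler that scans the whole input on the UI thread with one that bounds the work up front. The cap value and the two handler names are assumptions for illustration; the page does not say what limit, if any, Firefox applies to pasted text, nor what the real cause of the hang was.

```javascript
// Added example, not code from Firefox or from the bug's attachment. It models what a
// search/address-bar paste handler can do so that a multi-megabyte paste never stalls
// the UI thread: bound the length before any per-character work, then drop control
// bytes that have no meaning in a URL or search query.

// Assumption: illustrative cap; the page does not state what limit, if any, Firefox applies.
const MAX_PASTE_CHARS = 64 * 1024;

// Deterministic xorshift32 PRNG so the constructed input is reproducible.
function xorshift32(seed) {
  let x = seed >>> 0 || 1;
  return () => {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    return x;
  };
}

// Constructed test input: n "bytes" 0x00-0xFF as a JS string, standing in for the
// ~7,000,000-byte binary paste described in the first reply.
function makeBinaryPaste(n, seed = 1) {
  const rnd = xorshift32(seed);
  const chunks = [];
  const CHUNK = 8192;
  for (let done = 0; done < n; done += CHUNK) {
    const len = Math.min(CHUNK, n - done);
    const codes = new Array(len);
    for (let i = 0; i < len; i++) codes[i] = rnd() & 0xff;
    chunks.push(String.fromCharCode.apply(null, codes));
  }
  return chunks.join('');
}

// C0 controls, DEL and C1 controls: never meaningful in a URL or search query.
function isControl(code) {
  return code < 0x20 || (code >= 0x7f && code <= 0x9f);
}

// Naive handler: scans the entire paste before deciding anything, so the work done
// on the main thread grows with whatever the user (or a page) pasted.
function naivePasteHandler(text) {
  let kept = '';
  let dropped = 0;
  for (let i = 0; i < text.length; i++) {
    if (isControl(text.charCodeAt(i))) { dropped++; continue; }
    kept += text[i];
  }
  return { text: kept, truncated: false, dropped, scanned: text.length };
}

// Hardened handler: truncate first, so per-character work is bounded by the cap
// regardless of input size, and report the truncation so the UI can tell the user.
function hardenedPasteHandler(text, maxChars = MAX_PASTE_CHARS) {
  const truncated = text.length > maxChars;
  const slice = truncated ? text.slice(0, maxChars) : text;
  let kept = '';
  let dropped = 0;
  for (let i = 0; i < slice.length; i++) {
    if (isControl(slice.charCodeAt(i))) { dropped++; continue; }
    kept += slice[i];
  }
  return { text: kept, truncated, dropped, scanned: slice.length };
}

// Stand-alone run: compare how much work each handler does on a 7 MB paste.
if (typeof require !== 'undefined' && require.main === module) {
  const paste = makeBinaryPaste(7_000_000);
  for (const [name, fn] of [['naive', naivePasteHandler], ['hardened', hardenedPasteHandler]]) {
    const t0 = Date.now();
    const r = fn(paste);
    console.log(name, 'scanned', r.scanned, 'kept', r.text.length, 'dropped', r.dropped,
                'truncated', r.truncated, 'ms', Date.now() - t0);
  }
}
```

The point of the contrast is not the control-character filtering, which both handlers do, but where the length check sits: the hardened handler's `scanned` count stays at the cap no matter how large the paste, so the cost of the per-character pass (or of anything heavier, such as URL parsing or search-suggestion lookups) is bounded before it reaches the main thread.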