Closed
Bug 1418482
Opened 7 years ago
Closed 2 years ago
Mozilla browser "search" is not sanitizing/handling long specially crafted strings and as a result the browser crashes/stops responding
Categories
(Firefox :: Address Bar, defect, P5)
RESOLVED
DUPLICATE
of bug 1589602
People
(Reporter: niputiwari, Unassigned)
References
Details
(Keywords: csectype-dos)
Attachments (1 file): 6.76 MB, application/x-zip-compressed
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Steps to reproduce:
1. Open Browser (Tested on Firefox 57.0 64 bit version)
2. Copy the long string provided as an attachment and paste in Search field of Browser
3. Observe that Firefox browser crashes
Actual results:
Not responding/Crashes
Expected results:
The browser search section should be designed to handle malicious characters. The browser should not hang or crash if a long string is passed into its search section.
In the worst case scenario, it can lead to a memory leak, DoS, buffer overflow and even RCE.
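As an added illustration of the defensive input handling the expected results ask for (this is not Firefox code and not part of the report), the following JavaScript bounds and sanitizes text pasted into a search field before it reaches the widget: only a fixed-size prefix of the clipboard payload is ever inspected, control characters are dropped, and the truncation is code-point aware so an astral character is never cut in half. The limit `MAX_SEARCH_LENGTH`, the element id `search`, the function names and the constructed payload are all assumptions.

```javascript
// Added example: bounded, sanitized handling of text pasted into a search box.
// Not Firefox code; MAX_SEARCH_LENGTH and the element id are assumptions.
const MAX_SEARCH_LENGTH = 2048; // assumed upper bound for a search/URL string

// Return a cleaned string of at most maxLen code points. The work done is
// proportional to maxLen, not to the size of the pasted text, so a
// multi-megabyte clipboard payload cannot stall the UI thread here.
function sanitizeSearchInput(text, maxLen = MAX_SEARCH_LENGTH) {
  if (typeof text !== "string") return "";
  // Take at most maxLen*2 UTF-16 code units (enough for maxLen astral
  // characters), then cut to maxLen code points via Array.from so that a
  // surrogate pair is never split.
  const prefix = Array.from(text.slice(0, maxLen * 2)).slice(0, maxLen).join("");
  return prefix
    .replace(/[\p{Cc}\p{Cs}]/gu, " ") // C0/C1 controls, DEL, lone surrogates
    .replace(/\s+/g, " ")             // collapse whitespace runs
    .trim();
}

// Decide what the widget receives and report whether the payload was altered.
function handlePaste(rawClipboardText) {
  const accepted = sanitizeSearchInput(rawClipboardText);
  return {
    accepted,
    changed: accepted !== rawClipboardText,
    originalLength: rawClipboardText.length,
  };
}

// Browser wiring (guarded so the file also runs under Node for the checks below).
if (typeof document !== "undefined") {
  const box = document.getElementById("search"); // assumed element id
  if (box) {
    box.addEventListener("paste", (ev) => {
      ev.preventDefault(); // never let the raw payload reach the field
      box.value = handlePaste(ev.clipboardData.getData("text/plain")).accepted;
    });
  }
}

// Constructed test input: a run of binary-looking characters of roughly the
// size comment 1 describes (about 7 million characters). Not the attachment.
function constructedPayload(chars = 7 * 1024 * 1024) {
  return "\u0000\u00ff\u0001\u0080".repeat(chars / 4);
}

// Usage: handlePaste(constructedPayload()).accepted is at most 2048 code points.
```

The important design choice is that the raw string is sliced before anything else touches it: the regular expressions, the whitespace collapse and the code-point split all run on the bounded prefix, so the cost of a hostile paste is fixed regardless of how large the clipboard contents are.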
Comment 1•7 years ago
So far I haven't reproduced a crash on Mac (will have to try Windows later). Did you get a crash reporter prompt and submit a crash to us? If so the ID/Link would be super helpful. You can find that on the about:crashes page.
I can certainly reproduce a hang when pasting a 7 million byte binary string into the addressbar. When I sample the process every thread is waiting -- I bet it's the underlying OS widget that's gooped up (in which case I might well get completely different results on Windows).
Comment 2•7 years ago
It wasn't 100% frozen, btw. It was processing events in between beachballs enough that I was eventually able to close the test tab by clicking on the tab close button. After that the browser returned to normal and was its usual snappy self.
ID: 971b6110-9236-41a0-a3d0-142000171121
Signature: IPCError-browser | ShutDownKill
Comment 4•7 years ago
doesn't look critical and it's quite an uncommon use-case.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Updated•2 years ago
Severity: normal → S3
Comment 5•2 years ago
Bug 1589602 has handled most of the problems, we're still looking into Bug 1838723, but we can dupe to the former for now.
If there's more, a performance profile would be necessary to proceed further.