User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316
When a BMP file is loaded into Internet Explorer (for example via an 'IMG' tag), Internet Explorer checks the BMP image size written in the BMP file and then allocates the necessary memory for placing the BMP image into memory. It does not check the actual size of the file, so we can write a large number in the BMP file and cause IE to fill the memory up. But we can't use a very large number, because IE will check to see if there is enough memory available; if not, it doesn't load it at all. The max size of the bitmap is FFFFFFFF^2 (a large number), so the tiny (58 bytes) bitmap can take up to 51,539,607,528 GB of memory.
Reproducible: Always
Steps to Reproduce:
1. Go to http://www.4rman.com/exploits/tinybmp.htm (CAREFUL!!)
Actual Results: Memory fills up, and eventually a crash occurs
Expected Results: Not fill up the whole memory
(Firefox appears to be not vulnerable)
Created attachment 145988: Firefox PF usage
For me, Firefox is vulnerable (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040411 Firefox/0.8.0+), which is more likely since Firefox only differs in interface from Mozilla, not rendering engine.
No crash for me. Firefox usage stayed stable. Using my own homemade latest Firefox 0.8.0+ build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040411 Firefox/0.8.0+ (MozJF). I will see, with a build I am making of Firefox based on 1.7 branch sources, whether the crash happens.
wfm with a current cvs trunk. btw: someone who develops image code in Mozilla told me Mozilla loads BMPs quite differently than IE and shouldn't be vulnerable to this one. Anyway, some people here seem to see some wrong behaviour of Mozilla.
Correction: This is NOT wfm :/. I just looked at whether Mozilla crashed; it didn't, but the memory usage rose from 40MB to 240MB.
Well, I looked bad at memory taken. It jumped from 26868 to 85836 Mb and then stayed stable. No crash.
Confirming: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040402 Firefox/0.8.0+. Firefox stopped responding and my page file usage spiked (like the attached image). Clearly an issue here.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: general → jdunn
Component: Browser-General → Image: GFX
Summary: Mozilla 1.7b also suffers of recent "Microsoft Internet Explorer BMP file memory DoS vulnerability" → Mozilla requires much memory for large files
With Mozilla/5.0 (Windows; U; Win 9x 4.90; de-AT; rv:1.6) Gecko/20040113 on Win ME I've no problems, also no change in memory usage. biesi: Maybe regression from Bug 185195 (cleanup BMP Decoder)? Cannot try newer mozilla on this Windows, will take a look on Linux tomorrow.
Summary: Mozilla requires much memory for large files → Mozilla requires much memory for large images
*** Bug 240524 has been marked as a duplicate of this bug. ***
It seems Firefox hangs for about 10 seconds, then becomes responsive again; however, closing the tab with the exploited bitmap does not free up the huge amount of memory that was consumed.
*** Bug 251005 has been marked as a duplicate of this bug. ***
*** Bug 251621 has been marked as a duplicate of this bug. ***
Firefox has for a long time refused to load images larger than 64kx64k... See bug 255067. Marking as fixed (by bug 255067).
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Component: Image: Painting → Image: Painting
Product: Core → Core Graveyard
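The two defences this thread touches on, comparing the size declared in the BMP header with the bytes actually received and capping the dimensions before allocating, as an added example that is not Mozilla's code or the reporter's. `bmp_check`, `make_bmp`, the 65535 cap and the 58-byte sample file are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { BMP_OK, BMP_MALFORMED, BMP_TOO_LARGE, BMP_TRUNCATED } bmp_verdict;

static uint32_t rd32(const uint8_t *p) {            /* little-endian read */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {          /* little-endian write */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check declared geometry before allocating. max_dim is an assumed per-axis
 * policy cap; *need receives the pixel-buffer size the header asks for. */
bmp_verdict bmp_check(const uint8_t *buf, size_t len, uint32_t max_dim,
                      uint64_t *need) {
    *need = 0;
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M' || rd32(buf + 14) < 40)
        return BMP_MALFORMED;
    uint32_t off = rd32(buf + 10), bpp = buf[28] | buf[29] << 8;
    int64_t w = (int32_t)rd32(buf + 18);            /* fields are signed 32-bit */
    int64_t h = (int32_t)rd32(buf + 22);            /* negative = top-down rows */
    if (h < 0) h = -h;
    if (w <= 0 || h == 0 || bpp == 0 || bpp > 32) return BMP_MALFORMED;
    if (w > max_dim || h > max_dim) return BMP_TOO_LARGE;
    /* 64-bit arithmetic; each row is padded to a multiple of 4 bytes. */
    *need = (((uint64_t)w * bpp + 31) / 32) * 4 * (uint64_t)h;
    /* Uncompressed (compression field 0) pixels must really be in the file. */
    if (rd32(buf + 30) == 0 && (off > len || *need > len - off))
        return BMP_TRUNCATED;
    return BMP_OK;
}

/* Constructed sample: 54-byte header plus 4 bytes of pixel data (58 bytes). */
void make_bmp(uint8_t out[58], int32_t w, int32_t h, uint8_t bpp) {
    memset(out, 0, 58);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, 58); wr32(out + 10, 54); wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)h);
    out[26] = 1; out[28] = bpp;
}

int main(void) {
    uint8_t f[58]; uint64_t need;
    make_bmp(f, 20000, 20000, 32);      /* constructed: header claims 1.6 GB */
    bmp_verdict v = bmp_check(f, sizeof f, 65535, &need);
    printf("verdict=%d declared=%llu bytes, file=%zu bytes\n", v, (unsigned long long)need, sizeof f);
    return 0;
}
```

The truncation check is applied only to uncompressed data, since RLE-compressed pixel data can legitimately be smaller than the decoded image; for those files the dimension cap is the only bound shown here.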