Closed Bug 240369 Opened 20 years ago Closed 17 years ago

Mozilla requires much memory for large images

Categories

(Core Graveyard :: Image: Painting, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: a.gangini, Unassigned)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316

When a BMP file is loaded into Internet Explorer (for example 'IMG' tag),
Internet Explorer checks the BMP image size written in the BMP file, and then
allocates the necessary memory to itself for placing the BMP image into
the memory.
And it does not check the actual size of the file, so we can write a large
number in the BMP file and cause IE to fill the memory up.
But we can't use a very large number because IE will check to see if there is
enough memory available; if not, it doesn't load it at all.
The max size of the bitmap is FFFFFFFF^2 (large number),
so the tiny (58 bytes) bitmap can take up to 51,539,607,528 GB memory.


Reproducible: Always
Steps to Reproduce:
1. Go to http://www.4rman.com/exploits/tinybmp.htm (CAREFUL!!)
Actual Results:  
Memory fills up, and eventually a crash occurs

Expected Results:  
Not fill up the whole memory (Firefox appears to be not vulnerable)
Attached image Firefox PF usage
For me, Firefox is vulnerable (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7b) Gecko/20040411 Firefox/0.8.0+), which is more likely since Firefox
only differs in interface from Mozilla, not rendering engine.
Severity: normal → critical
Keywords: hang
No crash for me. Firefox usage stayed stable. Using my own homemade last firefox
0.8.0+ build :

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040411
Firefox/0.8.0+ (MozJF)

I will see with a build I am making of firefox based on 1.7 branch sources if
crash happens.
wfm with a current cvs trunk
btw: someone who develops image code in Mozilla told me, Mozilla loads BMPs
quite different than IE and shouldn't be vulnerable to this one. Anyway some
people here seem to see some wrong behaviour of Mozilla.
Correction: This is NOT wfm :/, just looked if Mozilla didn't crash, it didn't,
but the memory usage raised from 40MB to 240MB.
Well, I looked bad at memory taken. It jumped from 26868 to 85836 Mb and then
stay stable. No crash.
Confirming : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b)
Gecko/20040402 Firefox/0.8.0+

Firefox stopped responding and my page file usage spiked (like the attached
image). Clearly an issue here.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: general → jdunn
Component: Browser-General → Image: GFX
Summary: Mozilla 1.7b also suffers of recent "Microsoft Internet Explorer BMP file memory DoS vulnerability" → Mozilla requires much memory for large files
With Mozilla/5.0 (Windows; U; Win 9x 4.90; de-AT; rv:1.6) Gecko/20040113 on Win
ME I've no problems, also no change in memory usage.
biesi: Maybe regression from Bug 185195 (cleanup BMP Decoder)?
Cannot try newer mozilla on this Windows, will take a look on Linux tomorrow.
Summary: Mozilla requires much memory for large files → Mozilla requires much memory for large images
*** Bug 240524 has been marked as a duplicate of this bug. ***
It seems Firefox hangs for about 10 seconds then becomes responsive again,
however closing the tab with the exploited bitmap does not free up the huge
amount of memory that was consumed.
Keywords: hang
*** Bug 251005 has been marked as a duplicate of this bug. ***
*** Bug 251621 has been marked as a duplicate of this bug. ***
Assignee: jdunn → pavlov
QA Contact: general
Assignee: pavlov → nobody
Firefox has for a long time refused to load images larger than 64kx64k...
See bug 255067. Marking as fixed (by bug 255067)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
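
The thread describes two defences: comparing the size declared in the BMP header with the bytes actually received, and refusing images above a dimension cap. The following is an added example of a header pre-check that does both before any pixel buffer is allocated; it is not Mozilla's code. The names `bmp_precheck` and `make_header` and the `MAX_DIM` value are assumptions chosen for illustration, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIM 65535u  /* assumed cap, echoing the 64k x 64k limit mentioned in the thread */

enum bmp_check { BMP_OK, BMP_BAD_HEADER, BMP_TOO_LARGE, BMP_TRUNCATED };

static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decide from the header alone whether it is safe to allocate for this image.
   buf/len is the complete file as received. */
enum bmp_check bmp_precheck(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_HEADER;
    uint32_t data_off = rd32(buf + 10);
    int64_t w = (int32_t)rd32(buf + 18);     /* widened so negating INT32_MIN is safe */
    int64_t h = (int32_t)rd32(buf + 22);
    uint32_t bpp = buf[28] | (uint32_t)buf[29] << 8;
    uint32_t compression = rd32(buf + 30);
    if (h < 0) h = -h;                       /* negative height means top-down rows */
    if (w <= 0 || h == 0 || bpp == 0 || bpp > 32) return BMP_BAD_HEADER;
    if (w > MAX_DIM || h > MAX_DIM) return BMP_TOO_LARGE;
    if (compression == 0) {                  /* BI_RGB: pixel data size is fully determined */
        uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;  /* rows padded to 4 bytes */
        uint64_t need = stride * (uint64_t)h;                   /* cannot overflow after the cap */
        if (data_off > len || need > len - data_off) return BMP_TRUNCATED;
    }
    return BMP_OK;                           /* RLE data may be smaller; only the cap applies */
}

/* Constructed sample: a 54-byte header-only buffer declaring w x h at 24 bpp. */
void make_header(uint8_t out[54], uint32_t w, uint32_t h) {
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    out[10] = 54; out[14] = 40; out[26] = 1; out[28] = 24;
    for (int i = 0; i < 4; i++) {
        out[18 + i] = (uint8_t)(w >> (8 * i)); out[22 + i] = (uint8_t)(h >> (8 * i));
    }
}

int main(void) {
    uint8_t f[54];
    make_header(f, 0x7FFFFFFFu, 0x7FFFFFFFu);
    printf("huge declared size: %d\n", (int)bmp_precheck(f, sizeof f));
    make_header(f, 640, 480);
    printf("640x480, no pixel data: %d\n", (int)bmp_precheck(f, sizeof f));
    return 0;
}
```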