Closed
Bug 271822
Opened 20 years ago
Closed 20 years ago
javascript stack overflow in sort() loop (Berend-Jan Wever DoS) [@ 0xff336446 - js_GetSlotThreadSafe ]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 271716
People
(Reporter: moixa, Unassigned)
Details
(Keywords: crash, testcase)
Crash Data
Attachments (1 file)
176 bytes, text/html
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

<snip>
From: "Berend-Jan Wever" <skylined@edup.tudelft.nl>
To: <full-disclosure@lists.netsys.com>, <vuln-dev@securityfocus.com>, <bugtraq@securityfocus.com>
Subject: FIREFOX flaws: nested array sort() loop Stack overflow exception
X-Mailer: Microsoft Outlook Express 6.00.2800.1437

Hi all,

Same flaw works for Firefox as well as MSIE:

<HTML>
<SCRIPT>
a = new Array();
while (1) { (a = new Array(a)).sort(); }
</SCRIPT>
<SCRIPT>
a = new Array();
while (1) { (a = new Array(a)).sort(); }
</SCRIPT>
</HTML>

Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_firefox_flaws.html

I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course "how to write a bug report" and go through all that bugzilla ****.

Cheers,
SkyLined
http://www.edup.tudelft.nl/~bjwever
</snip>

Reproducible: Always

Steps to Reproduce:

Actual Results:
Browser crashes without talkback.

Expected Results:
Notify of stack end reached and stop execution of script.
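The "Expected Results" line above states the robustness property an engine should have: unbounded recursion must surface as a catchable error that stops the script, not as a process crash. The following JavaScript is an added example, not part of the bug report or of Mozilla's code. It builds the same ever-deeper nesting shape as the testcase (a constructed input), contrasts a naive recursive walker with one that enforces an explicit depth budget, and probes that a modern engine (Node/V8, as assumed here; SpiderMonkey behaves the same way) reports native stack exhaustion as a RangeError rather than crashing. The function names are this example's own.

```javascript
// Added example, not from the bug report: demonstrates stack-exhaustion
// handling around deeply nested arrays. Assumes a V8- or SpiderMonkey-style
// engine that throws RangeError when the native stack is exhausted.

// Build an array nested `depth` levels deep (the shape produced by the
// testcase's `a = new Array(a)` loop; constructed input for this example).
function nest(depth) {
  let a = [];
  for (let i = 0; i < depth; i++) a = [a];
  return a;
}

// Naive recursive stringifier: recursion depth tracks input nesting depth,
// so attacker-controlled nesting decides how much native stack it consumes.
// This is the pattern that took the 2004 engine down.
function stringifyNaive(v) {
  if (!Array.isArray(v)) return String(v);
  return '[' + v.map(stringifyNaive).join(',') + ']';
}

// Hardened form: an explicit depth budget fails closed with a deterministic
// RangeError long before the native stack is near its limit, independent of
// how big that limit happens to be on a given platform.
function stringifyBounded(v, maxDepth = 256, depth = 0) {
  if (!Array.isArray(v)) return String(v);
  if (depth >= maxDepth) {
    throw new RangeError('nesting depth exceeds ' + maxDepth);
  }
  return '[' + v.map(x => stringifyBounded(x, maxDepth, depth + 1)).join(',') + ']';
}

// Probe: recurse until the engine refuses. A well-behaved engine throws a
// catchable RangeError ("Maximum call stack size exceeded" in V8, "too much
// recursion" in SpiderMonkey) and the script keeps running; return the depth
// reached so the caller can see that execution resumed.
function probeRecursionLimit() {
  let depth = 0;
  function down() { depth++; down(); }
  try {
    down();
  } catch (e) {
    if (!(e instanceof RangeError)) throw e; // anything else is unexpected
  }
  return depth;
}

// Run a stringifier on `v` and classify the outcome instead of letting the
// error propagate; `error` carries the constructor name (e.g. 'RangeError').
function tryStringify(fn, v) {
  try {
    return { ok: true, out: fn(v) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Stand-alone demo.
console.log('shallow, naive   :', stringifyNaive(nest(3)));       // [[[[]]]]
console.log('shallow, bounded :', stringifyBounded(nest(3)));     // [[[[]]]]
console.log('deep, naive      :', tryStringify(stringifyNaive, nest(500000)));
console.log('deep, bounded    :', tryStringify(v => stringifyBounded(v, 256), nest(500000)));
console.log('engine recursion limit reached at depth', probeRecursionLimit());
```

The naive walker still terminates safely here only because the engine converts stack exhaustion into a RangeError; the bounded walker does not depend on that, which is the property you want in library code that parses or serializes untrusted nested structures.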
Comment 1•20 years ago
Comment 2•20 years ago
Dupe of bug 271734, furthermore dupe of bug 203278. Marking such.

TB2187285Y (FF 1.0 CZ/W2K):
0xff336446
js_GetSlotThreadSafe [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/js/src/jslock.c, line 554]
JS_GetPrivate [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/js/src/jsapi.c, line 1999]
nsScriptSecurityManager::GetFramePrincipal [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1833]
nsScriptSecurityManager::GetPrincipalAndFrame [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1857]
nsScriptSecurityManager::GetSubjectPrincipal [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1897]
nsScriptSecurityManager::GetSubjectPrincipal [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1583]
nsContentUtils::IsCallerChrome [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/content/base/src/nsContentUtils.cpp, line 921]
PresShell::HandleEventInternal [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6027]
PresShell::HandleEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5921]
nsViewManager::HandleEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/view/src/nsViewManager.cpp, line 2280]
nsViewManager::DispatchEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/view/src/nsViewManager.cpp, line 2066]
HandleEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/view/src/nsView.cpp, line 77]
nsWindow::DispatchEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1067]
nsWindow::DispatchFocus [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5451]
nsWindow::ProcessMessage [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4195]
nsWindow::WindowProc [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1349]
USER32.dll + 0x1ef0 (0x77e11ef0)
USER32.dll + 0x3869 (0x77e13869)
USER32.dll + 0x38ab (0x77e138ab)
ntdll.dll + 0x1ff57 (0x77f9ff57)
GlobalWindowImpl::Focus [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp, line 2649]
nsWebShellWindow::HandleEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 610]
nsWindow::DispatchEvent [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1067]
nsWindow::DispatchFocus [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5451]
nsWindow::ProcessMessage [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4195]
nsWindow::WindowProc [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1349]
USER32.dll + 0x1ef0 (0x77e11ef0)
USER32.dll + 0x3869 (0x77e13869)
USER32.dll + 0x38ab (0x77e138ab)
ntdll.dll + 0x1ff57 (0x77f9ff57)
USER32.dll + 0x343f (0x77e1343f)
USER32.dll + 0x1ef0 (0x77e11ef0)
USER32.dll + 0x3d1e (0x77e13d1e)
USER32.dll + 0x6e9b (0x77e16e9b)
nsWindow::WindowProc [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1356]
USER32.dll + 0x1ef0 (0x77e11ef0)
USER32.dll + 0x3869 (0x77e13869)
USER32.dll + 0x38ab (0x77e138ab)
ntdll.dll + 0x1ff57 (0x77f9ff57)
USER32.dll + 0x18ec (0x77e118ec)
nsAppShell::Run [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 128]
nsAppShellService::Run [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495]
main [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 58]
KERNEL32.DLL + 0x2893d (0x796f893d)

*** This bug has been marked as a duplicate of 203278 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Web Site → JavaScript Engine
OS: Linux → All
Product: Firefox → Core
Resolution: --- → DUPLICATE
Summary: javascript stack overflow in sort() loop (Berend-Jan Wever DoS) → javascript stack overflow in sort() loop (Berend-Jan Wever DoS) [@ 0xff336446 - js_GetSlotThreadSafe ]
Version: unspecified → Trunk
Comment 3•20 years ago
Suite is crashing (TB2187648X) with nsScriptSecurityManager::GetScriptPrincipal signature.
Updated•20 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Updated•20 years ago
Assignee: bugs → general
Comment 4•20 years ago
Let's dup shallow-stack crashes against bug 271716. Bug 203278 is about a stack overflow under the mark phase of the GC, which is distinct from this bug's stack and those associated with 271716.

/be

*** This bug has been marked as a duplicate of 271716 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Crash Signature: [@ 0xff336446 - js_GetSlotThreadSafe ]
Comment 5•12 years ago
A testcase for this bug was already added in the original bug (bug 271716).
Flags: in-testsuite-