Bug 396572 - Firefox 2.0.0.6/7 crash opening a malformed .html (out of memory)
Status: RESOLVED DUPLICATE of bug 379390
Whiteboard: wfm on trunk
Keywords: crash, testcase
Product: Toolkit
Classification: Components
Component: Safe Browsing
Version: 2.0 Branch
Platform: x86 Windows XP
Importance: -- critical
Assigned To: Tony Chang (Google)
URL: http://lucianoaibar.no-ip.org/firefox...
Reported: 2007-09-18 10:09 PDT by Luciano Aibar
Modified: 2014-05-27 12:25 PDT
dveditz: wanted1.8.1.x+

Attachments
Malformed .html file that makes Firefox crash (132.55 KB, text/html)
2007-09-18 10:10 PDT, Luciano Aibar

Description Luciano Aibar 2007-09-18 10:09:05 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Mozilla Firefox 2.0.0.6 on Windows XP SP2
Crash when opening:
http://lucianoaibar.no-ip.org/firefox.htm

Reproducible: Always

Steps to Reproduce:
1. Load Mozilla Firefox 2.0.0.6
2. Type this URL: http://lucianoaibar.no-ip.org/firefox.htm
3. Program crashes


Expected Results:  
Program freeze

I created this .htm file with some 0x01 bytes inside:
"<a href='http://" + 0x01 + "www.example.com" + 65535 bytes of text + "'>link</a>"
Comment 1 Luciano Aibar 2007-09-18 10:10:19 PDT
Created attachment 281331
Malformed .html file that makes Firefox crash
Comment 2 Marco Perez 2007-09-18 12:10:11 PDT
WFM on recent Firefox/SeaMonkey trunk builds under
FreeBSD-current. The browsers correctly state:
"Server/Address not found"

Luciano, could you please try to reproduce the bug using
the latest Firefox trunk build from:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/
Comment 3 Luciano Aibar 2007-09-18 13:14:00 PDT
Now tested with:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-3.0a8pre.en-US.win32.installer.exe

and problem solved ;-)
Comment 4 Jean-Michel Reghem 2007-09-19 00:28:43 PDT
Confirmed on Windows Vista Business with branch 1.8.x

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.7pre) Gecko/20070913 Firefox/2.0.0.4pre ID:2007091303

1) Going to http://lucianoaibar.no-ip.org/firefox.htm
2) click on the link
3) --> Firefox's memory increases by 7 MB per second until Firefox crashes ... with 50% CPU

If we wait a bit before killing the process, Firefox shows the window "Warning, unresponsive script" ... but either continue, stop or debug script has an action ...
Comment 5 Jean-Michel Reghem 2007-09-19 00:31:20 PDT
As this seems fixed on trunk according to comment #3, maybe there is a dup somewhere fixing this on trunk ...
I'm looking.

PS: the crash is due to out of memory, there is no talkback
Comment 6 Daniel Veditz [:dveditz] 2007-09-27 11:56:59 PDT
This is due to the Phishing Protection code. If you turn off the "web forgery" detection option it doesn't happen, and when I break in the debugger it's stuck processing nsUrlClassifierTable.js ("line 1035" according to the script object, but that doesn't look right in the code).

It's simple resource exhaustion, which makes a nice denial-of-service but isn't an exploitable crash.
Comment 7 Tony Chang (Google) 2007-09-27 14:31:17 PDT
It sounds like this is a dup of bug 379390. That is, I don't think the 0x01 bytes matter, it's just a long URL and normalizing it in JS takes a very long time.
Comment 8 Daniel Veditz [:dveditz] 2007-09-27 16:16:51 PDT

*** This bug has been marked as a duplicate of bug 379390 ***