400792 - recursive document.write leads to crash

Status: VERIFIED FIXED

(Core :: General, defect)

Description

[ADLab]

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; Maxthon; .NET CLR 1.1.4322)
Build Identifier: 

[AD_LAB-07007]Mozilla FireFox malicious script remote DoS

I.DESCRIPTION: 
-------------

A vulnerability has been discovered in Mozilla FireFox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a design error in FireFox when processing certain malicious script. FireFox could fall into a dead loop when processing innerHTML writing script, which leads to DoS.

Testing code:

<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
    document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>

III.CREDIT: 
----------
    Venustech AD-LAB discovery this vuln.Thank to all Venustech AD-Lab guys.

V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

Security
Trusted {Solution} Provider
Service







Reproducible: Always

Steps to Reproduce:
<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
    document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>

Comment 1

[Martijn Wargers (dead)]

Normally you would put in the summary a useful description in the bug, fwiw.
This bug sounds like a duplicate of bug 185945 to me.

Comment 2

[Bob Clary [:bc] (inactive)]

Attachment: testcase

On Linux, 1.8.1 doesn't terminate but keeps throwing:

Break: at file /work/mozilla/builds/1.8.1/mozilla/content/events/src/nsEventListenerManager.cpp, line 1745
JavaScript error: http://local/bugzilla.mozilla.org/400792.html, line 25788: too much recursion

Trunk throws a terminates after several:

WARNING: NS_ENSURE_TRUE(!mTooDeepWriteRecursion) failed: file /work/mozilla/builds/1.9.0/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2401
JavaScript error: http://local/bugzilla.mozilla.org/400792.html, line 6: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIDOMNSHTMLDocument.write]"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: http://local/bugzilla.mozilla.org/400792.html :: <TOP_LEVEL> :: line 6"  data: no]

The testcase in bug 185945 also terminates on the trunk.

Looks like bug 197052 fixed this.

Comment 3

[Martijn Wargers (dead)]

So maybe the patch for bug 197052 should be considered for branch, if I understand correctly?

Comment 4

[Daniel Veditz [:dveditz]]

Don't know why this is UNCO, seems pretty clear that it happens.

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

bug 197052 is now fixed on branch, so this one should be too.

Comment 6

[Al Billings [:abillings - ex-MoCo]]

Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. On both systems, with 2.0.0.11, the browser locks up and becomes unresponsive but the nightly handles it fine.