Closed
Bug 400792
Opened 17 years ago
Closed 17 years ago
recursive document.write leads to crash
Categories
(Core :: General, defect)
Tracking
VERIFIED
FIXED
People
(Reporter: adlab, Unassigned)
References
Details
(Keywords: crash, verified1.8.1.12, Whiteboard: [sg:nse dos] fixed by bug 197052)
Attachments
(1 file)
129 bytes, text/html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; Maxthon; .NET CLR 1.1.4322)
Build Identifier: [AD_LAB-07007]Mozilla FireFox malicious script remote DoS

I.DESCRIPTION:
-------------
A vulnerability has been discovered in Mozilla FireFox, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a design error in FireFox when processing certain malicious script. FireFox could fall into a dead loop when processing innerHTML writing script, which leads to DoS.

Testing code:

<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>

III.CREDIT:
----------
Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys.

V.DISCLAIMS:
-----------
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.
VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service

Reproducible: Always

Steps to Reproduce:
<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>
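The failure mode in this report is re-entrancy: the element's innerHTML contains the script that writes it, so every document.write() runs the script again and the parser never reaches a fixed point. The guard that comment 2 shows tripping on trunk (NS_ENSURE_TRUE(!mTooDeepWriteRecursion), failing the write with NS_ERROR_UNEXPECTED) bounds that nesting. The following is an added toy model of that guard, written for this page; it is not Firefox code, not the patch from bug 197052, and not the reporter's testcase. ToyDocument, its script table, and MAX_WRITE_DEPTH are all assumptions made here; Firefox's real limit and mechanism are not reproduced.

```javascript
// Added example (not Firefox code): a minimal model of document.write()
// re-entrancy with a nesting guard in the spirit of the trunk check
// NS_ENSURE_TRUE(!mTooDeepWriteRecursion) reported in comment 2.
// MAX_WRITE_DEPTH is an assumed value, not the engine's real limit.
const MAX_WRITE_DEPTH = 20;

class TooDeepWriteRecursion extends Error {
  constructor(depth) {
    super(`document.write nested ${depth} levels deep; refusing to recurse further`);
    this.name = 'TooDeepWriteRecursion';
  }
}

// Toy "document": write() appends markup and executes any <script> it
// contains, which is the re-entrant path the testcase exercises. `scripts`
// maps a script body to the function that runs it (a stand-in for a JS engine).
class ToyDocument {
  constructor(scripts, maxDepth = MAX_WRITE_DEPTH) {
    this.scripts = scripts;
    this.maxDepth = maxDepth;
    this.writeDepth = 0;    // write() calls currently on the stack
    this.deepestWrite = 0;  // diagnostics: deepest nesting observed
    this.output = '';
  }

  write(markup) {
    if (this.writeDepth >= this.maxDepth) {
      // Mirror the trunk behaviour: fail this call instead of looping forever.
      throw new TooDeepWriteRecursion(this.writeDepth);
    }
    this.writeDepth++;
    this.deepestWrite = Math.max(this.deepestWrite, this.writeDepth);
    try {
      this.output += markup;
      // Execute every <script>...</script> block in the written markup.
      const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
      let m;
      while ((m = re.exec(markup)) !== null) {
        const fn = this.scripts[m[1].trim()];
        if (fn) fn(this);
      }
    } finally {
      // Decrement on every exit path so a throw does not leave the counter stuck.
      this.writeDepth--;
    }
  }
}

// The report's testcase, modelled: the written markup is the script that
// writes it, so each write() re-runs the script (constructed sample input).
const DOS_INNER_HTML =
  '<SCRIPT language=javascript> document.write(dos.innerHTML); </SCRIPT>';

function runRecursiveTestcase(maxDepth = MAX_WRITE_DEPTH) {
  const scripts = {
    'document.write(dos.innerHTML);': (doc) => doc.write(DOS_INNER_HTML),
  };
  const doc = new ToyDocument(scripts, maxDepth);
  try {
    doc.write(DOS_INNER_HTML);
    return { guarded: false, depth: doc.deepestWrite };
  } catch (e) {
    // Guarded: the write fails with a controlled error at the limit.
    if (e instanceof TooDeepWriteRecursion) return { guarded: true, depth: doc.deepestWrite };
    // Unguarded (maxDepth = Infinity): the stack overflows, the toy analogue
    // of the 1.8.1 "too much recursion" error in comment 2.
    if (e instanceof RangeError) return { guarded: false, depth: doc.deepestWrite };
    throw e;
  }
}

// A non-recursive write must be unaffected by the guard.
function runBenignWrite() {
  const doc = new ToyDocument({ 'hello()': (d) => { d.output += '<p>hi</p>'; } });
  doc.write('<b>x</b><script>hello()</script>');
  return { depth: doc.deepestWrite, output: doc.output };
}

console.log(runRecursiveTestcase());          // guarded run stops at MAX_WRITE_DEPTH
console.log(runRecursiveTestcase(Infinity));  // unguarded run overflows the stack
console.log(runBenignWrite());
```

Run with Node. The point of the model is the contrast between the two recursive runs: without a bound, the only thing that stops the loop is the JS stack itself (the 1.8.1 behaviour, which on the reporter's builds presented as a hang), whereas with a bound the offending write() call fails with an error the page can catch and the browser stays responsive, which is what comment 6 observes on the fixed nightlies. Keeping the depth counter in a finally block matters: if a nested write throws, the counter must still unwind, or the guard would reject every later write on the same document.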
Comment 1•17 years ago
Normally you would put in the summary a useful description in the bug, fwiw. This bug sounds like a duplicate of bug 185945 to me.
Comment 2•17 years ago
On Linux, 1.8.1 doesn't terminate but keeps throwing:

Break: at file /work/mozilla/builds/1.8.1/mozilla/content/events/src/nsEventListenerManager.cpp, line 1745
JavaScript error: http://local/bugzilla.mozilla.org/400792.html, line 25788: too much recursion

Trunk throws and terminates after several:

WARNING: NS_ENSURE_TRUE(!mTooDeepWriteRecursion) failed: file /work/mozilla/builds/1.9.0/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2401
JavaScript error: http://local/bugzilla.mozilla.org/400792.html, line 6: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIDOMNSHTMLDocument.write]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: http://local/bugzilla.mozilla.org/400792.html :: <TOP_LEVEL> :: line 6" data: no]

The testcase in bug 185945 also terminates on the trunk. Looks like bug 197052 fixed this.
Comment 3•17 years ago
So maybe the patch for bug 197052 should be considered for branch, if I understand correctly?
Updated•17 years ago
Component: Security → General
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → general
Summary: Mozilla/5.0(windows;U;Windows NT 5.2;zh-CN;1.8.1.4) Gecko/200070515 Firefox/2.0.0.4 → recursive document.write leads to crash
Updated•17 years ago
Depends on: 197052
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.10?
Whiteboard: [sg:nse dos] fixed by bug 197052 on trunk?
Version: unspecified → 1.8 Branch
Comment 4•17 years ago
Don't know why this is UNCO, seems pretty clear that it happens.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5•17 years ago
bug 197052 is now fixed on branch, so this one should be too.
Updated•17 years ago
Flags: in-testsuite?
Comment 6•17 years ago
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. On both systems, with 2.0.0.11, the browser locks up and becomes unresponsive but the nightly handles it fine.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•17 years ago
Flags: blocking1.8.1.12?
Whiteboard: [sg:nse dos] fixed by bug 197052 on trunk? → [sg:nse dos] fixed by bug 197052
Updated•16 years ago
Group: security