Closed
Bug 441670
Opened 16 years ago
Closed 16 years ago
Lots of document.write()s with large strings triggers Access Violation
Categories
(Core :: General, defect)
Core
General
Tracking
()
RESOLVED
DUPLICATE
of bug 430574
People
(Reporter: u315569, Assigned: mozilla+ben)
References
()
Details
(Whiteboard: [sg:dupe 430574])
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 This appears to be some race condition, as the script can run for varying amounts of time before it crashes FireFox. It often seems to crash with a NULL pointer in an AddRef call, which leads me to believe it is reuse of freed memory or use of uninitialised memory in some COM object. I have seen crashes at random addresses, so I think it may be exploitable. The code: <SCRIPT language="JavaScript"> var sChunk = "A"; while (sChunk.length < 0x10000) { sChunk += sChunk; } var sString = sChunk; for (var i = 0; i < 3000; i++) { sString += sChunk; document.title = i+"|" + sString.length.toString(16); document.write(sString); } </SCRIPT> Reproducible: Sometimes Steps to Reproduce: Load this URL: * http://skypher.com/SkyLined/Repro/FireFox/AccessViolation%209e7d9165.html Actual Results: FireFox crashes after a while, the time required to crash it varies. For me it normally requires 10-20 seconds. Expected Results: FireFox crashes I reported this problem on May 20, 2008 to secure@mozilla.org in an email with the title "Exploitable memory corruption when writing a lot of data to a page from JavaScript" but have not received a reply, which is why I'm filing this bug.
Updated•16 years ago
|
Product: Firefox → Core
QA Contact: general → general
Comment 1•16 years ago
|
||
I tested both the URL you provided as well as the sample code from a local web server on both Trunk and Firefox 2.0.0.14. In every case, my browser hung, but I never crashed. I left the test cases running for 4-5 minutes before Force Quitting. Is anyone else able to reproduce the crash?
Comment 2•16 years ago
|
||
I got it to crash (3.0.1 / OS X 10.5) eventually, it just took a while. Exploit appears to require a fair amount of memory.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical]
Comment 3•16 years ago
|
||
Lucas, can you attach a crash log or link to a breakpad report?
Comment 4•16 years ago
|
||
Here you go: bp-ec2504ba-8e60-11dd-8d11-001cc45a2ce4 and bp-4e81c866-8c1b-11dd-9f60-001cc45a2ce4
Comment 5•16 years ago
|
||
crash in nsScannerString::AppendBuffer, a duplicate of bug 401814? (null deref after OOM). Anyone get crashes with other stacks?
Whiteboard: [sg:critical] → [sg:investigate]
Comment 6•16 years ago
|
||
This doesn't seem to be Windows specific as both crash reports linked above are from Mac's. Reassigning to bnewman. Looks like this could indeed be a dupe of bug 401814, in which case this is likely not a high severity security bug.
Assignee: nobody → bnewman
OS: Windows Vista → All
Hardware: PC → All
Comment 7•16 years ago
|
||
So... I can't get trunk to crash (will try 1.8 and 1.9 later, I guess), but I do get a whole bunch of failed mmaps on trunk.
Assignee | ||
Comment 8•16 years ago
|
||
(In reply to comment #7) > So... I can't get trunk to crash (will try 1.8 and 1.9 later, I guess), but I > do get a whole bunch of failed mmaps on trunk. That's what I'm seeing in trunk, too. CVS HEAD crashes after a minute or two on my mac, in nsScannerString::AppendBuffer. Does look very much like bug 401814 (which still needs fixing).
Comment 10•16 years ago
|
||
So I can confirm that the patch from bug 430574 applies cleanly on 1.9.0 and fixes this bug.
Comment 11•16 years ago
|
||
So this should be marked fixed then now, right?
Comment 12•16 years ago
|
||
Ah, yeah.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
|
Group: core-security
Whiteboard: [sg:investigate] → [sg:dupe 430574]
You need to log in
before you can comment on or make changes to this bug.
Description
•