Investigate MSVRCAN-08-004: crash [@ nsCSSScanner::Next]

RESOLVED DUPLICATE of bug 432561

People

(Reporter: bsterne, Unassigned)

Tracking

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] recursion crash, URL)

Attachments

(2 attachments)

(Reporter)

Description

10 years ago
Created attachment 351435 [details]
Private advisory sent to Mozilla

Billy Rios from Microsoft Vulnerability Research reported this issue to the security@m.o. alias.  I will attach the PoC testcase momentarily, which crashes both Firefox 3.0.4 and Trunk on Windows.  The testcase did not produce a crash on Mac or Linux.

From the report:

    The proof of concept causes a reproducible crash in Firefox 3.
    It appears that this crash occurs in MOZCRT19!memcpy, which
    eventually causes a write AV in xul!NS_CycleCollectorForget.

    The root cause of this issue seems to be a large number of
    "(" characters following the "Style" attribute (the "{"
    character will work as well).  The rest of the stuff in the
    file is just an attempt for me to find out exactly what I
    control.
(Reporter)

Comment 1

10 years ago
Created attachment 351439 [details]
testcase crashes trunk and Firefox 3.0.4

I had to attach this compressed because the decompressed file is too large for Bugzilla (513K).
(Reporter)

Updated

10 years ago
Whiteboard: [sg:critical?]
On trunk I'm just seeing a stack overflow in CSSParserImpl::SkipUntil recursively calling itself.  Are you seeing crashes that aren't stack overflows?
That's what I'm seeing, too.
Whiteboard: [sg:critical?] → [sg:dos] recursion crash
Why wouldn't it have the same problem on Mac and Linux? Maybe Windows uses a smaller stack, and this particular testcase isn't nested enough to crash Mac/Linux?
Related to bug 432561?
Yes.

(The only reason I'd expect a platform difference is platform differences in stack size and the size of the stack frame for the function in question.)


If anyone has any evidence of a bug other than stack overflow, feel free to reopen, but...
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 432561
Group: core-security
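The mechanism the thread settles on (a recursive skip-until routine consuming one stack frame per unmatched "(" or "{", so a long enough run of openers exhausts the stack, with the threshold depending on platform stack size) as an added example in Python; this is not Mozilla's code, and the bracket set, the ";" terminator and the `skip_until_*` contract are assumptions made for illustration.

```python
"""Constructed illustration (not Mozilla code): a recursive "skip until the
matching close" routine, shaped like the recursive SkipUntil discussed in the
bug, next to an iterative version whose call depth does not grow with input."""

# Assumed opener/closer pairs; CSS uses the same three bracket kinds.
OPEN_TO_CLOSE = {"(": ")", "[": "]", "{": "}"}


def skip_until_recursive(text: str, pos: int, stop: str) -> int:
    """Consume text from pos until `stop`, recursing once per nested opener.
    Returns the index just past `stop` (or len(text) if it is never found).
    One stack frame per nesting level: deep input raises RecursionError."""
    while pos < len(text):
        ch = text[pos]
        pos += 1
        if ch == stop:
            return pos
        if ch in OPEN_TO_CLOSE:
            pos = skip_until_recursive(text, pos, OPEN_TO_CLOSE[ch])
    return pos


def skip_until_iterative(text: str, pos: int, stop: str) -> int:
    """Same contract, but the expected closers live in an explicit list,
    so nesting depth costs heap memory instead of call-stack frames."""
    expected = [stop]
    while pos < len(text) and expected:
        ch = text[pos]
        pos += 1
        if ch == expected[-1]:
            expected.pop()
        elif ch in OPEN_TO_CLOSE:
            expected.append(OPEN_TO_CLOSE[ch])
    return pos


def parse_declaration_block(text: str, skipper) -> str:
    """Skip a value up to the assumed ';' terminator with `skipper` and report
    the outcome; the recursion failure is caught so the caller survives it."""
    try:
        return f"ok:{skipper(text, 0, ';')}"
    except RecursionError:
        return "stack-exhausted"


# Constructed input in the spirit of the testcase: a long run of "(" openers.
DEEP_INPUT = "(" * 20000 + "x;"

if __name__ == "__main__":
    print(parse_declaration_block(DEEP_INPUT, skip_until_recursive))  # stack-exhausted
    print(parse_declaration_block(DEEP_INPUT, skip_until_iterative))  # ok:20002
```

The recursive variant fails at whatever depth the interpreter's recursion limit allows, which is the same depth-versus-stack-size dependence the thread uses to explain why the testcase crashed Windows but not Mac or Linux.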