Closed
Bug 537620
Opened 15 years ago
Closed 3 years ago
crash with OOM, document.write, <marquee>
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: flouf, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos])
Attachments
(1 file)
209 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729) I've searched possibility to remote Crash with the last version of Mozilla Firefox and I found it. When I do it with a debugger I saw EBX and other pile are corrupt with a lot of ("A"=> example). So it's a Remote Crash with (I think) Memory Corruption. The script is a loop for (150 times) in javascript with document.write. It works on Seamonkey too. Reproducible: Always Steps to Reproduce: 1. Code a while (150 times) in javascript 2. With buffer+=buffer (="A") and document.write(buffer+buffer); 3. Open it remotely. Actual Results: A remotely Crash with EBX pile corrupt. Possibilty Memory Corruption ?
Comment 1•15 years ago
|
||
Would you mind attaching a full testcase as an attachment?
Reporter | ||
Comment 2•15 years ago
|
||
Comment 3•15 years ago
|
||
Possible stack from a non-debug nightly build: #0 0x018f9616 in gfxFont::Measure(gfxTextRun*, unsigned int, unsigned int, gfxFont::BoundingBoxType, gfxContext*, gfxFont::Spacing*) () from ./libxul.so #1 0x018f99f6 in gfxTextRun::AccumulateMetricsForRun(gfxFont*, unsigned int, unsigned int, gfxFont::BoundingBoxType, gfxContext*, gfxTextRun::PropertyProvider*, unsigned int, unsigned int, gfxFont::RunMetrics*) () from ./libxul.so #2 0x018f9cf5 in gfxTextRun::MeasureText(unsigned int, unsigned int, gfxFont::BoundingBoxType, gfxContext*, gfxTextRun::PropertyProvider*) () from ./libxul.so #3 0x018fa2b3 in gfxTextRun::BreakAndMeasureText(unsigned int, unsigned int, int, double, gfxTextRun::PropertyProvider*, int, double*, gfxFont::RunMetrics*, gfxFont::BoundingBoxType, gfxContext*, int*, unsigned int*, int, gfxBreakPriority*) () from ./libxul.so
Reporter | ||
Comment 4•15 years ago
|
||
So arbitrary code could be executed with this remote crash ? If it could, i'll try to code a Proof of Concept and write it here, if you code it before post it here too. /599eme Man.
Updated•14 years ago
|
Summary: Remote Crash with possibility of Memory Corruption (document.write loop with html) → Possible memory corruption with OOM, document.write, <marquee>
Comment 5•14 years ago
|
||
This testcase is guaranteed to make Firefox run out of memory (OOM), slowly, so it will probably crash in a different way on each computer depending on which malloc/new call fails first :( Can you attach some information that you got from the debugger in the case that looked like memory corruption? A stack trace would be good. If you can figure out how we got from OOM to memory corruption, that would be superawesome. To be honest, we could test OOM situations better than we do. For example, we could artificially make malloc fail once in a hundred million times, combined with running our automated regression tests or fuzzing. But we know that so much of our OOM-handling code is wrong that we'd rather fix it all at once (bug 427099).
Comment 6•14 years ago
|
||
cf bug 441675 from security researcher "SkyLined".
Updated•14 years ago
|
Whiteboard: [sg:needinfo]
Comment 7•14 years ago
|
||
This has been publicly reported at http://www.securityfocus.com/bid/38132.
Updated•14 years ago
|
Group: core-security
Reporter | ||
Comment 9•14 years ago
|
||
Reed Loden, i've post it on some security board, and a stupid people steal it on a forum (I know which because i've put a space before the "DoS"...)
Comment 10•14 years ago
|
||
Mentioned on sla.ckers.org forum: http://sla.ckers.org/forum/read.php?13,33597,33597
Updated•14 years ago
|
Comment 13•14 years ago
|
||
599eme Man's exploit is similar with below CVE-2006-2723 CVE-2006-2723: Unspecified versions of Mozilla Firefox allow remote attackers to cause a denial of service (crash) via a web page that contains a large number of nested marquee tags. NOTE: a followup post indicated that the initial report could not be verified. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2723 hmm.. cause securityfocus assigned this problem on bid list. and cve-id doesn't assigned on it?!
Comment 18•3 years ago
|
||
Is this issue still reproducible or can it be closed?
Comment 19•3 years ago
|
||
Marking this as Resolved > Incomplete due to the lack of info.
If anyone is able to reproduce this issue re-open it or file a new bug.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•