Memory exhaustion (OOM) crashes with long JS strings

RESOLVED WORKSFORME

Status

Product: Firefox
Component: General
Priority: --
Severity: critical
Status: RESOLVED WORKSFORME
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: geinblues, Unassigned)

Tracking

({crash})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], URL)

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
Build Identifier: Mozilla/5.0, rv:1.9.2.3, Gecko/20100401

Memory exhaustion of Firefox 3.6.3 (latest) <= makes Firefox unable to insert text into the body element, and then it crashed.
( raises an exception using PoC #1, lower memory area read access violation using PoC #2 )
Of course a variation of the PoC made a NULL pointer deref, so it may also allow code execution ( 0.1 % ). :-)

securityfocus post: http://www.securityfocus.com/archive/1/511329/30/0/threaded

Reproducible: Always

Actual Results:
Crashes, code execution possibility

Expected Results:
Crashes and code execution

Comment 1

8 years ago
Created attachment 446140 [details]
firefox_3.6.3_dos_poc_1.htm

Comment 2

8 years ago
Created attachment 446142 [details]
firefox_3.6.3_dos_poc_2.html

Comment 3

8 years ago
This is similar enough to bug 537620, and not-scary enough, that I'm treating it as a dup.  My bug 537620 comment 5 still stands, although this testcase wasn't even claimed to produce anything other than a null deref.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Summary: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities → Memory exhaustion (OOM) crashes with long JS strings
Whiteboard: [sg:dos]
Duplicate of bug: 537620
(Reporter)

Comment 4

8 years ago
Of course memory bug 537620 and others also use memory exhaustion (loop)... but not the same result ( crash location ) because of different ways to write PoC code. So I don't think like the Mozilla Firefox people. Yeah. I just want to solve this bug ( all cases ), so I posted it. And I think "I'm first to this vulnerability for my PoC and the way." NULL deref is really scary... right.
Resolution: DUPLICATE → WORKSFORME