Closed Bug 566785 Opened 14 years ago Closed 14 years ago

Memory exhaustion (OOM) crashes with long JS strings

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: geinblues, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:dos])

Attachments

(2 files)

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
Build Identifier: Mozilla/5.0, rv:1.9.2.3, Gecko/20100401

Memory exhaustion in Firefox 3.6.3 (latest) <= makes Firefox unable to put text into the body element, and then it crashes.
(raises an exception using PoC #1, lower memory area read access violation using PoC #2)
Of course, a variation of the PoC made a NULL pointer deref, so it may also be code execution (0.1%). :-)

securityfocus post: http://www.securityfocus.com/archive/1/511329/30/0/threaded



Reproducible: Always

Actual Results:  
Crashes, code execution possibility

Expected Results:  
Crashes and code execution

This is similar enough to bug 537620, and not-scary enough, that I'm treating it as a dup.  My bug 537620 comment 5 still stands, although this testcase wasn't even claimed to produce anything other than a null deref.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Summary: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities → Memory exhaustion (OOM) crashes with long JS strings
Whiteboard: [sg:dos]
Of course, memory bug 537620 and others also use memory exhaustion (loop)... but not with the same result (crash location), because there are different ways to write PoC code. So I don't think as the Mozilla Firefox people do. Yeah. I just want to solve this bug (all cases), so I posted it. And I think "I'm first with this vulnerability for my PoC and the way." NULL deref is really scary... right.
Resolution: DUPLICATE → WORKSFORME