Closed Bug 606790 Opened 15 years ago Closed 14 years ago

Firefox crashed after document.write function execution

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: tomaszkalinowski123, Unassigned)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Example code
274 bytes, text/html
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 This code still crashed Firefox (sometimes DEP report error): var payload = ""; var i=0; for(i=0;i<100000000;i++) payload+="a"; document.write(payload); Reproducible: Always
Attached file Example code
Exmple
Version: unspecified → 3.6 Branch
Component: General → Security
Keywords: crash
Severity: normal → critical
Priority: -- → P1
I get a slow script warning with FF3.11 and Seamonkey trunk on win32 Why do you think that the crash is security related ? Please post a crash ID https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report
QA Contact: general → firefox
Firefox 3.6.12 repair this vulnerable. I discovered it one day before it: https://bugzilla.mozilla.org/show_bug.cgi?id=607222
This is nothing like bug 607222. The long string here is causing an Out of Memory (OOM) condition, which should fail safely. There may be cases where it doesn't if you're seeing a DEP violation (on WinXP, right?). IIRC we have a nearly identical bug based on a milw0rm or exploit-db testcase, this is a fairly obvious DoS attack and has been reported a lot.
Whiteboard: DUPEME
Component: Security → General
Priority: P1 → --
Product: Firefox → Core
QA Contact: firefox → general
Version: 3.6 Branch → unspecified
Reporter -> Are you still experiencing this issue with the latest version of Firefox 6? Does the issue occur with the latest nightly? http://nightly.mozilla.org/
Crash Signature: [@ libxul.so (deleted)@0x9a59fa ]
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
Whiteboard: DUPEME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: