Closed Bug 608554 Opened 15 years ago Closed 13 years ago

Firefox crashes when executing the given javascript

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: gauravgulati81, Unassigned)

References

Details

(Keywords: crash, csectype-oom, testcase, Whiteboard: [sg:dos oom])

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Firefox crashes when executing the given javascript. Please find the test file attached. Reproducible: Always Steps to Reproduce: 1. Launch an html page having the following javascript: <script type="text/javascript"> var num=99999999; var str = unescape("%u9999%u9999"); var i = Math.ceil(Math.log(num) / Math.LN2), res = str; do { res += res; } while (0 < --i); document.write(res.slice(0, 999999999999)); </script> Actual Results: Firefox crashes. Expected Results: Firefox should not crash.
Attached file Please ignore this script (obsolete) —
Attachment #487196 - Attachment description: script used for testing → Please ignore this script
Please use the following javascript for reproducing the bug: <html><body> <script type="text/javascript"> var num=49000000; var str = unescape("%u9999%u9999"); var i = Math.ceil(Math.log(num) / Math.LN2), res = str; do { res += res; } while (0 < --i); document.write(res.slice(0, 999999999999)); </script> </body></html>
With Firefox 1.9.2 DEBUG on Linux x86-64 *__GI_raise (sig=<value optimized out>) at sysdeps/unix/sysv/linux/raise.c:64 *__GI_abort () at abort.c:92 g_logv () from /lib/libglib-2.0.so.0 g_log () from /lib/libglib-2.0.so.0 g_realloc () from /lib/libglib-2.0.so.0 pango_glyph_string_set_size () from /usr/lib/libpango-1.0.so.0 ?? () from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so pango_shape () from /usr/lib/libpango-1.0.so.0 gfxPangoFontGroup::CreateGlyphRunsItemizing gfxPangoFonts.cpp:3088 gfxPangoFontGroup::MakeTextRun gfx/thebes/src/gfxPangoFonts.cpp:2416 TextRunWordCache::MakeTextRun gfx/thebes/src/gfxTextRunWordCache.cpp:685 MakeTextRun layout/generic/nsTextFrameThebes.cpp:436 BuildTextRunsScanner::BuildTextRunForFrames nsTextFrameThebes.cpp:1783 BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrameThebes.cpp:1214 BuildTextRuns layout/generic/nsTextFrameThebes.cpp:1148 nsTextFrame::EnsureTextRun layout/generic/nsTextFrameThebes.cpp:1972 nsTextFrame::Reflow layout/generic/nsTextFrameThebes.cpp:6126 g_realloc aborts on OOM - this is the expected behavior.
On Windows, this is likely a dupe of bug 608336.
With Firefox 1.9.2 DEBUG on OSX 10.5 I got the occasional OOM abort from |operator new|, other than that it just hanged consuming CPU cycles -- no nasty looking crashes (YMMV).
Please execute the 2nd attachment to generate the crash.... the 1st attachment was made by mistake.
Attachment #487196 - Attachment is obsolete: true
Yes, my tests above was with attachment 487197 [details].
Testing 1.9.2 debug build on Windows XP with the patch for bug 608336 - I get only safe OOM abort from |operator new|.
Keywords: testcase
Whiteboard: [sg:dos oom]
Status: UNCONFIRMED → NEW
Depends on: CVE-2010-3769
Ever confirmed: true
Fixed by bug 608336. Gaurav, please verify with the latest 3.6.13 candidate build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.13-candidates/ Note that we will still crash, that is expected, but the crash should be a deliberate call to abort() or similar when we run out of memory.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Re-tested in version 15.0.1. The defect is reproducible. The browser crashes as soon as the script is executed.
Re-test performed on Win XP SP3.
<in mail to sec@> Hi, This bug is reproducible in Firefox version 15.0.1. But, I am unable to re-open the defect in bugzilla. Thanks, Gaurav Gulati.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Per comment 10: Note that we will still crash, that is expected, but the crash should be a deliberate call to abort() or similar when we run out of memory. There are other bug reports tracking the work needed to implement memory quotas per tab and such features to prevent individual pages from consuming too much memory. Again, a *safe crash* is expected. Please don't reopen unless you see something different - or in that case, better file a new bug.
Status: REOPENED → RESOLVED
Closed: 15 years ago13 years ago
Resolution: --- → FIXED
Group: core-security
Keywords: crash, csec-oom
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: