Closed Bug 608554 Opened 10 years ago Closed 9 years ago

Firefox crashes when executing the given javascript

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gauravgulati81, Unassigned)

References

Details

(Keywords: crash, csectype-oom, testcase, Whiteboard: [sg:dos oom])

Attachments

(1 file, 1 obsolete file)

script used for testing
337 bytes, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

Firefox crashes when executing the given javascript. Please find the test file attached.

Reproducible: Always

Steps to Reproduce:
1. Launch an html page having the following javascript:

<script type="text/javascript">
var num=99999999;
var str = unescape("%u9999%u9999");
        var i = Math.ceil(Math.log(num) / Math.LN2),
            res = str;
        do {
            res += res;
        } while (0 < --i);
		
        document.write(res.slice(0, 999999999999));


</script> 
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox should not crash.
Attached file Please ignore this script (obsolete) —
Attachment #487196 - Attachment description: script used for testing → Please ignore this script
Please use the following javascript for reproducing the bug:

<html><body>

<script type="text/javascript">
var num=49000000;
var str = unescape("%u9999%u9999");
        var i = Math.ceil(Math.log(num) / Math.LN2),
            res = str;
        do {
            res += res;
        } while (0 < --i);
		
        document.write(res.slice(0, 999999999999));


</script> 
</body></html>
With Firefox 1.9.2 DEBUG on Linux x86-64

*__GI_raise (sig=<value optimized out>) at sysdeps/unix/sysv/linux/raise.c:64
*__GI_abort ()                    at abort.c:92
g_logv ()                         from /lib/libglib-2.0.so.0
g_log ()                          from /lib/libglib-2.0.so.0
g_realloc ()                      from /lib/libglib-2.0.so.0
pango_glyph_string_set_size ()    from /usr/lib/libpango-1.0.so.0
?? ()                   from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
pango_shape ()                    from /usr/lib/libpango-1.0.so.0
gfxPangoFontGroup::CreateGlyphRunsItemizing gfxPangoFonts.cpp:3088
gfxPangoFontGroup::MakeTextRun    gfx/thebes/src/gfxPangoFonts.cpp:2416
TextRunWordCache::MakeTextRun     gfx/thebes/src/gfxTextRunWordCache.cpp:685
MakeTextRun                       layout/generic/nsTextFrameThebes.cpp:436
BuildTextRunsScanner::BuildTextRunForFrames nsTextFrameThebes.cpp:1783
BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrameThebes.cpp:1214
BuildTextRuns                     layout/generic/nsTextFrameThebes.cpp:1148
nsTextFrame::EnsureTextRun        layout/generic/nsTextFrameThebes.cpp:1972
nsTextFrame::Reflow               layout/generic/nsTextFrameThebes.cpp:6126

g_realloc aborts on OOM - this is the expected behavior.
On Windows, this is likely a dupe of bug 608336.
With Firefox 1.9.2 DEBUG on OSX 10.5 I got the occasional OOM abort from
|operator new|, other than that it just hanged consuming CPU cycles --
no nasty looking crashes (YMMV).
Please execute the 2nd attachment to generate the crash.... the 1st attachment was made by mistake.
Attachment #487196 - Attachment is obsolete: true
Yes, my tests above was with attachment 487197 [details].
Testing 1.9.2 debug build on Windows XP with the patch for bug 608336 -
I get only safe OOM abort from |operator new|.
Keywords: testcase
Whiteboard: [sg:dos oom]
Status: UNCONFIRMED → NEW
Depends on: CVE-2010-3769
Ever confirmed: true
Fixed by bug 608336.

Gaurav, please verify with the latest 3.6.13 candidate build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.13-candidates/

Note that we will still crash, that is expected, but the crash should be
a deliberate call to abort() or similar when we run out of memory.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Re-tested in version 15.0.1.
The defect is reproducible. The browser crashes as soon as the script is executed.
Re-test performed on Win XP SP3.
<in mail to sec@>
Hi,

This bug is reproducible in Firefox version 15.0.1. But, I am unable to re-open the defect in bugzilla.



Thanks,
Gaurav Gulati.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Per comment 10:
Note that we will still crash, that is expected, but the crash should be
a deliberate call to abort() or similar when we run out of memory.

There are other bug reports tracking the work needed to implement
memory quotas per tab and such features to prevent individual pages
from consuming too much memory.

Again, a *safe crash* is expected.  Please don't reopen unless you
see something different - or in that case, better file a new bug.
Status: REOPENED → RESOLVED
Closed: 10 years ago9 years ago
Resolution: --- → FIXED
Group: core-security
Keywords: crash, csec-oom
You need to log in before you can comment on or make changes to this bug.