while(true) {window.open(...);} crashes Firefox

Status: NEW
Assignee: Unassigned
Product / Component: Firefox, Security
Version: 6 Branch
Severity: critical
Reported 6 years ago, last updated 3 months ago
Reporter: Kai Sellgren
Tracking: Depends on: 1 bug, Blocks: 1 bug, 4 keywords
Keywords: crash, csectype-dos, csectype-oom, testcase
Firefox Tracking Flags: Not tracked
Whiteboard: [sg:dos]

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1

Steps to reproduce:

I ran this script:

while (true) {window.open('http://google.fi');}


Actual results:

Firefox crashed.


Expected results:

Firefox should pop up "Do you want to terminate the script?" and actually terminate it.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
Whiteboard: [sg:dos]
(Reporter)

Comment 1

6 years ago
I noticed an interesting thing. Firefox has this ad-block support. The right side handle allows you to enable specific pop-ups that were about to open. This list keeps getting bigger and bigger with each window.open() call so maybe the issue lies with that (the drop down getting enormous)?
Severity: normal → critical
Duplicate of this bug: 769760
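
The concern raised in Comment 1 (a blocked pop-up list that grows with every window.open() call) can be illustrated with a bounded record. This is an added example, not Firefox code and not from the bug's participants; the class name, the cap of 100 entries and the 2048-character URL truncation are assumptions made for illustration.

```javascript
// Hypothetical model of a pop-up blocker's "blocked pop-ups" record.
// Not Firefox code: class name, cap and field names are assumptions.
class BlockedPopupLog {
  constructor(maxEntries = 100) {
    this.maxEntries = maxEntries; // hard cap on entries kept for the UI menu
    this.entries = new Map();     // url -> number of blocked attempts
    this.dropped = 0;             // attempts not listed because the cap was hit
    this.total = 0;               // every blocked attempt, listed or not
  }

  // Called once per blocked window.open(); memory stays O(maxEntries).
  record(url) {
    this.total++;
    const key = String(url).slice(0, 2048); // truncate very long URL strings
    if (this.entries.has(key)) {
      this.entries.set(key, this.entries.get(key) + 1); // dedupe repeats
    } else if (this.entries.size < this.maxEntries) {
      this.entries.set(key, 1);
    } else {
      this.dropped++; // count it, but do not grow the list
    }
  }

  // What a menu would render: a bounded list plus one summary row.
  menuItems() {
    const items = [...this.entries].map(([url, n]) => ({ url, attempts: n }));
    if (this.dropped > 0) items.push({ url: null, attempts: this.dropped });
    return items;
  }
}

// Constructed input: one URL requested in a tight loop, then many distinct URLs.
function simulate() {
  const log = new BlockedPopupLog(100);
  for (let i = 0; i < 100000; i++) log.record('http://google.fi');
  for (let i = 0; i < 5000; i++) log.record('http://example.test/' + i);
  return log;
}
```

However many calls arrive, the menu never holds more than the cap plus one summary row, while the total count remains available for diagnostics.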

Updated

2 years ago
Duplicate of this bug: 1193292

Updated

2 years ago
Duplicate of this bug: 1169918

Updated

2 years ago
Blocks: 432687

Comment 5

2 years ago
The Platform field says "Windows 7", but the problem occurs under Linux too. Actually, with Fvwm + manual window placement, this is worse, as this completely blocks the whole desktop UI.

Updated

2 years ago
Keywords: csectype-dos, csectype-oom
OS: Windows 7 → All
Hardware: x86_64 → All

Updated

2 years ago
Duplicate of this bug: 1203439

Updated

2 years ago
Duplicate of this bug: 1209016

Updated

2 years ago
Duplicate of this bug: 1214500

Comment 9

2 years ago
An update I got yesterday has rendered another instance of this bug useless. What would happen is, if the window.open(string) is small, it will just hang and you have to close it with taskman, but if you increase the length of the string to, let's say, 10000, now open it and Firefox will hang, then close with oom crash long. And if you check it out in a debugger, an address of unk_xxxxxx gets overwritten with a section of the string you place in the ver. As of the update yesterday this no longer happens, but the crash is happening in xul.dll: unable to write 0x0 to invalid address 0x0000000

Updated

a year ago
Duplicate of this bug: 1242286
Depends on: 1269917

Updated

3 months ago
Duplicate of this bug: 1338966

Updated

3 months ago
Duplicate of this bug: 1339352