Created attachment 584208
crash report from automation

1. http://www.bilibili.tv/video/bangumi.html and many others on this site.
2. CPU pegs, consumes RAM until OOM crash but this bug is *not* about the OOM. To reproduce you need to exit the browser some time after the cpu pegs and the ram begins to increase but before the OOM abort. I've had best luck starting the browser under WinDBG.

Reproducible on Windows/Linux Aurora/11, Nightly/12.

Nightly on Windows XP with WinDBG and !exploitable says

eax=feeefeee ebx=7ffdf000 ecx=080c1b5c edx=feeefeee esi=00398490 edi=0094f558
eip=017785f0 esp=0012f1e8 ebp=0012f1f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
xul!mozilla::net::CallOnStop::Run+0x40:
017785f0 8b08            mov     ecx,dword ptr [eax]  ds:0023:feeefeee=????????
0:000> !load winext/msec.dll
0:000> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!mozilla::net::CallOnStop::Run+0x0000000000000040 (Hash=0x7618023a.0x3a133d0b)

The data from the faulting address is later used as the target for a branch.
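The register dump above is the kind of thing a crash-triage script should read automatically: eax and edx both hold feeefeee, and the faulting mov dereferences eax. 0xFEEEFEEE is the value the Windows debug heap writes over a block when it is freed (the debug heap is active when the process is started under a debugger, as it was here), so the crash is consistent with a read through a dangling pointer to freed memory. The following Python is an added example, not part of the bug report or of Mozilla's tooling; it parses a pasted WinDBG register block plus the !exploitable verdict and flags registers holding well-known debug-heap and MSVC debug-CRT fill values. The fill-value table reflects documented Windows/MSVC constants; SAMPLE_DUMP is taken from the report above.

```python
import re

# Fill values written by the Windows debug heap (active under a debugger) and
# by the MSVC debug CRT. A register holding one of these that is then
# dereferenced is a strong hint about the bug class behind the crash.
FILL_PATTERNS = {
    0xFEEEFEEE: ("use-after-free", "freed heap block (Windows debug heap, HeapFree)"),
    0xDDDDDDDD: ("use-after-free", "freed heap block (MSVC debug CRT)"),
    0xBAADF00D: ("uninitialised-memory", "fresh heap block (Windows debug heap, HeapAlloc)"),
    0xCDCDCDCD: ("uninitialised-memory", "fresh heap block (MSVC debug CRT)"),
    0xCCCCCCCC: ("uninitialised-memory", "stack memory (MSVC debug build)"),
    0xABABABAB: ("heap-overflow", "guard bytes after a heap block (Windows debug heap)"),
    0xFDFDFDFD: ("heap-overflow", "guard bytes around a heap block (MSVC debug CRT)"),
}

# 32-bit general-purpose registers as WinDBG prints them: name=8 hex digits.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
# The memory operand WinDBG appends to the faulting instruction; "????????"
# means the debugger itself could not read that address.
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\?+|[0-9a-f]{8})")
# Disassembly line: address, opcode bytes, mnemonic, operands, then the ds: note.
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:", re.M)
CLASS_RE = re.compile(r"Exploitability Classification:\s*(\S+)")

# Constructed sample: the register block and verdict from the report above.
SAMPLE_DUMP = """\
eax=feeefeee ebx=7ffdf000 ecx=080c1b5c edx=feeefeee esi=00398490 edi=0094f558
eip=017785f0 esp=0012f1e8 ebp=0012f1f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
xul!mozilla::net::CallOnStop::Run+0x40:
017785f0 8b08            mov     ecx,dword ptr [eax]  ds:0023:feeefeee=????????
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
"""


def parse_windbg(text):
    """Pull registers, the faulting access and the !exploitable verdict out of a WinDBG paste."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    fault = FAULT_RE.search(text)
    insn = INSN_RE.search(text)
    verdict = CLASS_RE.search(text)
    return {
        "registers": regs,
        "fault_address": int(fault.group(1), 16) if fault else None,
        "fault_readable": bool(fault) and not fault.group(2).startswith("?"),
        "instruction": f"{insn.group(1)} {insn.group(2)}" if insn else None,
        "classification": verdict.group(1) if verdict else None,
    }


def triage(text):
    """Combine the parsed dump with the fill-pattern table into a triage summary."""
    info = parse_windbg(text)
    regs = info["registers"]
    # Every register whose value is a known fill pattern, with a description.
    tainted = {r: FILL_PATTERNS[v][1] for r, v in regs.items() if v in FILL_PATTERNS}
    bug_class = None
    if info["fault_address"] in FILL_PATTERNS:
        # The faulting address itself is a fill value: the dereferenced pointer
        # was read out of memory that had already been freed/never initialised.
        bug_class = FILL_PATTERNS[info["fault_address"]][0]
    elif tainted:
        bug_class = FILL_PATTERNS[regs[next(iter(tainted))]][0]
    return {**info, "tainted_registers": tainted, "likely_bug_class": bug_class}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print(f"instruction     : {result['instruction']}")
    print(f"fault address   : {result['fault_address']:#010x} (readable={result['fault_readable']})")
    print(f"!exploitable    : {result['classification']}")
    for reg, why in result["tainted_registers"].items():
        print(f"register {reg}     : {why}")
    print(f"likely bug class: {result['likely_bug_class']}")
```

Run against the sample it reports eax and edx as freed-heap fill values and classifies the crash as a likely use-after-free, which is the hint a triager wants next to the !exploitable verdict: the "data from faulting address controls code flow" finding becomes much less speculative once the faulting pointer is known to come from a freed block. The table is deliberately limited to constants that are documented; a release build, or a process started outside a debugger, will not show these patterns, so their absence is not evidence against a memory-safety bug.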
Jason, can you look into this?
this is essentially a dup of 712572
> Jason, can you look into this? Yes. > this is essentially a dup of 712572 Does look that way. Do we want to make that bug secure too? Not sure this issue needs to be hidden.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 712572