Closed
Bug 744637
Opened 12 years ago
Closed 11 years ago
Firefox DoS using exponential string growth and document.write()
Categories: Core :: XPCOM, defect
RESOLVED DUPLICATE of bug 612029
People: Reporter: Lostmon, Unassigned
Details: Keywords: crash, testcase, Whiteboard: [sg:dos oom] DUPE
Attachments: 1 file (639 bytes, text/plain)
crash report => https://crash-stats.mozilla.com/report/index/bp-01d43bd1-9daf-4c19-bce3-97a712120411
Comment 1 • 12 years ago (Reporter)
I think that the crash is triggered when loading a malformed page with a malicious script that fills up the memory; this is a possible memory corruption.
Component: Bookmarks & History → Untriaged
Updated • 12 years ago (Reporter)
Crash Signature: 5d3dfddd-6fe3-429c-bffc-c1dd02120411
Comment 2 • 12 years ago (Reporter)
This is a testcase for this issue. The HTML file fills up the memory, and after 10 or 20 seconds (depending on the memory installed) Firefox crashes.
Comment 3 • 12 years ago
Both crashes you link, bp-01d43bd1-9daf-4c19-bce3-97a712120411 from comment 0 and bp-5d3dfddd-6fe3-429c-bffc-c1dd02120411 from the crash-sig box, are aborts in our out-of-memory handler -- basically Firefox detects a potentially dangerous situation and commits suicide rather than allow things to continue. There's no evidence of an exploitable vulnerability here beyond a denial of service crash.
Group: core-security
Crash Signature: 5d3dfddd-6fe3-429c-bffc-c1dd02120411 → [@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | nsHtml5TreeBuilder::flushCharacters() ]
[@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | nsHtml5TreeBuilder::characters(wchar_t const*, int, int) ]
Component: Untriaged → String
Product: Firefox → Core
QA Contact: bookmarks → string
Summary: Firefox DoS on malicious script → Firefox DoS using exponential string growth and document.write()
Whiteboard: [sg:dos oom] DUPE
Target Milestone: Firefox 11 → ---
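The triage reasoning in comment 3, written out as an added example that is not part of the original bug thread or Mozilla's tooling: it parses a Crash Signature field and flags signatures whose top two frames are the allocator's abort path. Treating that frame pair as the marker of an out-of-memory abort is this example's assumption, and the function names and the contrast signature are constructed for illustration.

```python
# Added example: classify crash signatures the way comment 3 reads them.
# The two signatures below are copied from the Crash Signature field on this bug.
PAGE_SIGNATURES = (
    "[@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | "
    "nsHtml5TreeBuilder::flushCharacters() ]\n"
    "[@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | "
    "nsHtml5TreeBuilder::characters(wchar_t const*, int, int) ]"
)
# Constructed contrast input, not taken from any real crash report.
CONSTRUCTED_OTHER = "[@ example::Widget::Paint() ]"

# Assumption: these two frames on top of the stack mean a deliberate OOM abort.
OOM_FRAMES = ("mozalloc_abort", "mozalloc_handle_oom")


def parse_signatures(field):
    """Split a 'Crash Signature' field into one list of frames per signature."""
    signatures = []
    for chunk in field.split("[@")[1:]:
        body = chunk.strip()
        if body.endswith("]"):  # drop only the closing bracket of the entry
            body = body[:-1]
        frames = [f.strip() for f in body.split(" | ") if f.strip()]
        if frames:
            signatures.append(frames)
    return signatures


def function_name(frame):
    """'mozalloc_abort(char const* const)' -> 'mozalloc_abort'."""
    return frame.split("(", 1)[0].strip()


def classify(frames):
    """Return (kind, frame of interest) for one parsed signature."""
    names = [function_name(f) for f in frames]
    if tuple(names[:2]) == OOM_FRAMES:
        # The frame below the handler is the code that asked for memory.
        return ("oom-abort", names[2] if len(names) > 2 else None)
    return ("needs-review", names[0])


def triage(field):
    return [classify(frames) for frames in parse_signatures(field)]


if __name__ == "__main__":
    for result in triage(PAGE_SIGNATURES + "\n" + CONSTRUCTED_OTHER):
        print(result)
```

A "needs-review" result only means the signature did not match the out-of-memory pattern; it says nothing about exploitability.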
Updated • 11 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated • 3 years ago (Assignee)
Component: String → XPCOM