Closed
Bug 783888
Opened 12 years ago
Closed 2 years ago
Stack overflow via window.open.
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WONTFIX
People
(Reporter: skyskif, Unassigned)
Details
(6 keywords)
Crash Data
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347
Steps to reproduce:
moved to the site
Actual results:
program stopped
Expected results:
launch site
Reporter
Comment 1•12 years ago
Stack overflows are not exploitable.
Group: core-security
Component: Untriaged → DOM
Product: Firefox → Core
Summary: Buffer Overflow via javascript → Stack overflow via window.open.
Updated•12 years ago
Severity: normal → critical
Status: UNCONFIRMED → NEW
tracking-firefox-esr10:
--- → ?
tracking-firefox15:
--- → ?
tracking-firefox16:
--- → ?
tracking-firefox17:
--- → ?
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Comment 3•12 years ago
Not a recent regression nor a critical security issue.
tracking-firefox-esr10:
? → ---
Updated•12 years ago
Attachment #653187 -
Attachment mime type: text/plain → text/html
Updated•12 years ago
Attachment #653187 -
Attachment description: bag mozilla.htm → The file causing the problem.
Reporter
Comment 4•12 years ago
another example
<script type="text/javascript">
while(1) {
window.open('file:///C:/Documents%20and%20Settings/skif/%D0%A0%D0%B0%D0%B1%D0%BE%D1%87%D0%B8%D0%B9%20%D1%81%D1%82%D0%BE%D0%BB/bag%20mozillaNOW.htm');
}
</script>
bp-45a0cedc-84a2-429e-be4e-3046d2120914
Updated•12 years ago
Crash Signature: [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure() ]
Reporter
Comment 5•12 years ago
Crash Address 0x183f198
Reporter
Comment 6•12 years ago
another example
<script type="text/javascript">
while(1) {
self.setInterval(window.open(),1)
}
</script>
Signature: nsJSContext::TerminationFuncClosure::~TerminationFuncClosure()
Crash Address 0x179f198
Reporter
Comment 7•12 years ago
Reporter
Comment 8•12 years ago
to the collection of
<script type="text/javascript">
while(1) {
setTimeout(window.open(),1)
}
</script>
Updated•9 years ago
Crash Signature: [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure() ] → [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure() ]
[@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure ]
Comment 9•6 years ago
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 10•6 years ago
> Closing because no crash reported since 12 weeks.
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats. Other resolutions may be appropriate for other reasons.
(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes. The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
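Added example, not part of the bug thread or of Mozilla's crash-stats tooling: a small triage sketch of the point made in comment 10, using the two signature forms recorded in this bug's Crash Signature field. The report records, their dates, the `example::UnrelatedFrame` signature and the helper names `normalize` and `recent_reports` are constructed for illustration.

```python
import re
from datetime import date, timedelta

# The two signature forms recorded in this bug's Crash Signature field.
OLD_SIG = "nsJSContext::TerminationFuncClosure::~TerminationFuncClosure()"
NEW_SIG = "nsJSContext::TerminationFuncClosure::~TerminationFuncClosure"

# Constructed sample reports (dates and the unrelated signature are made up).
REPORTS = [
    {"date": date(2012, 9, 14), "signature": OLD_SIG},
    {"date": date(2015, 3, 2), "signature": NEW_SIG},
    {"date": date(2015, 3, 20), "signature": NEW_SIG},
    {"date": date(2015, 3, 21), "signature": "example::UnrelatedFrame"},
]


def normalize(signature: str) -> str:
    """Reduce a signature to a grouping key that survives format changes."""
    sig = signature.strip()
    wrapped = re.fullmatch(r"\[@\s*(.*?)\s*\]", sig)  # "[@ name ]" field syntax
    if wrapped:
        sig = wrapped.group(1)
    previous = None
    while previous != sig:  # strip argument lists, innermost first
        previous = sig
        sig = re.sub(r"\([^()]*\)", "", sig)
    return re.sub(r"\s+", "", sig)


def recent_reports(reports, signature, today, weeks=12, exact=True):
    """Count reports in the last `weeks` weeks that match `signature`."""
    key = (lambda s: s) if exact else normalize
    cutoff = today - timedelta(weeks=weeks)
    return sum(
        1 for r in reports
        if r["date"] >= cutoff and key(r["signature"]) == key(signature)
    )


if __name__ == "__main__":
    today = date(2015, 4, 1)  # constructed "now"
    # An exact-match query on the old form looks like the crash went away...
    print("exact:     ", recent_reports(REPORTS, OLD_SIG, today))
    # ...while grouping by normalized key still finds recent reports.
    print("normalized:", recent_reports(REPORTS, OLD_SIG, today, exact=False))
```

A zero count from the normalized query would still only mean that no reports were grouped under that key in the window; re-running the attached test case is what shows whether the bug is still present.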
Assignee
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•2 years ago
Severity: critical → S2
Comment 12•2 years ago
I tried the test case, but it just kind of sits there not doing much. It uses 100% of a CPU, but thanks to Fission and e10s the UI and other pages are going to remain responsive until the user closes the tab.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 2 years ago
Resolution: --- → WONTFIX