Closed Bug 783888 Opened 12 years ago Closed 1 year ago

Stack overflow via window.open.

Categories: Core :: DOM: Core & HTML, defect
Version: 14 Branch
Status: RESOLVED WONTFIX
Tracking Status: firefox15 - --- ; firefox16 - --- ; firefox17 - ---
People: Reporter: skyskif, Unassigned
Details: 6 keywords, 2 attachments
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

moved to the site

Actual results:

program stopped

Expected results:

launch site
Stack overflows are not exploitable.
Group: core-security
Component: Untriaged → DOM
Product: Firefox → Core
Summary: Buffer Overflow via javascript → Stack overflow via window.open.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Not a recent regression nor a critical security issue.
Attachment #653187 - Attachment mime type: text/plain → text/html
Attachment #653187 - Attachment description: bag mozilla.htm → The file causing the problem.
another example

<script type="text/javascript">
// Never-yielding loop: every iteration opens another window and the
// script never returns to the event loop.
while(1) {
window.open('file:///C:/Documents%20and%20Settings/skif/%D0%A0%D0%B0%D0%B1%D0%BE%D1%87%D0%B8%D0%B9%20%D1%81%D1%82%D0%BE%D0%BB/bag%20mozillaNOW.htm');
}
</script>

bp-45a0cedc-84a2-429e-be4e-3046d2120914
Crash Signature: [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure() ]
Crash Address	0x183f198
another example

<script type="text/javascript">
while(1) {
// window.open() is evaluated immediately, so setInterval receives the new
// Window object rather than a callback; the storm comes from the loop itself.
self.setInterval(window.open(),1)
}
</script>

Signature: nsJSContext::TerminationFuncClosure::~TerminationFuncClosure()

Crash Address	0x179f198
To the collection:

<script type="text/javascript">
while(1) {
// Same pattern as above: window.open() runs each iteration, and setTimeout
// is handed its return value instead of a function.
setTimeout(window.open(),1)
}
</script>
Crash Signature: [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure() ] → [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure() ] [@ nsJSContext::TerminationFuncClosure::~TerminationFuncClosure ]
Keywords: sec-other
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Component: DOM → DOM: Core & HTML
Severity: critical → S2

I tried the test case, but it just kind of sits there not doing much. It uses 100% of a CPU, but thanks to Fission and e10s the UI and other pages are going to remain responsive until the user closes the tab.

Status: REOPENED → RESOLVED
Closed: 6 years ago → 1 year ago
Resolution: --- → WONTFIX
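The testcases in this bug all call window.open from a loop that never yields. As an added example (not code from this bug or from Mozilla), here is a page-side guard that wraps window.open in a per-interval budget so such a loop is mostly refused rather than allowed to pile up windows; `makeGuardedOpen`, `installGuard` and `simulatePopupStorm` are hypothetical helper names, and `clock` is injected so the logic can be exercised offline under Node.

```javascript
// Added example, not code from this bug or from Mozilla: a throttled wrapper
// around window.open that caps how many pop-ups a page may open per interval.
// `makeGuardedOpen`, `installGuard` and `simulatePopupStorm` are hypothetical
// helper names; `clock` is injected so the logic runs under Node.

function makeGuardedOpen(realOpen, { maxCalls = 5, windowMs = 1000, clock = Date.now } = {}) {
  let windowStart = clock(); // start of the current budget window
  let calls = 0;             // opens allowed so far in this window
  let refused = 0;           // opens refused so far (all windows)

  function guardedOpen(...args) {
    const now = clock();
    if (now - windowStart >= windowMs) { // interval elapsed: fresh budget
      windowStart = now;
      calls = 0;
    }
    if (calls >= maxCalls) {             // budget spent: refuse, never call realOpen
      refused += 1;
      return null;
    }
    calls += 1;
    return realOpen(...args);
  }
  guardedOpen.stats = () => ({ calls, refused });
  return guardedOpen;
}

// Replace win.open in place; in a browser this must run before any script
// that might call window.open.
function installGuard(win, options) {
  const realOpen = win.open.bind(win);
  win.open = makeGuardedOpen(realOpen, options);
  return win.open;
}

// Constructed stand-in for `window` so the guard can be exercised offline:
// fires `attempts` back-to-back opens, like the while(1) testcases in this bug.
function simulatePopupStorm(attempts, options) {
  let opened = 0;
  const fakeWindow = { open() { opened += 1; return { closed: false }; } };
  const open = installGuard(fakeWindow, options);
  let refused = 0;
  for (let i = 0; i < attempts; i++) {
    if (open('about:blank') === null) refused += 1;
  }
  return { opened, refused };
}
```

The wrapper only limits scripts running in the page; it does not replace the browser's own pop-up blocking or the process isolation mentioned in the comment above.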