Bug 885622: Out-Of-Memory--Memory Corruption issue
Status: RESOLVED INCOMPLETE (opened 12 years ago, closed 12 years ago)
Categories: Firefox :: General, defect, P1
People: Reporter: jigsaw0658, Unassigned
Keywords: crash, csectype-oom, sec-low
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Steps to reproduce:
First step: I basically used the document object "document.write" to write NULL bytes.
Second step: I created a loop that can execute document.write to print the "document.body.innerHTML" under a condition that initiates the variable used in the loop (var i=0); then the 2nd state to evaluate the condition of the initial variable with (i<=xx), and the final state to increase the 1st state.
How am I interacting with Firefox?
I created this concept to make the browser fall into an endless dialog loop that leads to a Firefox crash, and it was done successfully. I focused exactly on the corruption of the memory location due to this error, making the browser unable to handle the OOM exception.
Actual results:
Directly after the execution of the code in the browser, it stops working definitively until you kill the process. When I debugged the problem I got Out of Memory messages.
(I have mentioned it in the file.)
Expected results:
Normally when I execute the code, the browser should behave as well as the other browsers and print what I wanted to write even if the loop exists.
Reporter | Updated • 12 years ago
Severity: normal → major
Component: Untriaged → General
Flags: needinfo?(dveditz)
Priority: -- → P1
Reporter | Comment 1 • 12 years ago
Comment 2 • 12 years ago
Just a DoS, nothing exploitable. Opening up.
Reporter | Comment 3 • 12 years ago
So there is no FIX in this case!
Reporter | Updated • 12 years ago
Flags: needinfo?(benjamin)
Reporter | Comment 4 • 12 years ago
What can you do in this situation? I saw several similar bugs and it was a use-after-free vulnerability, like http://www.securityfocus.com/bid/57218
Comment 5 • 12 years ago
This is not a use-after-free, it's just allocating lots of memory and we eventually intentionally crash when a small allocation fails. This is not something that we're likely to fix except by using content processes to make sure that crashing content doesn't take down the entire browser.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(benjamin)
Resolution: --- → INCOMPLETE
Reporter | Comment 6 • 12 years ago
Okay, you'd better alert me when you make the right decision, and thank you again.
Please, I want you to investigate a bug that I requested some days ago; this is the link: https://bugzilla.mozilla.org/show_bug.cgi?id=884521
I added you to the CC list
Reporter | Updated • 12 years ago
Flags: needinfo?(benjamin)
Updated • 12 years ago
Flags: needinfo?(benjamin)