Closed
Bug 887226
Opened 11 years ago
Closed 9 years ago
OOM [@JS_BasicObjectToString mozilla::detail::GuardObjectNotificationReceiver::init nsTArray_Impl<nsIAtom*, nsTArrayInfallibleAllocator>::operator[] obj_toString js::CompartmentChecker::check]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: cbook, Unassigned)
References
()
Details
(Keywords: crash, csectype-oom)
Attachments
(2 files)
Found via bughunter. Loading http://goo.gl/b4gxL -> http://library.iitd.ac.in/title.php?show=%27%3E%3Cimg%20src=%22http://s3.amazonaws.com/kym-assets/photos/images/original/000/096/044/trollface.jpg%22%20onLoad=%22javascript:alert%281%29;%22%20/%3E%3Cinput%20type=%22text%22 result in windows in OOM. For linux it was reported OOM [@JS_BasicObjectToString mozilla::detail::GuardObjectNotificationReceiver::init nsTArray_Impl<nsIAtom*, nsTArrayInfallibleAllocator>::operator[] obj_toString js::CompartmentChecker::check] Creating a testcase might turn out very difficult here, since i tried to download this page for a local testcase and ended up with a +2GB file.
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Comment 3•11 years ago
|
||
It isn't entirely clear that this is a security problem. In the Linux stack we're crashing in the compartment checker, which is a little odd, and on Windows we're crashing with the OOM crasher.
Updated•11 years ago
|
Assignee | ||
Updated•10 years ago
|
Assignee: general → nobody
Comment 4•9 years ago
|
||
url is 404
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•