OOM [@JS_BasicObjectToString mozilla::detail::GuardObjectNotificationReceiver::init nsTArray_Impl<nsIAtom*, nsTArrayInfallibleAllocator>::operator[] obj_toString js::CompartmentChecker::check]

RESOLVED WORKSFORME

Status

Core
JavaScript Engine
5 years ago
3 years ago

People

(Reporter: Tomcat, Unassigned)

Tracking

(Blocks: 1 bug, {crash, csectype-oom})

Trunk
x86
Windows 7
crash, csectype-oom
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Found via bughunter.

Loading  http://goo.gl/b4gxL -> http://library.iitd.ac.in/title.php?show=%27%3E%3Cimg%20src=%22http://s3.amazonaws.com/kym-assets/photos/images/original/000/096/044/trollface.jpg%22%20onLoad=%22javascript:alert%281%29;%22%20/%3E%3Cinput%20type=%22text%22

results in an OOM on Windows. For Linux it was reported as OOM [@JS_BasicObjectToString mozilla::detail::GuardObjectNotificationReceiver::init nsTArray_Impl<nsIAtom*, nsTArrayInfallibleAllocator>::operator[] obj_toString js::CompartmentChecker::check]

Creating a testcase might turn out very difficult here, since I tried to download this page for a local testcase and ended up with a 2+ GB file.
(Reporter)

Comment 1

5 years ago
Created attachment 767715 [details]
linux stack
(Reporter)

Comment 2

5 years ago
Created attachment 767717 [details]
windows stack
It isn't entirely clear that this is a security problem. In the Linux stack we're crashing in the compartment checker, which is a little odd, and on Windows we're crashing with the OOM crasher.
Group: core-security
Keywords: crash, csec-oom
(Assignee)

Updated

4 years ago
Assignee: general → nobody
URL is 404
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME