Created attachment 816219 firefox-backtrace.txt When a resource with an overly long path (~40kb in my case) is opened inside an HTTP digest authentication realm (previously authenticated), the application (here: Firefox 17.0.9 ESR, gentoo) crashes with mozalloc_abort; backtrace attached. Test page attached, or full test case available here: http://mbechler.eenterphace.org/firefox-test.htm Not marking for Security as this seems to be DOS only and requires previous authentication to the realm, so only minor impact is expected.
Confirmed. The test page crashes my fresh (Jan 20 2014) mozilla-central build as well.
Created attachment 8362491 patch fixing this issue The attached patch makes the problem go away for me. The problem was that the path length was stored in a *signed* 16-bit variable so it wrapped over 32K which then caused the code to pass in a negative length where a positive was assumed and.... *bang*
Assignee: nobody → daniel
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8362491 - Flags: review?(jduell.mcbugs)
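The root cause stated above (a path length narrowed into a signed 16-bit variable, so anything over 32767 bytes turns negative) can be reproduced in isolation. The following is an added example written for this page, not Firefox's code or the attached patch: it models the narrowing with a constructed ~40 KB path, shows the resulting negative length, and sets a hardened variant beside it that keeps the length in `size_t` and rejects over-long input against a limit (`MAX_PATH_LEN`, a value chosen for this example) instead of silently truncating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug: the length is narrowed into int16_t, so
 * values above 32767 wrap to negative numbers (two's complement is assumed,
 * which is what the usual toolchains do). This is not Firefox's own code. */
int16_t truncated_path_len(size_t path_len) {
    int16_t len = (int16_t)path_len;   /* the silent narrowing */
    return len;
}

/* 1 if the narrowed length comes out negative (the condition the report
 * describes as being passed on where a positive length was assumed). */
int narrowed_length_is_negative(size_t path_len) {
    return truncated_path_len(path_len) < 0;
}

/* Hardened variant: keep the length as size_t and enforce an explicit
 * maximum. MAX_PATH_LEN is a hypothetical limit chosen for this example. */
#define MAX_PATH_LEN 32767

/* Returns 0 and stores the length on success, -1 if the path is too long. */
int checked_path_len(const char *path, size_t *out_len) {
    size_t n = strlen(path);
    if (n > MAX_PATH_LEN) {
        *out_len = 0;
        return -1;
    }
    *out_len = n;
    return 0;
}

/* Helper: build a constructed path of n 'a' characters and run the checked
 * version on it, returning its result code. */
int checked_len_for_size(size_t n) {
    char *path = malloc(n + 1);
    if (!path) return -2;              /* allocation failure, distinct code */
    memset(path, 'a', n);
    path[n] = '\0';
    size_t len;
    int rc = checked_path_len(path, &len);
    free(path);
    return rc;
}

int main(void) {
    size_t big = 40 * 1024;            /* ~40 KB, as in the report */
    printf("narrowed int16 length: %d (negative=%d)\n",
           truncated_path_len(big), narrowed_length_is_negative(big));
    printf("checked_path_len on 40KB path: rc=%d\n", checked_len_for_size(big));
    printf("checked_path_len on 100-byte path: rc=%d\n", checked_len_for_size(100));
    return 0;
}
```

The first output line shows the 40960-byte length arriving as -24576 once narrowed; the hardened variant never narrows, so the only outcomes are the real length or an explicit rejection.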
Comment on attachment 8362491 patch fixing this issue Review of attachment 8362491: Looks good!
Attachment #8362491 - Flags: review?(jduell.mcbugs) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc5112c72bba Thanks for the patch, Daniel! One request, please make sure that future patches include commit information when requesting checkin. Makes life much easier for those landing on your behalf :) https://developer.mozilla.org/en-US/docs/Mercurial_FAQ#How_can_I_generate_a_patch_for_somebody_else_to_check-in_for_me.3F
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
The testcase in comment 0 crashes the 01/03 mozilla-central like this: https://crash-stats.mozilla.com/report/index/4379ca97-f989-4400-ad9f-7c8f32140326. Firefox 29.0b2 doesn't crash with the same testcase. Tested on Ubuntu 12.10 x86_64.
Status: RESOLVED → VERIFIED