exponential string growth causes an OOM

Status: RESOLVED DUPLICATE of bug 896165
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Version: Trunk
Keywords: crash
Reported / last modified: 4 years ago
Reporter: clay
Assignee: Unassigned
Firefox Tracking Flags: Not tracked
Attachments: 1 (1009 bytes, text/html)

Description (Reporter), 4 years ago
Found this from a long time ago. It was created for FF17 and reported; I don't think it ever got fixed properly.

Comment 1 (Reporter), 4 years ago

Created attachment 8356459: ff17sploit.html

Updated, 4 years ago
Severity: normal → critical
Component: General → General
OS: Linux → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: 27 Branch → Trunk

Updated, 4 years ago
Keywords: crash
Group: core-security

It looks like the test case is just doubling the size of a buffer.

On OSX, it just ends up hanging the browser.  Are you seeing a crash on some other OS, like maybe Win32?  What is the crash id (this will show up in about:crashes)?
I'll throw this in JS for now...
Component: General → JavaScript Engine

Comment 4, 4 years ago
On Win64 I was only able to reproduce the hang with the current Nightly (64-bit). It seems that the 32-bit versions (25.0.1 port, 26, 27, 28) and Waterfox 24 are not affected, but have high memory usage.
I tested on Opera Next and IE11 as well; the result was a site crash, and IE also hangs.

Firefox 25.0.1 in my Win8.1 (32-bit) VM crashes immediately: https://crash-stats.mozilla.com/report/index/123250cf-c4d4-43ba-95ed-9261c2140108
Firefox 26 and Aurora 27/28 hang/freeze with high memory and CPU usage.

So I think this bug is very critical for 32-bit systems, especially on Firefox ESR.

The test case is just repeatedly doubling the size of the buffer, and eventually the browser safely hits an OOM crash, which is what the mozalloc_abort is.  I don't see any evidence of memory corruption.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: causes crash maybe more → exponential string growth causes an OOM
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 896165
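The comments above describe the test case as nothing more than a buffer that is repeatedly doubled until the browser hits an out-of-memory abort. The attachment itself is not reproduced on this page, so the following is an added example (not ff17sploit.html and not Mozilla code) of the same doubling pattern, written so a harness can run it without taking down the host: the growth loop takes an assumed length budget (the `maxLength` option is this example's own parameter), and when run without one it stops at the engine's maximum string length, which JavaScript engines report as a catchable RangeError rather than a process abort. The browser-level mozalloc_abort discussed in the triage is not observable from script, so this only shows the in-engine limit, not the allocator failure.

```javascript
// Added example (not from the bug report or its attachment): the
// "repeatedly double a buffer" pattern, with an optional length budget.
// Returns how far the growth got and what stopped it.
function growUntilLimit(opts) {
  opts = opts || {};
  // Assumed harness budget; Infinity means "grow until the engine refuses".
  const maxLength = opts.maxLength !== undefined ? opts.maxLength : Infinity;
  let s = 'x';
  let doublings = 0;
  for (;;) {
    if (s.length * 2 > maxLength) {
      // Stopped by the caller's budget before the engine had to intervene.
      return { doublings, finalLength: s.length, stoppedBy: 'budget' };
    }
    try {
      // Same operation as the test case: each round doubles the string.
      s = s + s;
    } catch (e) {
      // Engines enforce a maximum string length; exceeding it throws a
      // RangeError that script can catch, instead of aborting the process.
      if (e instanceof RangeError) {
        return { doublings, finalLength: s.length, stoppedBy: 'RangeError' };
      }
      throw e;
    }
    doublings += 1;
  }
}

// Usage: a bounded run for a test harness, then an unbounded run that
// stops only at the engine's own string-length limit.
console.log(growUntilLimit({ maxLength: 1 << 20 }));
console.log(growUntilLimit());
```

The unbounded run is cheap in V8 and SpiderMonkey because `s + s` on large inputs builds a rope (a concatenation node) rather than copying the characters, so the loop reaches the length limit after about thirty rounds without materialising the data; a test case that forces the string to be flattened (for example by indexing into it, or by handing it to a DOM API) is what actually drives the allocator to the OOM abort described in the triage.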