Closed Bug 966870 Opened 6 years ago Closed 6 years ago

JSONP and a huge file crashes with a large infallible allocation at nsStreamLoader::OnStartRequest

Categories

(Core :: Networking, defect)

26 Branch
x86_64
Windows 7
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla30

People

(Reporter: ali.of.south, Assigned: lpy)

References

(Blocks 1 open bug)

Details

(Whiteboard: [mentor=benjamin@smedbergs.us][lang=c++][good first bug])

Attachments

(2 files)

Attached file index.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

I run an html file with this code:
<!DOCTYPE html>
	<html>
		<head>
			<meta charset="UTF-8" />
			<title>Hi</title>
			<script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
			<script type="text/javascript">
					$.ajax({
						dataType: 'jsonp',
  						url: 'http://ftp-archive.freebsd.org/pub/FreeBSD/releases/amd64/ISO-IMAGES/9.2/FreeBSD-9.2-RELEASE-amd64-dvd1.iso',
  						success: function () {
						 },
					});
			</script>
		</head>
		<body>
		</body>
	</html>


Actual results:

Firefox crashed!


Expected results:

Firefox simply should download my file
do you have a crash signature? If not can you get one from about:crashes?
Flags: needinfo?(ali.nowruzi)
There are a couple things going on here:

1) you told jquery that this was JSONP: this means we try to load the URL as JS. It doesn't make any sense to try and load an .iso as JS: presumably what you actually wanted was to either link to the ISO (so that the user could save it to disk) or to do something with the data in webpage JS, in which case you need to read https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Sending_and_Receiving_Binary_Data

2) Please provide the crash ID from about:crashes. Firefox will intentionally and safely crash if we run out of memory in many cases, so unless this is an unsafe crash we don't need to leave this bug security-private.
Yes.
Crash ID: https://crash-stats.mozilla.com/report/index/35175f9d-3e77-477a-9c17-15b902140203
Flags: needinfo?(ali.nowruzi)
ok. That's an intentional crash and not a security issue by itself. (It is a DOS, but we don't keep those hidden.) This is an allocation site that should be using fallible allocation and failing to load when allocation fails.
Blocks: 943017
Group: core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking
Ever confirmed: true
Product: Firefox → Core
Summary: JSONP and a huge file → JSONP and a huge file crashes with a large infallible allocation at nsStreamLoader::OnStartRequest
Whiteboard: [mentor=benjamin@smedbergs.us][lang=c++][good first bug]
http://hg.mozilla.org/releases/mozilla-release/annotate/39faf812aaec/netwerk/base/src/nsStreamLoader.cpp#l81 is the code link. This should probably be using moz_malloc instead of NS_Alloc and that might be sufficient all by itself. A test would be nice, but I'm not sure we currently have a simple way to test OOM behavior like this. Maybe we need an xpcshell API to cap the jemalloc heap size?
Assignee: nobody → pylaurent1314
Attached patch bug966870.patchSplinter Review
Attachment #8369894 - Flags: review?(benjamin)
Attachment #8369894 - Flags: review?(benjamin) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/26cdcab860cf
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
QA Whiteboard: [good first verify]
You need to log in before you can comment on or make changes to this bug.