Closed
Bug 966870
Opened 10 years ago
Closed 10 years ago
JSONP and a huge file crashes with a large infallible allocation at nsStreamLoader::OnStartRequest
Categories
(Core :: Networking, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: ali.of.south, Assigned: lpy)
References
(Blocks 1 open bug)
Details
(Whiteboard: [mentor=benjamin@smedbergs.us][lang=c++][good first bug])
Attachments
(2 files)
984 bytes, text/html
1.04 KB, patch (benjamin: review+)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

I run an html file with this code:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8" />
    <title>Hi</title>
    <script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
    <script type="text/javascript">
        $.ajax({
            dataType: 'jsonp',
            url: 'http://ftp-archive.freebsd.org/pub/FreeBSD/releases/amd64/ISO-IMAGES/9.2/FreeBSD-9.2-RELEASE-amd64-dvd1.iso',
            success: function () { },
        });
    </script>
</head>
<body>
</body>
</html>

Actual results:

Firefox crashed!

Expected results:

Firefox simply should download my file
Do you have a crash signature? If not, can you get one from about:crashes?
Flags: needinfo?(ali.nowruzi)
Comment 2•10 years ago
There are a couple things going on here:

1) you told jquery that this was JSONP: this means we try to load the URL as JS. It doesn't make any sense to try and load an .iso as JS: presumably what you actually wanted was to either link to the ISO (so that the user could save it to disk) or to do something with the data in webpage JS, in which case you need to read https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Sending_and_Receiving_Binary_Data

2) Please provide the crash ID from about:crashes. Firefox will intentionally and safely crash if we run out of memory in many cases, so unless this is an unsafe crash we don't need to leave this bug security-private.
Comment 3•10 years ago (Reporter)
Yes. Crash ID: https://crash-stats.mozilla.com/report/index/35175f9d-3e77-477a-9c17-15b902140203
Flags: needinfo?(ali.nowruzi)
Comment 4•10 years ago
OK. That's an intentional crash and not a security issue by itself. (It is a DOS, but we don't keep those hidden.) This is an allocation site that should be using fallible allocation and failing to load when allocation fails.
Blocks: 943017
Group: core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking
Ever confirmed: true
Product: Firefox → Core
Summary: JSONP and a huge file → JSONP and a huge file crashes with a large infallible allocation at nsStreamLoader::OnStartRequest
Whiteboard: [mentor=benjamin@smedbergs.us][lang=c++][good first bug]
Comment 5•10 years ago
http://hg.mozilla.org/releases/mozilla-release/annotate/39faf812aaec/netwerk/base/src/nsStreamLoader.cpp#l81 is the code link. This should probably be using moz_malloc instead of NS_Alloc and that might be sufficient all by itself. A test would be nice, but I'm not sure we currently have a simple way to test OOM behavior like this. Maybe we need an xpcshell API to cap the jemalloc heap size?
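The fallible-allocation behaviour that comments 4 and 5 ask for, as an added example that is not part of this bug thread and is not Gecko code: a buffer sized from a server-declared length reports failure to its caller instead of aborting the process. `StreamBuffer`, `LoadStatus` and the method names are hypothetical, standard `realloc` stands in for the allocator, and the declared length is a constructed value.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

enum class LoadStatus { Ok, OutOfMemory, BadLength };

// Hypothetical stand-in for a stream loader's buffer; not Gecko code.
class StreamBuffer {
 public:
  ~StreamBuffer() { std::free(mData); }
  // Headers arrived. declaredLength is the server's Content-Length
  // (-1 if absent) and is untrusted: it only sizes a best-effort reserve.
  LoadStatus OnStart(int64_t declaredLength) {
    if (declaredLength < 0) return LoadStatus::Ok;  // grow on demand instead
    if (static_cast<uint64_t>(declaredLength) > SIZE_MAX) return LoadStatus::BadLength;
    return Reserve(static_cast<size_t>(declaredLength));
  }
  // Body chunk arrived: grow fallibly, then copy.
  LoadStatus OnData(const char* chunk, size_t len) {
    if (len == 0) return LoadStatus::Ok;
    if (len > SIZE_MAX - mLength) return LoadStatus::BadLength;  // size overflow
    LoadStatus st = Reserve(mLength + len);
    if (st != LoadStatus::Ok) return st;
    std::memcpy(mData + mLength, chunk, len);
    mLength += len;
    return LoadStatus::Ok;
  }
  size_t Length() const { return mLength; }

 private:
  // Fallible: realloc returns nullptr on failure and leaves mData intact,
  // so the caller can cancel this one load rather than abort the process.
  LoadStatus Reserve(size_t want) {
    if (want <= mCapacity) return LoadStatus::Ok;
    void* p = std::realloc(mData, want);
    if (!p) return LoadStatus::OutOfMemory;
    mData = static_cast<char*>(p);
    mCapacity = want;
    return LoadStatus::Ok;
  }
  char* mData = nullptr;
  size_t mLength = 0, mCapacity = 0;
};

int main() {
  StreamBuffer buf;  // constructed input: an absurd declared length
  bool ok = buf.OnStart(INT64_MAX) == LoadStatus::Ok;
  std::puts(ok ? "reserved" : "load cancelled, process still alive");
}
```

An infallible allocator at the `Reserve` call would terminate the process at that point, which is the intentional crash described in comment 4.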
Updated•10 years ago (Assignee)
Assignee: nobody → pylaurent1314
Comment 6•10 years ago (Assignee)
Attachment #8369894 -
Flags: review?(benjamin)
Updated•10 years ago
Attachment #8369894 -
Flags: review?(benjamin) → review+
Updated•10 years ago (Assignee)
Keywords: checkin-needed
Comment 7•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/26cdcab860cf
Keywords: checkin-needed
Comment 8•10 years ago
https://hg.mozilla.org/mozilla-central/rev/26cdcab860cf
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Updated•10 years ago
QA Whiteboard: [good first verify]