Firefox Tab Crash MOZ_CRASH() [@ mozilla::gfx::DrawTargetRecording::CreateSimilarDrawTarget]
Categories
(Core :: Graphics, defect)
Tracking
()
People
(Reporter: fazim.pentester, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Crash Data
Attachments
(1 file)
|
(deleted),
image/png
|
Details |
screenshot.png
The code below causes the tab to crash. I have tried the latest version of ASan Nightly Nightly, but it did not capture any traces.
<!DOCTYPE html>
<html>
<head>
<style>
textarea {
mask: conic-gradient(at 94% 100%, blue 0% 100%) 66em 75% repeat repeat padding-box luminance;
border-right-style: inset;
background-clip: text;
}
</style>
</head>
<body>
<textarea cols="9999"></textarea>
</body>
</html>
|
Reporter | |
Updated•1 year ago
|
|
|
Reporter | |
Comment 1•1 year ago
|
||
Is this a security bug, or the browser just gave up on my shenanigans
|
||
Comment 2•1 year ago
|
||
I can reproduce on 115 beta by copy-pasting the string from comment 0 into https://jsbin.com - https://crash-stats.mozilla.org/report/index/e877f248-25b2-48fd-ad69-2ab3c0230621 .
I think this is a safe tab crash given the MOZ_CRASH call, so not sure it needs to be sec-sensitive, though I guess it's a DoS vector given the reproducible testcase. Hopefully the graphics team can clarify further.
|
||
Comment 3•1 year ago
|
||
Jeff, do you know who would be the right person to investigate / fix this? Do we think it needs to remain as a sec-bug?
|
|
||
Updated•1 year ago
|
|
||
Comment 4•1 year ago
|
||
I don't think this is a security bug. It seems like a dup of 1757003
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Description
•