Open
Bug 1462008
Opened 6 years ago
Updated 1 month ago
Small jpeg triggers runaway memory usage in Firefox 59 -> Nightly
Categories
(Core :: Graphics: ImageLib, defect, P3)
NEW
People
(Reporter: geeknik, Unassigned)
Details
(5 keywords, Whiteboard: [gfx-noted])
Attachments
(2 files)
While fuzzing cjpeg I discovered a jpeg that would trigger an immediate increase in Firefox 59, 60 and Nightly (build ID 20180516100125) memory usage from around 500MB to the system maximum before the process is killed. The only thing I could find in the browser console were these messages:
Corrupt JPEG data: 131 extraneous bytes before marker 0xda
Corrupt JPEG data: 131 extraneous bytes before marker 0xda
Reporter
Comment 1•6 years ago
Comment 2•6 years ago
On Mac (variety of Release and Nightly versions) the memory seems to cap out at around 12GB and doesn't get killed, although the CPU keeps churning so I'm not sure what it's doing exactly. With e10s it's easy to close the affected tab, and if it dies not that harmful to the rest of the browser. Or are you seeing something different, like killing the parent process, too?
Flags: sec-bounty-
Reporter
Comment 3•6 years ago
After churning @ 100% CPU for 2m35.4 seconds on a Debian 9.3 VM assigned 4GB of RAM and 4GB of swap, the entire browser is killed by the OS.
On my machine, it very quickly allocates ~12 thousand megabytes, thinks for about 35 seconds, then displays a mid-gray square image zoomed out, with native dimensions of 65395x65395 pixels. With 24-bit RGB encoding this image is about 12 gigabytes of bitmap data, which explains the memory usage.
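The arithmetic in the comment above can be checked before any pixel buffer is allocated, because a JPEG states its frame dimensions in the SOF header. The sketch below is an added example, not Firefox or ImageLib code and not part of the bug report; the function names, the 256 MiB budget and the 3 bytes per pixel (the 24-bit RGB figure from the comment) are assumptions, and the sample header is constructed, not the attached testcase.

```python
import struct

# Markers 0xC0-0xCF are SOFn frame headers, except DHT (C4), JPG (C8), DAC (CC).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
# Markers with no length field: stuffed zero, TEM, RST0-7, SOI, EOI.
NO_LENGTH = {0x00, 0x01} | set(range(0xD0, 0xDA))


def jpeg_frame_info(data):
    """Return (width, height, components) from the first SOF segment; no decoding."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker == 0xFF:
            pos += 1  # extraneous or fill byte: resync on the next 0xFF
        elif marker in NO_LENGTH:
            pos += 2
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if marker in SOF_MARKERS:
                seg = data[pos + 4:pos + 2 + length]
                if len(seg) < 6:
                    raise ValueError("truncated SOF segment")
                _precision, height, width, ncomp = struct.unpack(">BHHB", seg[:6])
                return width, height, ncomp
            if marker == 0xDA:
                break  # start of scan: no frame header will follow
            pos += 2 + length
    raise ValueError("no SOF segment found")


def decoded_size(width, height, bytes_per_pixel=3):
    """Bitmap bytes for the declared frame (3 = 24-bit RGB, as in the comment)."""
    return width * height * bytes_per_pixel


def within_budget(data, max_bytes=256 * 1024 * 1024):
    """True if the declared frame fits the (assumed) decode budget."""
    width, height, _ = jpeg_frame_info(data)
    return decoded_size(width, height) <= max_bytes


def constructed_header(width, height):
    """Constructed sample: SOI + SOF0 header only, not the bug's attachment."""
    comps = bytes([1, 0x11, 0, 2, 0x11, 0, 3, 0x11, 0])
    return b"\xff\xd8\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3) + comps
```

A decoder that stores 32 bits per pixel needs a third more memory than the 24-bit figure used here, so the budget should be set against the surface format actually allocated.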
Comment 5•6 years ago
Without looking into this file specifically I would guess this is a dupe of bug 1277397.
Updated•6 years ago
Flags: needinfo?(tnikkel)
Priority: -- → P3
Whiteboard: [gfx-noted]
Comment 6•3 years ago
Hello Brian! Does this issue still reproduce in the latest Firefox? If so, could you please provide some updated steps to reproduce or a testcase for this?
Thank you!
Flags: needinfo?(geeknik)
Reporter
Comment 7•3 years ago
Yes, this issue still reproduces in the latest Firefox. I am using Nightly (Build ID 20210209092956) and I just clicked on the original testcase attached to this report and the tab crashed after Firefox exhausted all RAM and SWAP. Other things enabled on this profile include Fission and WebRender (Software).
Flags: needinfo?(geeknik)
Reporter
Updated•3 years ago
Updated•2 years ago
Severity: critical → S2
Comment 8•2 years ago
High mem usage only triggered by files specifically constructed to cause such a problem, lowering severity -> S3.
Severity: S2 → S3
Flags: needinfo?(tnikkel)
Updated•2 years ago
See Also: → CVE-2023-32209
Updated•1 month ago
Keywords: reporter-external