Firefox Heap Corruption

May 21, 2008 – 6:08 AM

I forgot to tell you all about this, actually. I found this about 8 months back and never discussed it for various reasons. Since I saw that Mozilla has fixed a lot of memory leaks inside Firefox 2/3, I guess it’s safe to say I can talk about this now. It still works in the latest Firefox build. So, what is going on? Well, I found out that when you utilize the document.open, document.write, and document.close procedure by writing into an iframe, it usually runs into trouble when a block of code fails to execute between writing in the JSframe and closing the JSframe. Sounds plausible so far, I guess, but it’s more interesting when you use an empty applet. An empty applet fails to load and therefore the JSframe can’t close the writing procedure, since Firefox already closed it because of the applet failing -or- because there are instructions being written to the heap due to Java memory allocation at the same time JavaScript tries to close the iframe. That results in the problem that the parent JS thread still tries to close the iframe -since that was the instruction- but can’t 🙂 which in turn eats its way through the heap, because it’s running multiple instructions in a process -which heaps are for, eh- which then results in possible invalid memory, I figured, then gives up and goes into reverse. 😉

When executing the example below, it tries to load the applet, runs into memory and fails to close. In my test environment the browser becomes unresponsive and text being typed in the URL bar is reversed. If I let it run a couple of minutes, or try to navigate, it results in a heap corruption, for God knows what. Anyway, I am too lazy to perform a stack trace; I’ll leave that as an exercise for you, and also because my current copy of AutoDebug has expired 🙂 Heap corruptions are usually very serious but hard to exploit correctly, because if controlled properly they can be used to execute code on a user’s system. I won’t go into that because I simply don’t have the time, concentration nor interest for it. So bear with me on this one; I might do an article on this in the near future.

<script>
// It might not work on your platform due to a ton of reasons.
// tested on WinXP SP2 JRE version 1.6.0_01
function run() {
	var data = '<applet src="javascript:" id="x">';
	y.document.open();
	y.document.write(data);
	y.document.close();
}
</script>

<input name="button" value="Run" onclick="run()" type="button">

<iframe name="y" id="x" src="" frameborder="1" height="200"></iframe>

Source: 0x000000