Closed Bug 288143 Opened 20 years ago Closed 20 years ago

Browser goes into infinite loop while processing HTML font attribute

Categories

(Core Graveyard :: GFX: Gtk, defect)

Product:
Core Graveyard
Component:
GFX: Gtk
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: andys, Assigned: MatsPalmgren_bugz)

Details

(Keywords: hang)

Attachments

(2 files, 1 obsolete file)

Testcase (100000)
195.36 KB, text/html
Details
Patch rev. 2
3.23 KB, patch
benjamin
: approval1.8b3+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 The Mozilla browser goes into an infinite loop when trying to process an HTML page in *nix with the element/attribute pair <font face="a,a,a,...,a,a"/>, where the number of faces is greater than 2^16. This is due to the way that font faces are processed in FindStyleSpecificFont(PRUint32 aChar) in file nsFontMetricsGTK.cpp. The number of font faces (mFonts.Count()) is allowed to be greater than 2^16 while the counter mFontsIndex in the processing loop is of type PRUint16. When looping through the faces, mFontsIndex is incremented with the statement mFontsIndex++. If there are more than 2^16 font faces, mFontsIndex eventually returns to 0, and the loop never ends. Reproducible: Always Steps to Reproduce: 1. Create HTML page containing element/attribute pair <font face="a,a,a,...,a,a,a"/>, where the number of faces is greater than 2^16; 2. Load HTML page into Mozilla browser on *nix. Actual Results: Mozilla went into an infinite loop and did not respond, taking up more and more CPU. Mozilla then had to be killed. Expected Results: Mozilla should have processed the fonts without error.
Assignee: parser → blizzard
Component: HTML: Parser → GFX: Gtk
QA Contact: mrbkap → ian
IMO the severity should be set as "enhancement" as it is nearly impossible to have 2^16 fonts installed...
(In reply to comment #1) > IMO the severity should be set as "enhancement" as it is nearly impossible to > have 2^16 fonts installed... Of course this doesn't make sense ;), but it shouldn't be possible so to hang Mozilla with such faulty html.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
Could you please attach a "minimal" testcase with this issue... minimal as in, 2^16+5 or so fonts specified and minimal html. This will help me (or more likely, someone else) be able to find where the problem is and possibly fix this. Also a link of at least one "production" page which this is a problem on will help boost it on developers priority list, I believe.
Flags: blocking1.8b3?
Attached file Testcase (100000)
Attached patch Patch rev. 1 (obsolete) — Splinter Review
Compiled and tested on GTK1, but not on the other platforms. GTK2 is not affected.
Attachment #187220 - Flags: superreview?(dbaron)
Attachment #187220 - Flags: review?(dbaron)
Comment on attachment 187220 [details] [diff] [review] Patch rev. 1 r+sr=dbaron if you fix mGenericIndex in nsFontMetricsOS2.h and nsFontMetricsWindows.h (And there are no object size changes for any of these changes either!)
Attachment #187220 - Flags: superreview?(dbaron)
Attachment #187220 - Flags: superreview+
Attachment #187220 - Flags: review?(dbaron)
Attachment #187220 - Flags: review+
Attached patch Patch rev. 2Splinter Review
Updated as David requested.
Attachment #187220 - Attachment is obsolete: true
Attachment #187251 - Flags: approval1.8b3?
Assignee: blizzard → mats.palmgren
Comment on attachment 187251 [details] [diff] [review] Patch rev. 2 a=me, I'll land this ASAP.
Attachment #187251 - Flags: approval1.8b3? → approval1.8b3+
fixed on trunk
Status: NEW → RESOLVED
Closed: 20 years ago
Flags: blocking1.8b3?
Resolution: --- → FIXED
Using build 2005-07-07-06 on Windows XP SeaMonkey trunk, it took around 47 seconds on a 3.2 GHz Intel Pentium 4 HT with 1 GB of PC 2700 DDR RAM, but no long-term hang. (Oddly enough, IE simply displays the HTML inline rather instantaneously.) Verified FIXED
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: