Closed Bug 396791 Opened 17 years ago Closed 17 years ago

CSS parser uses uninitialized memory

Categories: Core :: CSS Parsing and Computation
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED DUPLICATE of bug 389685

Reporter: lcamtuf
Assignee: Unassigned

Hello again,

This is a pretty interesting bug, actually, although I had no time to analyze it in great detail...

If a STYLE="" parameter is encountered when parsing a tag (or any other STYLE value that is semantically empty, that is, one consisting of whitespace and comments alone), the Firefox CSS parser will apparently attempt to use the contents of a previous, already deallocated buffer and interpret this as a syntax element instead.

See bug URL for demo.

Using (and possibly freeing again) deallocated memory is obviously bad for security, and may easily lead to serious problems.

Another aspect of the problem is that the behavior persists across windows and domains, which possibly may lead to cross-site scripting or other cross-site disruptions if the target page contains a STYLE="" parameter (this is not considered a malicious parameter by many HTML filters).

This looks like a duplicate of bug 389685. What leads you to think that it's using "deallocated memory"?
Component: Security → Style System (CSS)
Product: Firefox → Core
QA Contact: firefox → style-system
Version: 2.0 Branch → Trunk

Indeed, that's the same problem, sorry.

What led me to believe this is the case is the fact that I get anything from the most recent CSS syntax elements to seemingly random data displayed on the JavaScript error console, depending on the sequence of events. Still, as I mentioned, I had no opportunity to research this in much detail; perhaps there is a static buffer that gets populated with silly data at some point.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Group: security
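The failure mode the two comments above describe, as an added illustration in C that is not Firefox's code: a tokenizer keeps its current token in a scratch buffer, and when the STYLE value is semantically empty (whitespace and comments only) the buggy version never writes that buffer and hands back whatever the previous parse left in it, which is why stale syntax elements show up on the error console. The fixed version resets the scratch state before every parse. The function names and the static buffer are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in, not Firefox's parser: the current token lives in one
 * static scratch buffer reused across calls. A static buffer makes the stale
 * data deterministic; a genuinely uninitialized read would return whatever
 * happened to be in memory, which is what the report describes. */
static char g_token[32];

/* Skip CSS whitespace and comments; returns the first significant byte. */
static const char *skip_trivia(const char *p) {
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (p[0] == '/' && p[1] == '*') {
            const char *end = strstr(p + 2, "*/");
            if (!end) return p + strlen(p);  /* unterminated: rest is trivia */
            p = end + 2;
            continue;
        }
        return p;
    }
}

/* Copy the leading property name into g_token; stops at ':' or blank. */
static void read_ident(const char *css) {
    size_t n = 0;
    while (css[n] && css[n] != ':' && css[n] != ' ' && n < sizeof g_token - 1) {
        g_token[n] = css[n];
        n++;
    }
    g_token[n] = '\0';
}

/* Buggy: g_token is only written when there is something to tokenize, so a
 * semantically empty STYLE value hands back the previous call's token. */
const char *first_property_buggy(const char *style) {
    const char *p = skip_trivia(style);
    if (*p != '\0') read_ident(p);
    return g_token;
}

/* Fixed: reset the scratch state before every parse so empty input yields "". */
const char *first_property_fixed(const char *style) {
    g_token[0] = '\0';
    const char *p = skip_trivia(style);
    if (*p != '\0') read_ident(p);
    return g_token;
}
```

Parsing "color: red" and then " /* nothing */ " with the buggy function returns "color" twice; the fixed function returns "" for the second call.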