1504510 - Firefox is being crashed, everytime it find chunked stream ending with zero and sending data after that also

Status: RESOLVED DUPLICATE of bug 1504512

(Firefox :: Untriaged, defect)

Description

[SAIKUMAR]

Attachment: This file contains http response, which can make firefox crash

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

Firefox is being crashed, when it tried to process the chunked data. when Transfer-Encoding header is used, we suppose to send the data in the chunks form. When all the chunks being transferred, we need to tell the client with chunk length zero. so that it understands chunked stream completed. 

But if we send the data after sending zero length, then firefox not able to understand it, and it being crashed.

Example:

5
Don't
5
be af
5
firef
5
ox is
0      
crash(after saying it is end, we still sending some data)    
\r\n


 ---->here we are saying no chunked data after this.so that it should end with         \r\n. But we  are sending some data after this also. Like

steps to reproduce the crash
1)download the firefoxcrash.txt
2)nc -lp 8000 < firefoxcrash.txt
3)browe the url from firefox like 
http://localhost:8000
4)then close the netcat client. then you will obserev the firefox crash.


Actual results:

Mozilla firefox is unable to process the invalid chunk end length. It is being crashed every time when invalid chunk end length comes.




Expected results:

It should have not process the payload or it should raise an error instead of crashing.