Crash the Firefox by passing huge string as an argument to a method DOMParser.parseFromString API
Category: Core :: XML (defect)
Reporter: tejasajaynaik1996 (Unassigned)
Attachments: 2 files
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Steps to reproduce:
Steps to execute:
Open test.html and move the cursor onto the click button, and you will end up with a crash.
Inside my test.html:
I have written a JavaScript inside the HTML code. In that script, I created a DOMParser object,
then I triggered the DOMParser.parseFromString method and passed a huge string of open tags (without closing) as an argument.
Successfully tested on
Operating system: Windows 10 x64, Linux x64 (Ubuntu 18.04)
Firefox version: 67.0.4
Actual results:
After writing such a script, it was found that the tab crashes, maybe due to a stack overflow.
Comment 1•6 years ago
Can you take a look at this, Jason?
Comment 2•6 years ago
This looks like a familiar stack trace but I can't seem to find a matching bug for it.
==27149==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2f0d0ff8 (pc 0x7fb1982eb3de bp 0x7ffe2f0d10b0 sp 0x7ffe2f0d1000 T0)
#0 0x7fb1982eb3dd in HasFlag /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:270:14
#1 0x7fb1982eb3dd in HasProperties /builds/worker/workspace/build/src/dom/base/nsINode.h:848
#2 0x7fb1982eb3dd in nsINode::GetProperty(nsAtom const*, nsresult*) const /builds/worker/workspace/build/src/dom/base/nsINode.cpp:169
#3 0x7fb19dc4c32e in GetPseudoElementType /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1086:16
#4 0x7fb19dc4c32e in nsXMLElement::UnbindFromTree(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLElement.cpp:30
#5 0x7fb197fa2d87 in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:1964:12
...truncated...
#249 0x7fb197fa2d87 in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:1964:12
#250 0x7fb19dc4c3c7 in nsXMLElement::UnbindFromTree(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLElement.cpp:48:12
SUMMARY: AddressSanitizer: stack-overflow /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:270:14 in HasFlag
Comment 3•6 years ago
Simplified testcase.
Comment 4•6 years ago
This seems to be due to a recent change. Bisected to:
Start: 0679bf09303e001b724bb4852237277697824287 (20190611094001)
End: ee33e076cbcbe786125f83079bd8e5b43bb73a99 (20190611213319)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0679bf09303e001b724bb4852237277697824287&tochange=ee33e076cbcbe786125f83079bd8e5b43bb73a99
Emilio, could this be related to your changes in bug 1555133?
Comment 5•6 years ago
Seems unlikely.
The original test-case reproduces with Firefox 60. That patch only landed in 69, and the reporter says their test-case works on 67 (which is true).
Boris, we don't seem to be limiting the DOM depth of the XML parser. HTML does have a limit, are you familiar with why XML doesn't / whether it should have one?
Comment 6•6 years ago
There's been on and off discussion about that; mostly it needs someone to make a decision. I don't think this is a security issue apart from being DoS (this is "ran out of stack", not "write past the end of stack", which is a safe crash). Notably, bug 485941 is public and has been for over 10 years.
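A defensive pre-check in the spirit of the depth limit discussed in the two comments above, added here as an example (it is not Firefox code and not from this bug): it estimates the element nesting depth of an XML string before the string reaches DOMParser.parseFromString and rejects input above a cap. The cap of 512 and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not Firefox source: bound XML nesting depth before parsing so
// that pathologically deep documents are rejected instead of being handed to a
// recursive DOM parser. MAX_XML_DEPTH is an assumed application policy value.
const MAX_XML_DEPTH = 512;

// Linear scan over the markup without building a tree. Comments, CDATA
// sections, processing instructions and declarations contain no element
// nesting and are skipped. Returns the deepest count of simultaneously open
// elements. Limitation: a '>' inside an attribute value is not handled.
function maxXmlNestingDepth(xml) {
  let depth = 0;
  let maxDepth = 0;
  let i = 0;
  const n = xml.length;
  while (i < n) {
    const lt = xml.indexOf("<", i);
    if (lt === -1) break;
    if (xml.startsWith("<!--", lt)) {
      const end = xml.indexOf("-->", lt + 4);
      i = end === -1 ? n : end + 3;
    } else if (xml.startsWith("<![CDATA[", lt)) {
      const end = xml.indexOf("]]>", lt + 9);
      i = end === -1 ? n : end + 3;
    } else if (xml.startsWith("<?", lt) || xml.startsWith("<!", lt)) {
      const end = xml.indexOf(">", lt);
      i = end === -1 ? n : end + 1;
    } else {
      const end = xml.indexOf(">", lt);
      if (end === -1) break; // unterminated tag: nothing more to count
      if (xml[lt + 1] === "/") {
        depth = Math.max(0, depth - 1); // end tag closes one level
      } else if (xml[end - 1] !== "/") {
        depth += 1; // start tag opens one level; self-closing tags do not
        if (depth > maxDepth) maxDepth = depth;
      }
      i = end + 1;
    }
  }
  return maxDepth;
}

// Gatekeeper to call before DOMParser.parseFromString (or any recursive parser).
function isSafeToParse(xml, limit = MAX_XML_DEPTH) {
  return maxXmlNestingDepth(xml) <= limit;
}

// Constructed inputs: a normal document and the unclosed-open-tags shape from the report.
const shallowXml = "<root><a><b/></a><!-- <x><y><z> --><c>text</c></root>";
const deepXml = "<a>".repeat(5000);
```

isSafeToParse(shallowXml) is true while isSafeToParse(deepXml) is false, so the deep input never reaches the parser.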
Comment 7•6 years ago
Please do not put back the security group.