firefox denial-of-service triggered by infinitely long page title
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
People
(Reporter: pho.sco.glass, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-dos, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Firefox Broswer version 102.2.1 on Android 12
I am able to cause firefox to crash using the following code:
test.php -------
<!doctype html>
<html>
<head>
<title><?php for(;;){echo "a";}
|
||
Comment 1•2 years ago
|
||
--> Fenix for initial triage, given this was reported as a mobile bug.
|
||
Comment 2•2 years ago
|
||
This file looks incomplete, there is no closing php tag. The file looks to create an infinitely long title. This looks like a variation of bug 432687
|
||
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
This file looks incomplete, there is no closing php tag.
The closing tag at the end of a PHP file is optional.
|
||
Comment 4•2 years ago
|
||
I tested this and reproduced on both Desktop and Android, which both become unresponsive and eventually crash. Ideally, a fix here shouldn't be mobile specific.
|
||
Comment 5•2 years ago
|
||
The severity field is not set for this bug.
:dveditz, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Updated•1 year ago
|
|
||
Comment 6•1 year ago
|
||
Interestingly, on desktop this manages to crash the parent due to a too large IPC message. Let's start by addressing that, since it's arguably more severe than a content process reaching an nsString length limit or similar.
https://crash-stats.mozilla.org/report/index/3f5a8c49-46bc-40ff-92c7-cb3d60221124
|
|
||
Comment 7•1 year ago
|
||
The severity field is not set for this bug.
:gw, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Updated•1 year ago
|
|
||
Comment 8•1 year ago
|
||
From the crash stack this looks like it could be another instance of bug 1772994.
|
|
||
Updated•22 days ago
|
Description
•