recursive document.write prevents browser from shutting down completely

Status: NEW
Assignee: Unassigned
Product / Component: Core / DOM: Core & HTML
Severity: critical
Reported: 15 years ago
Last updated: 8 years ago
Reporter: Tim Barber
Version: Trunk
Platform: x86 / Windows XP
Attachments: 1

Description (Reporter, 15 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126

Scripts like this one run indefinitely, locking up mozilla and leaving a phantom
process on XP:

<html><script>
d=document; j=0;
x='<br><scr'+'ipt>d.write(x);alert(j++);</scr'+'ipt>';
d.write(x);
</script></html>
Reproducible: Always

Steps to Reproduce:
Try this script, with or without alert.  Similar effects can be created by
abusing eval or setTimeout.

<html><script>
d=document; j=0;
x='<br><scr'+'ipt>d.write(x);alert(j++);</scr'+'ipt>';
d.write(x);
</script></html>
Actual Results:
Browser lockup.  Phantom process running after browser closed.  Likely buffer
overflow.

Expected Results:
Ideally Mozilla would "kill the children" at some level.  It looks like IE
ignores dynamically generated scripts at the 4th generation.  Note that similar
restrictions are needed to prevent mischief with eval and setTimeout.

Comment 1

15 years ago
Not a JS Engine issue; JS Engine contains no browser objects
such as |document| nor HTML nodes such as <script>.

This could be assigned either to DOM or to Security:General.
Sending to DOM for further triage.

Note this is the DOM equivalent of the Layout bug 136580,
"Catch recursive content much sooner"

Perhaps there is already a DOM bug on file for this issue, 
but I couldn't find it -
Assignee: rogerl → jst
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → DOM Level 0
Ever confirmed: true
QA Contact: pschwartau → desale

Updated

15 years ago
Summary: Scripts that write scripts can cause buffer overflow. → recursive document.write prevents browser from shutting down completely
Comment 2

I can't reproduce this on CVS build on Linux.

The script stops on j=997 and Mozilla is functioning as expected and can be
closed fine.
Only 1.2 or Windows issue?

Comment 3

I've seen this before - it causes an infinite recursion, but I've seen no
evidence that it's an exploitable buffer overrun.

Comment 4

Is there any explanation why this does not work on Linux?

Comment 5

Mass-reassigning bugs to dom_bugs@netscape.com
Assignee: jst → dom_bugs

Comment 6

15 years ago
*** Bug 214198 has been marked as a duplicate of this bug. ***

Comment 7

10 years ago
Created attachment 285864 [details]
testcase

fixed by bug 197052 ?

Comment 8

10 years ago
(In reply to comment #7)
> Created an attachment (id=285864) [details]
> testcase
> 
> fixed by bug 197052 ?

needs verification - reporter is gone
Assignee: general → nobody
QA Contact: desale → general