Mozilla crashes upon loading encoded text

RESOLVED FIXED in mozilla1.3beta

Status


P2
critical
RESOLVED FIXED
16 years ago
16 years ago

People

(Reporter: raccettura, Assigned: harishd)

Tracking

({hang})

Trunk
mozilla1.3beta
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fix in hand], URL)

Attachments

(1 attachment, 1 obsolete attachment)

781 bytes, patch; hjtoi-bugzilla: review+
(Reporter)

Description

16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

I was working on a PHP script when I found out that the following string, loaded
by Mozilla, results in a crash (when not surrounded by any HTML).

An example is the link I made.  The script outputs ONLY the text below.
&#114:&#111:&#098:&#101:&#114:&#116:&#

Reproducible: Always

Steps to Reproduce:
1.  Load URL

Actual Results:  
Mozilla hung.  It took my system (Thinkpad 1.8GHz P4 w/512MB RAM) about 4
minutes to get the Task Manager open.  Although it didn't render completely, I
was able to see that the available system memory dropped down to 4000k, and the
paging file was off the chart.  CPU wasn't too bad.  But my hard drive was
burning.  My guess is there is a memory leak or something.

Expected Results:  
Should have displayed output without stress.
Confirming with today's win2k trunk build:
NTDLL! 778cbc99()
NTDLL! 778cbd4e()
NTDLL! 778cbbb3()
_heap_alloc_base(unsigned int 4912) line 200
_heap_alloc_dbg(unsigned int 4871, int 1, const char * 0x00000000, int 0) line
378 + 9 bytes
_nh_malloc_dbg(unsigned int 4871, int 0, int 1, const char * 0x00000000, int 0)
line 248 + 21 bytes
malloc(unsigned int 4871) line 130 + 21 bytes
PR_Malloc(unsigned int 4871) line 474 + 10 bytes
PL_ArenaAllocate(PLArenaPool * 0x03b9865c, unsigned int 40) line 210 + 10 bytes
nsFixedSizeAllocator::Alloc(unsigned int 40) line 128 + 73 bytes
CToken::operator new(unsigned int 40, nsFixedSizeAllocator & {...}) line 128
nsTokenAllocator::CreateTokenOfType(eHTMLTokenTypes eToken_entity, nsHTMLTag
eHTMLTag_entity) line 1362 + 14 bytes
nsHTMLTokenizer::ConsumeEntity(unsigned short 38, CToken * & 0x00000000,
nsScanner & {...}) line 846 + 15 bytes
nsHTMLTokenizer::ConsumeToken(nsHTMLTokenizer * const 0x03baac58, nsScanner &
{...}, int & 0) line 504 + 24 bytes
nsParser::Tokenize(int 1) line 2545 + 26 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1772 + 31 bytes
nsParser::OnStopRequest(nsParser * const 0x03b98634, nsIRequest * 0x039cce48,
nsISupports * 0x00000000, unsigned int 0) line 2453 + 21 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03aaac50,
nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 257
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03a84048,
nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x039cce4c, nsIRequest *
0x03aab5ac, nsISupports * 0x00000000, unsigned int 0) line 3020
nsOnStopRequestEvent::HandleEvent() line 213
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03ba4edc) line 116
PL_HandleEvent(PLEvent * 0x03ba4edc) line 663 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ea6410) line 593 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002e03aa, unsigned int 49372, unsigned int 0,
long 15361040) line 1379 + 9 bytes
USER32! 77e2a290()
USER32! 77e045b1()
USER32! 77e0a752()
nsAppShellService::Run(nsAppShellService * const 0x00f70f78) line 472
main1(int 2, char * * 0x00276ac8, nsISupports * 0x00276b40) line 1543 + 32 bytes
main(int 2, char * * 0x00276ac8) line 1904 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e8ca90()
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
(Reporter)

Comment 2

16 years ago
Should also note bug 188366
(Assignee)

Comment 3

16 years ago
Created attachment 111089 [details] [diff] [review]
patch v1.0

Prevent the crash/hang by consuming the entity-look-alike (&#) as text. That
is, what we initially thought of as an entity is not really an entity and hence,
by returning the result NS_HTMLTOKENS_NOT_AN_ENTITY, we consume the markup as
text.
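The fix described in this comment, in general terms: when the tokenizer sees "&#" that does not turn out to be a well-formed numeric character reference, it must hand that text back as literal characters and still advance, rather than treating it as an entity again. The following is an added illustration written for this page; it is not the Gecko patch or any part of nsHTMLTokenizer. The function and enum names (consumeNumericEntity, decodeText, EntityResult) are this example's own. It decodes only ASCII decimal references for simplicity and enforces the one invariant that matters for the hang: every loop iteration consumes at least one character of input. The reporter's string uses ':' instead of ';' after each number and ends in a bare "&#", so all of it should come out as literal text; the same digits terminated with ';' decode to "robert".

```cpp
#include <cassert>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Outcome of trying to consume a numeric character reference at a '&'.
enum class EntityResult { Entity, NotAnEntity };

// Try to consume "&#<decimal digits>;" starting at pos.
// On success: append the decoded ASCII character to out, advance pos past
// the ';', and return Entity.
// On failure: leave pos untouched and return NotAnEntity, so the caller
// emits the '&' as ordinary text and advances by one character itself.
EntityResult consumeNumericEntity(const std::string& in, std::size_t& pos,
                                  std::string& out) {
    std::size_t p = pos;
    if (p >= in.size() || in[p] != '&') return EntityResult::NotAnEntity;
    ++p;
    if (p >= in.size() || in[p] != '#') return EntityResult::NotAnEntity;
    ++p;

    const std::size_t digitsStart = p;
    unsigned long value = 0;
    while (p < in.size() && std::isdigit(static_cast<unsigned char>(in[p]))) {
        value = value * 10 + static_cast<unsigned long>(in[p] - '0');
        if (value > 0x10FFFF) return EntityResult::NotAnEntity;  // overflow guard
        ++p;
    }
    // "&#" followed by no digits at all (the trailing "&#" in the report).
    if (p == digitsStart) return EntityResult::NotAnEntity;
    // Must be terminated by ';' ("&#114:" is not an entity).
    if (p >= in.size() || in[p] != ';') return EntityResult::NotAnEntity;
    ++p;
    // This example only decodes printable ASCII; anything else is left as text.
    if (value < 0x20 || value > 0x7E) return EntityResult::NotAnEntity;

    out.push_back(static_cast<char>(value));
    pos = p;
    return EntityResult::Entity;
}

// Decode a whole text run. The loop invariant that prevents an endless
// re-tokenization of the same "&#": pos strictly increases every iteration,
// whether or not an entity was recognised.
std::string decodeText(const std::string& in) {
    std::string out;
    std::size_t pos = 0;
    while (pos < in.size()) {
        const std::size_t before = pos;
        if (in[pos] == '&' &&
            consumeNumericEntity(in, pos, out) == EntityResult::Entity) {
            // Entity consumed; pos was advanced by consumeNumericEntity.
        } else {
            out.push_back(in[pos]);  // literal text, including a lone '&' or "&#"
            ++pos;
        }
        assert(pos > before);  // progress invariant
    }
    return out;
}

int main() {
    // Constructed inputs: the reporter's string (':' terminators, trailing "&#")
    // and the same digits with proper ';' terminators.
    const std::string reported = "&#114:&#111:&#098:&#101:&#114:&#116:&#";
    const std::string wellFormed = "&#114;&#111;&#098;&#101;&#114;&#116;";
    std::cout << decodeText(reported) << '\n';    // unchanged: treated as text
    std::cout << decodeText(wellFormed) << '\n';  // robert
    return 0;
}
```

The key design point is the contract between the two functions: consumeNumericEntity never advances the position on failure, and decodeText always advances by at least one on its own when it receives NotAnEntity. A tokenizer that lets a failed entity parse leave the cursor in place, or that allocates a new token before deciding whether the input was an entity, turns a malformed reference into unbounded work and memory, which matches the symptoms in the report.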
(Assignee)

Updated

16 years ago
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [fix in hand]
Target Milestone: --- → mozilla1.3beta
(Assignee)

Updated

16 years ago
Attachment #111089 - Flags: superreview?(jst)
Attachment #111089 - Flags: review?(heikki)
(Assignee)

Comment 4

16 years ago
Created attachment 111090 [details] [diff] [review]
patch v1.1

Addressing reviewer's concern.
(Assignee)

Updated

16 years ago
Attachment #111089 - Flags: superreview?(jst)
Attachment #111089 - Flags: review?(heikki)
(Assignee)

Updated

16 years ago
Attachment #111090 - Flags: superreview?(jst)
Attachment #111090 - Flags: review?(heikki)
(Assignee)

Updated

16 years ago
Attachment #111089 - Attachment is obsolete: true
Attachment #111090 - Flags: review?(heikki) → review+
Comment on attachment 111090 [details] [diff] [review]
patch v1.1

sr=jst
Attachment #111090 - Flags: superreview?(jst) → superreview+
(Assignee)

Comment 6

16 years ago
Fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED