Nested XSL can crash tab
Categories
(Core :: XSLT, defect)
Tracking
()
People
(Reporter: hanno, Unassigned)
Details
Attachments
(2 files)
A deeply nested XSL stylesheet can crash a firefox tab.
I've attached a python script that creates xsl files including each other. 0.xsl includes 1.xsl, 1.xsl includes 2.xsl, etc.
This can crash a firefox tab with a stack overflow.
To reproduce:
- Run makexslnested python script attached to this bug.
- Place all the generated files in a dir on a web server (does not work locally due to same origin protection).
- Point firefox to start.xml
- Wait a few minutes (crash happens after around 30,000 nested files)
XSL nesting should probably have a depth limit. (FWIW: The xsltproc tool from libxslt stops after a depth of 40.)
Crash report from ASAN build (will attach full stack trace):
`[...]
#245 0x7f41618f419c in txStylesheetCompiler::loadURI(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ReferrerPolicy, txStylesheetCompiler*) /builds/worker/checkouts/gecko/dom/xslt/xslt/txStylesheetCompiler.cpp:370:33
#246 0x7f41618f419c in txStylesheetCompiler::loadURI(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ReferrerPolicy, txStylesheetCompiler*) /builds/worker/checkouts/gecko/dom/xslt/xslt/txStylesheetCompiler.cpp:370:33
#247 0x7f41618f419c in txStylesheetCompiler::loadURI(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ReferrerPolicy, txStylesheetCompiler*) /builds/worker/checkouts/gecko/dom/xslt/xslt/txStylesheetCompiler.cpp:370:33
SUMMARY: AddressSanitizer: stack-overflow /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:99:10 in corrected_sendmsg
`
|
Reporter | |
Comment 1•22 days ago
|
||
|
||
Updated•21 days ago
|
|
|
||
Comment 2•20 days ago
|
||
Resource exhaustion crashes in content processes don't really need to be hidden.
|
|
||
Updated•20 days ago
|
Description
•