Closed Bug 2018434 Opened 2 months ago Closed 2 months ago

stack overflow in CSSUnparsedValue

Categories

(Core :: CSS Parsing and Computation, defect)

Firefox 150
defect

Tracking


RESOLVED DUPLICATE of bug 1973126

People

(Reporter: happyercat, Unassigned)

Details

Attachments

(2 files)

Attached file poc.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15

Steps to reproduce:

Run poc.html in Firefox to reproduce the ASAN crash.

Actual results:

Crash with stack overflow; see asan.txt for details.

Expected results:

NO ASAN CRASH

Attached file asan.txt
Group: firefox-core-security → layout-core-security
Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core

A stack overflow is a content-process DoS, but I'm not sure it'd qualify as a security bug. In general we don't protect against stack overflows in CSS parsing, just like we don't protect against an OOM if you send us a really massive stylesheet.

ASAN builds also take a lot more stack space.

Let me know if I'm missing something, though. Also, I'm confused: there's no CSSUnparsedValue anywhere in the ASAN report? That's a TypedOM thing.

Flags: needinfo?(happyercat)

Yes, a stack overflow is different from an out of bounds access to the stack.

Summary: OOB in CSSUnparsedValue → stack overflow in CSSUnparsedValue

Yeah, I agree a stack overflow isn't a security issue. Feel free to close it. Many thanks!

Flags: needinfo?(happyercat)
Group: layout-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Duplicate of bug: css-nesting-limit
Resolution: --- → DUPLICATE
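The mitigation the duplicate's alias points at, a nesting limit on the CSS block parser so that deeply nested input is rejected instead of exhausting the content process's stack, shown as an added example. This is not Firefox's or Servo's code; the simplified block grammar, the function names and the cap of 64 are assumptions.

```rust
// Added illustration (not Firefox/Servo code): a recursive-descent parser for
// CSS-like nested `prelude { ... }` blocks that checks the nesting depth
// before each descent. Over-deep input yields an error rather than an
// unbounded recursion. MAX_NESTING is an assumed value.
const MAX_NESTING: usize = 64;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    NestingTooDeep { at_depth: usize },
    Unbalanced,
}

/// A parsed block: the text before its `{` (declarations included, for
/// simplicity) and its nested child blocks.
#[derive(Debug, Default, PartialEq)]
pub struct Block {
    pub prelude: String,
    pub children: Vec<Block>,
}

/// Parse blocks at `depth` starting at `pos`; returns the blocks and the
/// position just past the closing `}` (or end of input at depth 0).
fn parse_blocks(src: &[u8], mut pos: usize, depth: usize) -> Result<(Vec<Block>, usize), ParseError> {
    let mut out = Vec::new();
    let mut prelude = String::new();
    while pos < src.len() {
        match src[pos] {
            b'{' => {
                // Bound the recursion before descending.
                if depth + 1 > MAX_NESTING {
                    return Err(ParseError::NestingTooDeep { at_depth: depth + 1 });
                }
                let (children, next) = parse_blocks(src, pos + 1, depth + 1)?;
                out.push(Block { prelude: prelude.trim().to_string(), children });
                prelude.clear();
                pos = next;
            }
            b'}' if depth == 0 => return Err(ParseError::Unbalanced),
            b'}' => return Ok((out, pos + 1)),
            c => { prelude.push(c as char); pos += 1; } // ASCII-only input assumed
        }
    }
    if depth == 0 { Ok((out, pos)) } else { Err(ParseError::Unbalanced) }
}

pub fn parse_stylesheet(src: &str) -> Result<Vec<Block>, ParseError> {
    parse_blocks(src.as_bytes(), 0, 0).map(|(blocks, _)| blocks)
}

/// Depth of the deepest block in a parsed tree (0 for no blocks).
pub fn max_depth(blocks: &[Block]) -> usize {
    blocks.iter().map(|b| 1 + max_depth(&b.children)).max().unwrap_or(0)
}
```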
