Closed Bug 2019102 Opened 2 months ago Closed 2 months ago

CSS @container/@supports/@scope/@media nesting causes content process stack overflow

Categories

(Core :: CSS Parsing and Computation, defect)


RESOLVED DUPLICATE of bug 1973126

People

(Reporter: nohsecbug, Unassigned)

Details

(Keywords: ai-involved, reporter-external, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Attached file poc.html

Description

Deeply nested CSS at-rules (@container, @supports, @scope, @media) crash the content process via stack overflow in the query condition parser. No user interaction required — visiting a page with the malicious CSS is sufficient.

Steps to reproduce:

  1. Save attached poc.html to disk
  2. Open in Firefox: firefox --no-remote poc.html
  3. Tab crashes: "Gah. Your tab just crashed."

ASan output (mozilla-central, macOS 26.3, aarch64):

==67256==ERROR: AddressSanitizer: stack-overflow on address 0x00016b2d3ba0
    #0 cssparser::parser::Delimiters::from_byte
    #1 style::queries::condition::QueryCondition::parse_in_parenthesis_block
    #2 style::queries::feature_expression::QueryFeatureExpression::parse_in_parenthesis_block
    #3 style::queries::condition::QueryCondition::parse_in_parenthesis_block
    ... (cycle repeats 100+ times)
SUMMARY: AddressSanitizer: stack-overflow in Delimiters::from_byte

Root cause: QueryCondition::parse_in_parenthesis_block() in servo/components/style/queries/condition.rs parses condition expressions for at-rules. Nested at-rules cause the generic CSS rule parser to recurse back into the query condition parser with no depth limit. Input like @container (min-width: 0px) { @container (min-width: 0px) { ... } } recurses until stack exhaustion. All four at-rules (@container, @supports, @scope, @media) share this parser and are affected.

Suggested fix: Add a depth counter to QueryCondition::parse_in_parenthesis_block() with a limit of 32.

Severity: sec-high — reliable zero-click content process crash. Affects all Firefox versions using Stylo (57+ for @media/@supports, 110+ for @container), all platforms.
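The mitigation the report suggests (a depth counter on the parenthesis-block parser) is shown below on a toy recursive-descent parser for nested parenthesised query conditions. This is an added example, not Stylo's code; the names MAX_CONDITION_DEPTH, ParseError, Condition, parse_in_parenthesis_block, parse_condition and depth_of are assumptions, and the nested-parenthesis inputs in the comments are constructed.

```rust
// Added example, not Stylo's code. Toy parser for "( cond )" blocks where the
// content is either a leaf feature expression or another parenthesised block.
const MAX_CONDITION_DEPTH: usize = 32; // limit proposed in the bug report (assumed name)

#[derive(Debug, PartialEq)]
pub enum ParseError { TooDeep, Unbalanced, Empty }

#[derive(Debug, PartialEq)]
pub enum Condition {
    Feature(String),         // leaf, e.g. "min-width: 0px"
    Nested(Box<Condition>),  // "( ... )" wrapping another condition
}

/// Parse one parenthesised block, returning the condition and bytes consumed.
/// `depth` counts how many blocks we are already inside. Exceeding the limit
/// returns an error instead of recursing again, which bounds stack usage.
fn parse_in_parenthesis_block(input: &str, depth: usize) -> Result<(Condition, usize), ParseError> {
    if depth > MAX_CONDITION_DEPTH {
        return Err(ParseError::TooDeep);
    }
    if !input.starts_with('(') {
        return Err(ParseError::Unbalanced);
    }
    let inner = &input[1..];
    let (cond, used) = if inner.starts_with('(') {
        // Nested block: recurse with the depth counter incremented.
        let (c, n) = parse_in_parenthesis_block(inner, depth + 1)?;
        (Condition::Nested(Box::new(c)), n)
    } else {
        // Leaf feature expression: text up to the closing ')'.
        let end = inner.find(')').ok_or(ParseError::Unbalanced)?;
        let text = inner[..end].trim();
        if text.is_empty() { return Err(ParseError::Empty); }
        (Condition::Feature(text.to_string()), end)
    };
    // The inner content must be followed by this block's own closing ')'.
    match inner[used..].bytes().next() {
        Some(b')') => Ok((cond, used + 2)),
        _ => Err(ParseError::Unbalanced),
    }
}

/// Entry point: the whole trimmed input must be exactly one condition.
pub fn parse_condition(input: &str) -> Result<Condition, ParseError> {
    let s = input.trim();
    let (cond, used) = parse_in_parenthesis_block(s, 0)?;
    if used == s.len() { Ok(cond) } else { Err(ParseError::Unbalanced) }
}

/// Number of Nested levels around the leaf; 33 parentheses parse to depth 32.
pub fn depth_of(c: &Condition) -> usize {
    match c { Condition::Feature(_) => 0, Condition::Nested(inner) => 1 + depth_of(inner) }
}
```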

URL

(n/a — local HTML file)

Flags: sec-bounty?
Group: firefox-core-security
Component: Security → CSS Parsing and Computation
Keywords: ai-involved
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Duplicate of bug: css-nesting-limit
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Duplicate of this bug: 2026073
