Closed Bug 239840 (CVE-2006-2723) Opened 21 years ago Closed 4 years ago

hang when many nested <marquee> tags are used. exponential time increase

Categories

(Core :: Layout, defect)

defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: nomel, Unassigned)

Details

(Keywords: hang, Whiteboard: [sg:dos])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031208
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031208

A clickable example with a time vs. number-of-<dl>-tags graph is located at
http://broken.pc.cz/index.html. The actual HTML that causes the hang is at
http://broken.pc.cz/test.htm (careful!). Hang seems to be extremely slow
rendering. This DOES affect Mozilla, Firefox, and Safari. DOES NOT affect Opera
and IE. All others are untested.

Reproducible: Always
Steps to Reproduce:
1. Open HTML with hang code.
Actual Results:
Hang. It does resume after a certain amount of time. This time can be extended
into years though.

Expected Results:
Not render the page, to keep from having problems, or render the
marquee without indentation from <dl>, or display a warning.

All times on graph at http://broken.pc.cz/index.html were for a 1Ghz PIII.
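As an added example (not part of the bug report or of Mozilla's code), a content-filter check a defender could run on untrusted markup to flag the pattern this bug describes: deeply nested <marquee> tags, or marquees with huge height attributes as in the later testcase. It assumes a simple tag tokenizer is adequate for the input, and the thresholds are assumed values.

```javascript
// Added example: flag HTML whose <marquee> nesting depth or declared
// height exceeds a policy limit (the layout-time blowup reported here).
// Assumption: a regex tag tokenizer is sufficient for the input.

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const HEIGHT_RE = /\bheight\s*=\s*["']?(\d+)/i;

// Walk the tags once, tracking current nesting depth of `tagName`
// and the largest numeric height attribute seen on one of them.
function marqueeStats(html, tagName = "marquee") {
  let depth = 0, maxDepth = 0, maxHeight = 0;
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, name, attrs] = m;
    if (name.toLowerCase() !== tagName) continue;
    if (closing) {
      depth = Math.max(0, depth - 1); // tolerate stray close tags
    } else {
      depth += 1;
      maxDepth = Math.max(maxDepth, depth);
      const h = attrs.match(HEIGHT_RE);
      if (h) maxHeight = Math.max(maxHeight, parseInt(h[1], 10));
    }
  }
  return { maxDepth, maxHeight };
}

// Policy check; limits are assumed values, tune them for your context.
function isSuspiciousMarquee(html, limits = { maxDepth: 5, maxHeight: 10000 }) {
  const s = marqueeStats(html);
  return s.maxDepth > limits.maxDepth || s.maxHeight > limits.maxHeight;
}

// Constructed samples: one ordinary marquee, and one nested 20 deep.
const BENIGN = '<p>hi</p><marquee height="20">text</marquee>';
const NESTED = "<marquee>".repeat(20) + "x" + "</marquee>".repeat(20);

console.log(marqueeStats(BENIGN), isSuspiciousMarquee(BENIGN)); // false
console.log(marqueeStats(NESTED), isSuspiciousMarquee(NESTED)); // true
```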
confirmed
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040402
Firefox/0.8.0+
Version: Trunk → 1.4 Branch
Attached file Attached testcase
Same testcase as mentioned before.

It hangs on my computer too, but when I have javascript turned off, it doesn't
hang.
I see this also in Mozilla1.7RC2
with a recent moz cvs trunk build all I see is JavaScript errors about too much
recursion, no "hang". fixed?
ok spoke too soon, will investigate
Status: UNCONFIRMED → NEW
Ever confirmed: true
a slightly different testcase from bug 265027
https://bugzilla.mozilla.org/attachment.cgi?id=162508&action=view

no <dl>s just <marquee>s with huge height attributes.
Product: Browser → Seamonkey
I split the marquee hang from comment 6 into bug 288931 as it is very different
Assignee: general → nobody
Component: General → Layout
Product: Mozilla Application Suite → Core
QA Contact: general → layout
Version: 1.4 Branch → Trunk
Ok, with current trunk build it doesn't hang anymore, it's just slow.
With Mozilla1.7, I hang, so something has definitely improved since then.
This is still an issue, confirmed with Firefox 1.5.0.3.  Also, this issue has been posted to BugTraq (which is where I learned of it), so visibility is likely to soon rise.

A fix would really be a good thing.
Confirmed with Bon Echo using BugTraq example.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060530 BonEcho/2.0a3
Attached file BugTraq Testcase
Should have attached this to my last post.
Confirmed using testcase on WinXP SP1 w/ FF 1.5.0.3. I saw this on BugTraq, also. I'm surprised this hasn't been fixed yet...
*** Bug 339954 has been marked as a duplicate of this bug. ***
Whiteboard: [sg:low dos]
Using BugTraq test case.

Confirmed in:

Firefox Current Release -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Mozilla Latest Nightly - 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050702

WFM in:

Firefox Latest Trunk Nightly - 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060601 Minefield/3.0a1

Seems to be fixed in the trunk.
Confirmed for me in 1.5.0.4, WinXP/SP1.
fixing up title for searching (added nested, de-emphasizing DL tags), indicating relation to Bug #339954 .

Original title: "hang when many <dl> and <marquee> tags are used. exponential time increase depending on number of <dl> tags.."

New title: "hang when many nested <marquee> tags are used. exponential time increase"
Summary: hang when many <dl> and <marquee> tags are used. exponential time increase depending on number of <dl> tags.. → hang when many nested <marquee> tags are used. exponential time increase
*** Bug 339954 has been marked as a duplicate of this bug. ***
Dup of bug 277208?  (Which is fixed on trunk, btw)
Keywords: hang
Can confirm that the first Attached testcase still hangs 2.0.

David
Was there anything in this bug to make you think it was fixed for 2.0?
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
(In reply to comment #18)
> Dup of bug 277208?  (Which is fixed on trunk, btw)
> 

Definitely not. Testcase still kills the trunk.
Depends on: 363722
(In reply to comment #21)
> Definitely not. Testcase still kills the trunk.

Oops, yes, it is now crashing current trunk builds, this is something new, I filed bug 363722 for it. This bug is for the hanging issue (which may return after bug 363722 gets fixed).
This seems to have been assigned a CVE, though not specific to firefox: CVE-2006-6954
There is another example (exploit) at the following link

http://milw0rm.com/exploits/3606

The marquee tags are placed before the head tag.
... and earlier http://milw0rm.com/exploits/1867

CVE-2006-2723 is more appropriate, -6954 seems to be the Flock variant of the same thing.
Alias: CVE-2006-2723
Blocks: 339954
It still happens quite frequently for me when opening certain myspace.com profiles. (with v2.0.0.11)
Thanks for the report, but please consider the Bugzilla etiquette guidelines before posting more "me too" comments in the future so that developers can more easily see the relevant information in a bug and so that people CCed to a bug (like myself) aren't needlessly spammed.
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Blocks: 338474
Whiteboard: [sg:low dos] → [sg:dos]

This doesn't happen with our new Marquee implementation.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME

This was fixed via bug 1425874.
