246516 - invalid https data causes crash / freeze

Status: RESOLVED INVALID

(Core :: Networking: HTTP, defect)

Description

[Ryan Power]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040608 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040608 Firefox/0.8.0+

The form code at www.nekobox.org causes FireFox to crash. I have attached the
problem html code in the additional information section of this bug report.

Windows reports the error as follows:
Application popup: firefox.exe - Application Error : The instruction at
"0x00481b49" referenced memory at "0x00000044". The memory could not be "read".

I was unable to reproduce the crash in Mozilla.

It appears to be related to the <input type="image"... tag; if it is removed the
crash stops occuring.

Reproducible: Always
Steps to Reproduce:
1.  Open a page that contains that code, or try to access www.nekobox.org
2.  FireFox will crash while trying to load the image within the PayPal donation
form.

Actual Results:  
Access Violation

Expected Results:  
A normally rendered webpage was expected

<TABLE cellSpacing=0 cellPadding=0 width=720 border=0>
  <TBODY>
  <TR vAlign=top>
    <TD>
      <TABLE cellSpacing=0 cellPadding=0 border=0>
        <TBODY>
        <TR>
          <TD width=170 bgColor="#fff2b5"><BR></TD></TR>
        <TR vAlign=top>
          <TD vAlign=top>
            <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
              <TBODY>
              <TR vAlign=top>
                <TD vAlign=top width=150>
                  <CENTER><BR><B>Hosted Sites</B></CENTER>

                  <HR align=center width=130 noShade SIZE=1>
                  <TABLE cellSpacing=0 cellPadding=0 width=130 align=center
                  border=0>
                    <TBODY>
                    <TR vAlign=top>
                      <TD vAlign=top align=center noWrap width=130>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="image" src="https://www.paypal.com/images/x-click-but04.gif"
border="0" name="submit" alt="Make payments with PayPal - it's fast, free and
secure!">
</form>
</TD></TR></TBODY></TABLE>

Comment 1

[Ryan Power]

A crash also occurs at http://www.lostcircuits.com.

On closer inspection, it appears that the crash is due to the form code and that
it is unaffected by tables.

Comment 2

[Olivier Cahagne]

can you post a Talkback ID using Firefox 0.9rc (or eventually Mozilla 1.7rc3) ?

Comment 3

[Ryan Power]

Attachment: Feedback Agent Details

Here is the details log from the feedback agent.  I suspect the problem
actually lies with the proxy server we're using... I suspect that it is
returning something similar to what I've posted below instead of a gif image.

It only seems to effect https connections, however.

<HTML>
<HEAD>
<TITLE>SurfControl - Access Denied</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#FFFFFF" LINK="#0000FF" VLINK="#FF0000">
<center>
<table border="4" bgcolor="#0000D0" width="50%" cellpadding="6">
<tr>
<td nowrap align="center">
<font size="6"><b>SurfControl</b></font>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" nowrap>
&nbsp;
<h1 align="center"><font color="#FF0000">Access Denied</font></h1>
<p align="center"><font color="#000000">Access to the requested URL has been
denied
<br><br><font size="4"><b>Shopping Content</b></font></p><br>
</td>
</tr>
</table>
</center>
</BODY>
</HTML>

Comment 4

[Olivier Cahagne]

can you run "mozilla\components\talkback.exe" and mention the Talkback Incident
ID associated to the crash ?

Comment 5

[Ryan Power]

Due to the aforementioned proxy, I can't actually submit a talkback report.  I
can copy a data file out of the directory, but thats about it.

The talkback program dosen't seem to support NTLM authentication.

Comment 6

[Olivier Cahagne]

without stacktrace, maybe you can try to attach a minimized crashing HTML
testcase and hope that others will be able to crash and post a stack.

Comment 7

[Ryan Power]

A stack trace appears to have been included in the information I saved from the
talkback application... (see the Feedback Agent Details attachment).

Is this missing the information you're looking for?

Comment 8

[Olivier Cahagne]

it's missing the Talkback Incident ID, as is, the Talkback details are
unfortunately useless.

Comment 9

[timeless]

you could try to attach a zip containing the talkback data files
<%appdata%\taklback\mozillaorg\mozillatrunk\win32\>

Comment 10

[Ryan Power]

Attachment: Talkback.zip

Here it is.

Comment 11

[Michael Austin]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) 
Gecko/20040206 Firefox/0.8
WindowsXP (Home Edition Service Pack 1)

The <input type=image src="/somepaypalurl/.gif"> does not crash the browser, but
just does not display the button.

See http://www.firstdbasource.com/button_bug.html for sources.

Michael Austin.

Comment 12

[Ryan Power]

Ok... got some more information.

It looks like it isn't an image problem, or a form problem, but a problem within
https itself.  I've been able to confirm this on normal, imageless, https
connections.  I have changed the summary accordingly.

The problem still exists in 0.9.2.

I've traced the connection though the proxy, and attached it below.  This is
reproducible and freezes, but does not crash the browser.  The task must be
ended manually before it will respond again.
S: Sent from browser
R: Responce from proxy

S --> CONNECT www.amazon.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7)
Gecko/20040707 Firefox/0.9.2
Proxy-Connection: keep-alive
Host: www.amazon.com


R --> HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy service is denied.  )
Via:1.1 RIV-ISASURFP1
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="isasurf"
Proxy-Authenticate: Kerberos
Proxy-Authenticate: Negotiate
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 3779  

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><TITLE>The page cannot be displayed</TITLE>

... a bunch of stuff saying that the page cannot be displayed ...

</HTML>

S --> CONNECT www.amazon.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7)
Gecko/20040707 Firefox/0.9.2
Proxy-Connection: keep-alive
Host: www.amazon.com
Proxy-Authorization: NTLM <NTLM PASSWORD INFORMATION>


R --> HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via:1.1 ISASURF
Proxy-Authenticate: NTLM <NTLM PASSWORD INFORMATION>
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0     


S --> CONNECT www.amazon.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7)
Gecko/20040707 Firefox/0.9.2
Proxy-Connection: keep-alive
Host: www.amazon.com
Proxy-Authorization: NTLM <NTLM PASSWORD INFORMATION>

R --> <HTML>
<HEAD>
<TITLE>SurfControl - Access Denied</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#FFFFFF" LINK="#0000FF" VLINK="#FF0000">
<center>
<table border="4" bgcolor="#0000D0" width="50%" cellpadding="6">
<tr>
<td nowrap align="center">
<font size="6"><b>SurfControl</b></font>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" nowrap>
&nbsp;
<h1 align="center"><font color="#FF0000">Access Denied</font></h1>
<p align="center"><font color="#000000">Access to the requested URL has been denied
<br><br><font size="4"><b>Shopping Content</b></font></p><br>
</td>
</tr>
</table>
</center>
</BODY>
</HTML> 
<-- SOCKET CLOSED

Comment 13

[Ryan Power]

Changed Component from Layout to Networking.

Quick note: it looks like the proxy is NOT sending a HTTP/1.1 status line back
on the error page.  Could this be the problem?

Comment 14

[Ryan Power]

I cannot get the reassign function to work on Bugzilla
(http://www.mozilla.org/quality/help/bugzilla-privilege-guide.html#reassigning),
and since this isn't a forms problem as I originally thought, I am going to
close this bug.