Closed Bug 303960 Opened 19 years ago Closed 19 years ago

Recursive frames cause infinite loop

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

Product:
Core
Component:
Layout: Images, Video, and HTML Frames
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jasonhoover, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6

An HTML frameset, calling an HTML page with a frameset, calling the first HTML
page can cause an infinite loop when the frameset attribute frameborder is 0, or
false.

The URL provided demonstrates this.

Reproducible: Always

Steps to Reproduce:
The code is very simple, you have two files:

==jerk.html==
<html>
<head>
<title>I'm a jerk.</title>
</head>
<frameset rows="*,*" cols="*,*" frameborder=0>
	<frame name="spam" src="jerk2.html">
	<frame name="eggs" src="jerk2.html">
	<frame name="bacon" src="jerk2.html">
	<frame name="spam" src="jerk2.html">
</frameset>
</html>

==jerk2.html==
<html>
<head>
<title>I'm a jerk.</title>
</head>
<frameset rows="*,*" cols="*,*" frameborder=0>
	<frame name="eggs" src="jerk.html">
	<frame name="spam" src="jerk.html">
	<frame name="spam" src="jerk.html">
	<frame name="spam" src="jerk.html">
</frameset>
</html>

Actual Results:  
Firefoo/Mozilla goes into an infinite loop until it either runs out of memory or
locks up.

Expected Results:  
There should be a per-window limit on frame depth, instead of per-page.

But I have no idea how the internals work.
It's very easy to create a DoS with this, but not much harder than any other bug
I see.

I'm sorry if this bug is unhelpful/duplicate, but it seems to exist, and I
couldn't find any other ones with a good description similar to this problem.

If it's a dupe, sorry for wasting your time.

Filing this as critical since it's an easy crasher.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050808 Firefox/1.0+
ID:2005080814

Works for me. Do you see this in the latest builds?
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/
Your right. Tried this on deer park 2 on my windows box. It seems fine.

If it pops up in 1.5 on this system, should I just add a comment to this bug?
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in before you can comment on or make changes to this bug.