Closed Bug 32389 Opened 24 years ago Closed 24 years ago

Browser crashes upon encountering a recursive IFRAME inclusion.

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect, P3)

Product:
Core
Component:
Layout: Images, Video, and HTML Frames
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 8065

People

(Reporter: sacolcor, Assigned: pollmann)

Details

(Keywords: crash)

Attachments

(1 file)

A iframe src that points to itself.
263 bytes, text/html
Details 
View a page containing an IFRAME pointing to itself.  Watch browser go boom.
We need to guard both against direct and indirect (A includes B includes A) 
IFRAME recursion.  IE just displays blank space when it detects this condition.
Confirming.

When testing it crashed in nsWindow::Create but the real problem is that 
a recursive IFRAME is allowed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Petersen: Please provide a testcase. And, please confirm whether a fish has a 
soul.
Off to petersen for a testcase.
Assignee: rickg → petersen
So .. I had this reported in a XUL context (bug #33722), but the XUL
<html:iframe> is just a normal html iframe anyways, so I'm going to
make the other bug for the XUL usage depend on this one.

Here's a couple of test cases:

WARNING: the second test case completely horked win98 (even after 
mozilla was terminated, MB of memory was left allocated in the OS 
and I could no longer launch any new apps -- had to do a hard reset
of the system). 


TEST 1 : A->A->A ...
  c:\temp\file.html   

<html><body>
<p>hello</p>
<iframe src="file://C|/temp/file.xul" style='border: 1px solid red;'></iframe>
<p>goodbye</p>
</body></html>



TEST 2 : A->B->A ...
  c:\temp\file1.html  

<html><body>
<p>hello</p>
<iframe src="file://C|/temp/file2.html" style='border: 1px solid red;'></iframe>
<p>goodbye</p>
</body></html>

  c:\temp\file2.html

<html><body>
<p>hello</p>
<iframe src="file://C|/temp/file1.html" style='border: 1px solid 
blue;'></iframe>
<p>goodbye</p>
</body></html>


By the way, this can also be done for <frameset>/<frame>. See: 

  news://news.mozilla.org/37656AF6.38502494%40netscape.com
  news://news.mozilla.org/37657250.2E6876B1%40qlink.queensu.ca
  
(The URL discussed there is no longer functioning correctly, but the 
idea behind would be pretty easy to duplicate). 

If there isn't a bug for this now, then this should either be filed or 
dealt with as part of this bug. 


Oh, and I believe a fish has a soul, but I can't prove it.
Blocks: 33722
Reassigning back to rickg.
Assignee: petersen → rickg
Eric: I think you're mr frames, right? So this testcase doesn't blow up, and the 
content model looks reasonable. Can you confirm this?
Assignee: rickg → pollmann
This is already reported as bug 8065.  Thanks!

(FWIW, I don't believe that a fish has a soul.  But I can't prove it either.)


*** This bug has been marked as a duplicate of 8065 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Component: HTML Element → HTMLFrames
OS: Windows NT → All
Hardware: PC → All
Resolution: --- → DUPLICATE
Marking verified dup of 8065.
Status: RESOLVED → VERIFIED
No longer blocks: 33722
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: