Closed
Bug 376862
Opened 18 years ago
Closed 13 years ago
firefox hangs (crashes?) when parsing bad xml for rss feeds
Categories
(Firefox Graveyard :: RSS Discovery and Preview, defect)
Firefox Graveyard
RSS Discovery and Preview
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 485941
People
(Reporter: poplix, Unassigned)
References
()
Details
(Keywords: crash, hang, Whiteboard: [sg:dos] recursion crash)
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3
Build Identifier: Firefox 2.0.0.3
This issue may cause a denial of service due to an infinite recursion. The output of the following perl command can be used to trigger the bug:
print "<?xml version=\"1.0\"?><rss version=\"2.0\">" . ("<x>"x100000) . "\n"
Reproducible: Always
Steps to Reproduce:
1.redirect the outp of the following command to an xml file: print "<?xml version=\"1.0\"?><rss version=\"2.0\">" . ("<x>"x100000) . "\n"
2.open that file
3.have fun
Actual Results:
firefox crashed maybe due to an infinite recursion.
|
||
Comment 1•18 years ago
|
||
I'm testing a Firefox 1.8 branch build (2.0.0.4pre) on Mac. The provided snippet of code just results in an "XML Parsing Error: no element found" error. With a slightly modified testcase (see http://bug376862:bo^exvyh@gavinsharp.com/bug/376862/ for both files and their sources), I do see a hang while it attempts to parse the large document, but no crash. px, can you still reproduce the crash? If so, can you point to a working testcase?
|
||
Comment 2•18 years ago
|
||
In Firefox, I see a hang as well (though Safari does crash).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: firefox crashes when parsing bad xml for rss feeds → firefox hangs (crashes?) when parsing bad xml for rss feeds
|
|
||
Comment 3•18 years ago
|
||
Reporter's script crashes IE7 as well.
IE7 handle's Gavin's script ok. Safari throws its hands up.
i've tested it against firefox 2.0.0.3 and crashed. Probably i've made a mistake cuz i tested it against firefox 3.0a2pre.en and it crashed but today i've tried it against 3.0a4., that handles this script correctly, and after that 3.0a has handled it as well. So, probaly i got confused. sorry.
firefox 2.0.0.3 will crash with feed-reporter.pl only, feed.pl make it hang.
Safari issue has already been reported to apple who's currently working on fixing it.
I know this script makes IE7 crash only on winXP, on vista it's handled correctly. can you confirm this?? IE7 issue has not been reported to MS because i'm still investigating it.
-poplix
|
|
||
Comment 5•18 years ago
|
||
I'm not able to reproduce a crash, testing Firefox 2.0.0.3 with feed-reporter.pl on the Mac. Which OSs have you tested this on?
i've tested it on my powerbookG4
Machine Name: PowerBook G4 12"
Machine Model: PowerBook6,4
CPU Type: PowerPC G4 (1.1)
CPU Speed: 1.33 GHz
Memory: 512 MB
with macosx 10.4.9
probably you are not able to reproduce it cuz you machine is more powerfoul than mine (and maybe with a different arch) and the stack has a different behaviour. try to use this perl line to increment the number of tags
print "<?xml version=\"1.0\"?><rss version=\"2.0\">" . ("<x>"x900000) . "\n"
with this line i've succesfully crashed a firefox 2.0.0.3 on a
Modello computer: iMac4,1
Nome processore: Intel Core Duo
Velocità processore: 2 GHz
Numero di processori: 1
Numero totale di nuclei: 2
L2 Cache (per processore): 2 MB
Memoria: 1 GB
Velocità bus: 667 MHz
with macosx 10.4.8
on my pbookG4 with 900000 tags i made firefox 3.0.a4pre.en crash in about 30seconds
cheers
|
|
||
Comment 7•18 years ago
|
||
Ah, ok, I can reproduce the crash with feed-reporter-900000.pl (added to the above URL). Looks like stack overflow.
|
|
||
Comment 8•18 years ago
|
||
This crashed as I pressed the back button while the beach ball was spinning.
|
|
||
Updated•18 years ago
|
Attachment #261819 -
Attachment is patch: false
|
||
Comment 9•18 years ago
|
||
If you are not the right person to assign this to, please help us find someone that is.
Assignee: nobody → jonas
Whiteboard: [sg:low dos]
|
|
||
Comment 10•18 years ago
|
||
(In reply to comment #9)
> If you are not the right person to assign this to, please help us find someone
> that is.
>
No, I'll take this. Sorry for the delay.
Assignee: jonas → sayrer
|
||
Updated•18 years ago
|
|
|
||
Updated•17 years ago
|
Whiteboard: [sg:low dos] → [sg:dos] recursion crash
|
|
||
Comment 11•13 years ago
|
||
Gavin: is this still a problem? If not please resolve "worksforme" (I wasn't able to reproduce in a quick check, but didn't dig and you seem to have a bunch of testcases).
Assignee: sayrer → gavin.sharp
Group: core-security
|
|
||
Comment 12•13 years ago
|
||
Only remaining issue that I see looks like a dupe of bug 485941.
Assignee: gavin.sharp → nobody
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
|
||
Updated•6 years ago
|
Product: Firefox → Firefox Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•