Created attachment 266803
test case for mutation events in scrollable frame
Using DOM mutation events it is possible to trash the UI so that the browser becomes unresponsive. See the related bug 382568 and bug 355548 for more test cases.
I get 100% CPU on trunk also. You mean that shouldn't happen?
If the UI is still responsive, then it is not so bad. On branches the UI stops working, and that is equivalent to "denial of service".
Oh, indeed, the UI gets unresponsive on trunk too.
On Linux (trunk/1.8) I get an endless loop of JS "too much recursion" errors
(which as such isn't security-sensitive, IMO).
bug 382568 and bug 355548 are crashers.
IMO, it is security-sensitive because it suggests a pattern to exploit things in a way similar to those.
Should we file a metabug or whatever to keep these guys together?
Created attachment 267625
a (better) testcase for mutation events in scrollable frame
Ok, this testcase does crash 1.8 and 1.8.0 on MacOS for me; it was just a matter of skipping a couple of legitimate mutation events and doing nasty stuff on the vulnerable one.
Crashes on Linux too. Severity elevated, title adjusted...
Created attachment 267939
Just don't propagate any mutation events from native anonymous content.
IsAnonymousForEvents() is needed because XUL has its own implementation
This also fixes bug 382568.
Attachment 267939 also fixes bug 382700.
Note, I didn't change nsGenericDOMDataNode::HandleDOMEvent to
check nativeness, because it doesn't implement SetNativeAnonymous
properly and native anon text nodes are AFAIK always inside native
(This all of course works properly on trunk.)
Comment on attachment 267939
approved for 220.127.116.11 and 18.104.22.168, a=dveditz for release-drivers
Checked in to branches
Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:22.214.171.124pre) Gecko/20070810 Firefox/126.96.36.199pre
Fx15012 crashed but Fx15013pre did not.