CSS parser uses uninitialized memory

Status: RESOLVED DUPLICATE of bug 389685
Product: Core
Component: CSS Parsing and Computation
Reported: 11 years ago
Modified: 11 years ago

People

(Reporter: Michal Zalewski, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)


(Reporter)

Description

11 years ago
Hello again,

This is a pretty interesting bug, actually, although I had no time to analyze it in great detail...

If a STYLE="" parameter is encountered when parsing a tag (or any other STYLE value that is semantically empty, that is, one consisting of whitespace and comments alone), the Firefox CSS parser will apparently attempt to utilize the contents of a previous, already deallocated buffer and interpret this as a syntax element instead.

See bug URL for demo.

Using (and possibly freeing again) deallocated memory is obviously bad for security, and may easily lead to serious problems. 

Another aspect of the problem is that the behavior persists across windows and domains, which may possibly lead to cross-site scripting or other cross-site disruptions if the target page contains a STYLE="" parameter (this is not considered a malicious parameter by many HTML filters).
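The report's last point is that HTML filters tend to wave through a STYLE attribute whose value is only whitespace and CSS comments, which is exactly the input shape said to trigger the parser bug. The following is an added example, not code from the bug report or from Mozilla: a small JavaScript helper that classifies a style value as semantically empty (whitespace and /* */ comments only, with an unterminated comment running to the end of the value as the CSS tokenizer treats it) and strips such attributes from an HTML fragment. The function names, the regex for attribute syntax, and the sample fragment are all constructed for this illustration; the regex only handles quoted attribute values and is a stand-in for doing the same check on a parsed DOM.

```javascript
// Added example, not part of the bug report: detect and strip STYLE
// attributes whose value is semantically empty (whitespace and comments only).
// Function names, the attribute regex and the sample input are assumptions
// made for this illustration.

// Returns true when `value` contains nothing but CSS whitespace and
// /* ... */ comments. An unterminated comment swallows the rest of the
// value, as in the CSS tokenizer, so it also counts as empty.
function isSemanticallyEmptyStyle(value) {
  let i = 0;
  const n = value.length;
  while (i < n) {
    const c = value[i];
    if (c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f') {
      i++;                                   // CSS whitespace
    } else if (c === '/' && value[i + 1] === '*') {
      const end = value.indexOf('*/', i + 2);
      if (end === -1) return true;           // unterminated comment: empty to EOF
      i = end + 2;                           // skip the whole comment
    } else {
      return false;                          // any other character is a real token
    }
  }
  return true;
}

// Matches ` style="..."` or ` style='...'` (quoted values only). This is a
// deliberately simple text-level matcher for the example; a real sanitizer
// should make the same decision on a parsed DOM, not on raw markup.
const STYLE_ATTR = /\s+style\s*=\s*("([^"]*)"|'([^']*)')/gi;

// Returns the fragment with every semantically empty style attribute removed.
// Non-empty style attributes are left untouched for the rest of the filter
// pipeline to judge.
function stripEmptyStyleAttrs(html) {
  return html.replace(STYLE_ATTR, (match, _quoted, dq, sq) => {
    const value = dq !== undefined ? dq : sq;
    return isSemanticallyEmptyStyle(value) ? '' : match;
  });
}

// Constructed sample input (not the bug's demo page): one empty attribute,
// one comment-only attribute, one genuine declaration.
const SAMPLE_HTML =
  '<div style="">a</div><p style=" /* x */ ">b</p><b style="color:red">c</b>';

console.log(stripEmptyStyleAttrs(SAMPLE_HTML));
```

The useful property for a filter is the asymmetry: a semantically empty value carries no legitimate styling, so dropping the attribute costs nothing, while keeping it hands the browser's CSS parser an input the report says it handles badly.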
Comment 1

This looks like a duplicate of bug 389685. What leads you to think that it's using "deallocated memory"?
Component: Security → Style System (CSS)
Product: Firefox → Core
QA Contact: firefox → style-system
Version: 2.0 Branch → Trunk
(Reporter)

Comment 2

11 years ago
Indeed, that's the same problem, sorry. 

What led me to believe this is the case is the fact that I get anything from the most recent CSS syntax elements to seemingly random data displayed on the JavaScript error console, depending on the sequence of events. Still, as I mentioned, I had no opportunity to research this in much detail; perhaps there is a static buffer that gets populated with silly data at some point.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 389685
Group: security