Closed Bug 454434 Opened 14 years ago Closed 1 year ago

hang with lots of nested <marquee>s


(Core :: Layout, defect)

Windows XP
Not set





(Reporter: mustlive, Unassigned)




(Keywords: hang, Whiteboard: [sg:dos])


(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: This is UA of my favorite Mozilla 1.7.x :-)

When I wrote to Mozilla in October 2007 by email (as do everyday when informing web developers and admins of sites about vulnerabilities) about hole in Mozilla (old) and Firefox (old and new 2.0) my letter was ignored and hole not fixed. So for this hole, which I found recently, I decided in addition to sending of email, also write to bugzilla. Here is text of my letter.

Hello Mozilla!

I want to warn you about Denial of Service vulnerability in Mozilla Firefox.
With this exploit browser takes 100% of CPU and freeze (while overloading computer).
Vulnerable version is Mozilla Firefox 3.0.1 and previous versions. I tested it in Mozilla Firefox 3.0.1 and in one old version of Firefox, so it's possible that all versions of Firefox are vulnerable (as also other browsers on Mozilla's Gecko engine).
I mentioned about this vulnerability at my site ( This vulnerability is similar to DoS hole in Google Chrome ( which I wrote about on last week.
Best wishes & regards,
Administrator of Websecurity web site

Reproducible: Always

Steps to Reproduce:
1. Run my exploit (
Actual Results:  
Browser takes 100% of CPU and freezes.

Expected Results:  
Not taking 100% of CPU and not freezes.
If you've published details of this on your site, there's no need for it to be security-sensitive.
Component: Security → Layout
Product: Firefox → Core
QA Contact: firefox → layout
Summary: DoS vulnerability in Mozilla Firefox → hang with lots of nested <marquee>s
I filed bug 454465 for the fact that the testcase is crashing in current trunk build again.

I think this bug as filed is basically a duplicate of bug 239840.
"One-time DoS" bugs in web browsers, such as hangs, are not considered security holes.
Group: core-security
Keywords: hang
Hello Mozilla!

Recently, 19.09.2008, I made my new project <a href="">Day of bugs in browsers</a>. Where I published many vulnerabilities in different browsers. To remember browsers developers to attend to security of their applications.

Here are the list of holes:

DoS vulnerabilities in Firefox, Internet Explorer and Opera (
DoS vulnerabilities in Firefox, Internet Explorer, Opera and Chrome (
DoS vulnerabilities in Firefox, Opera and Chrome (

I'll wrote details (in English) of these holes to Mozilla by email soon. Hope Mozilla will receive, respond and fix these holes (as Mozilla received and responded this time, not like year ago, as I wrote before). So for now I'm not planning to post these new holes into Bugzilla, but if there will be no response, I'll think about posting them to your bagtrack.
Jesse Ruderman.

1st, it's not just hang, because the amount of nested marquees can be made very large which will completely freezes Firefox at any computer (with any hardware, even powerful computers).

2nd, when I wrote to Mozilla (in September 2008), Dan Veditz answer me and confirmed that this is security vulnerability.

You just need to fix it (which you didn't do for now).

About this vulnerability I must note, that you not only didn't fix it, but also made this DoS hole more dangerous.

As I wrote at my site (in January) about DoS vulnerability in SeaMonkey (, this issue with nested marquees works in SeaMonkey. And it crashes completely. And as wrote (in February) Thierry Zoller (, Firefox 3.0.6 also crashes completely.

I checked my exploit for Firefox (which makes CPU overload DoS in Firefox 3.0.1) and confirmed that it crashes Firefox 3.0.6. And recently I also checked my exploit in Firefox 3.0.9 and found that browser freezes completely. So hole still exists.

You need to fix this vulnerability, as others which I wrote you about (by email). And also Properties not-inheritance vulnerability in Mozilla Firefox (, which I posted to bugzilla recently.
Whiteboard: [sg:dos]
Depends on: 454465
No longer depends on: 454465
Ever confirmed: true
(In reply to comment #1)
> Created attachment 337715 [details]
> reporter's testcase
> The current contents of

Crashes my Firefox 4.0b7 on 32 bit Windows 7.
Comment 9 is a too-much-recursion crash (not exploitable).
For what it's worth, this makes my plugin container crash while trying to access 00022272, which doesn't really seem right.

Following the reporter's steps I am able to confirm that the issues doesn't happen anymore on Windows 10x64, Ubuntu 20.04 on any of the current versions of Firefox Nightly 87.0a1 (2021-02-18), beta 86.0 and release 85.0.2. No crashes occur under the given test case.

Closing this issue as Resolved > Worksforme.
Feel free to re-open or file a new bug if this issue reoccurs again.

Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.