Closed
Bug 473914
Opened 16 years ago
Closed 16 years ago
Crash due to too much recursion in nsCSSScanner::Next with many adjacent comments
Categories
(Core :: CSS Parsing and Computation, defect, P4)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
| Tracking | Status | |
|---|---|---|
| status1.9.1 | --- | wanted |
People
(Reporter: jruderman, Assigned: dbaron)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos] too much stack recursion)
Attachments
(3 files, 1 obsolete file)
|
342 bytes,
text/html
|
Details | |
|
4.12 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
|
7.80 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
No description provided.
|
Assignee | |
Updated•16 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
|
|
Assignee | |
Updated•16 years ago
|
Assignee: nobody → dbaron
|
|
Assignee | |
Comment 1•16 years ago
|
||
I'll attach a whitespace-ignoring diff of nsCSSScanner.cpp momentarily.
Attachment #357434 -
Flags: superreview?(bzbarsky)
Attachment #357434 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 2•16 years ago
|
||
Er, the whitespace-ignoring diff of nsCSSScanner.cpp (with less context, thanks to interdiff) is just:
--- a/layout/style/nsCSSScanner.cpp
+++ b/layout/style/nsCSSScanner.cpp
@@ -709,2 +709,3 @@
{
+ for (;;) { // Infinite loop so we can restart after comments.
PRInt32 ch = Read();
@@ -778,3 +779,4 @@
#endif
- return SkipCComment() && Next(aToken);
+ SkipCComment();
+ continue; // start again at the beginning
}
@@ -834,2 +836,3 @@
}
+}
|
||
Updated•16 years ago
|
Attachment #357434 -
Flags: superreview?(bzbarsky)
Attachment #357434 -
Flags: superreview-
Attachment #357434 -
Flags: review?(bzbarsky)
Attachment #357434 -
Flags: review-
|
|
||
Comment 3•16 years ago
|
||
Comment on attachment 357434 [details] [diff] [review]
patch
You need a similar change in NextURL(), right?
Also, shouldn't that look like:
if (!SkipCComment()) {
return PR_FALSE;
}
continue;
|
|
Assignee | |
Comment 4•16 years ago
|
||
(In reply to comment #3)
> You need a similar change in NextURL(), right?
Er, yes. I have NextURL massively modified in my tree, so that code isn't there anymore.
> Also, shouldn't that look like:
>
> if (!SkipCComment()) {
> return PR_FALSE;
> }
> continue;
Good point.
|
|
Assignee | |
Comment 5•16 years ago
|
||
This removes the bogus comment handling in NextURL that only did anything at the beginning of the URL or after whitespace, and was also broken since it recurred into Next rather than into NextURL.
Attachment #357434 -
Attachment is obsolete: true
Attachment #357452 -
Flags: superreview?(bzbarsky)
Attachment #357452 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 6•16 years ago
|
||
Updated to comments.
Attachment #357453 -
Flags: superreview?(bzbarsky)
Attachment #357453 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 7•16 years ago
|
||
Er, and the latter, with interdiff -w, is now:
--- a/layout/style/nsCSSScanner.cpp
+++ b/layout/style/nsCSSScanner.cpp
@@ -709,2 +709,3 @@
{
+ for (;;) { // Infinite loop so we can restart after comments.
PRInt32 ch = Read();
@@ -778,3 +779,6 @@
#endif
- return SkipCComment() && Next(aToken);
+ if (!SkipCComment()) {
+ return PR_FALSE;
+ }
+ continue; // start again at the beginning
}
@@ -834,2 +838,3 @@
}
+}
|
|
||
Updated•16 years ago
|
Attachment #357452 -
Flags: superreview?(bzbarsky)
Attachment #357452 -
Flags: superreview+
Attachment #357452 -
Flags: review?(bzbarsky)
Attachment #357452 -
Flags: review+
|
|
||
Updated•16 years ago
|
Attachment #357453 -
Flags: superreview?(bzbarsky)
Attachment #357453 -
Flags: superreview+
Attachment #357453 -
Flags: review?(bzbarsky)
Attachment #357453 -
Flags: review+
|
|
Assignee | |
Comment 8•16 years ago
|
||
Fixed:
http://hg.mozilla.org/mozilla-central/rev/e2c5c612df46
http://hg.mozilla.org/mozilla-central/rev/fefdf894b7ec
Status: NEW → RESOLVED
Closed: 16 years ago
Priority: -- → P4
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
|
Reporter | |
Updated•16 years ago
|
Blocks: jesse-css-grammar-fuzzer
|
||
Updated•16 years ago
|
Flags: in-testsuite+
|
||
Comment 10•16 years ago
|
||
The crash fix is worth taking on branches?
Flags: blocking1.9.1?
Whiteboard: [sg:dos] too much stack recursion
|
|
Assignee | |
Comment 11•16 years ago
|
||
No, since it's not exploitable and not something anybody is likely to hit due to anything other than artificially-constructed testcases.
|
||
Comment 12•16 years ago
|
||
per comment 11, not blocking 3.5 release; dunno if we want to get it in a .x release or not.
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.1-
|
||
Comment 13•16 years ago
|
||
http://crash-stats.mozilla.com/report/index/e38b500d-d50b-468e-a77e-3bf8e2090924?p=1 for 3.5.3 - from loading http://www.hixie.ch/tests/adhoc/css/parsing/core-syntax/comments/001.html can we get this into the 1.9.1 branch ?
blocking1.9.1: --- → ?
|
||
Updated•16 years ago
|
status1.9.1:
--- → wanted
Flags: wanted1.9.0.x? → wanted1.9.0.x+
|
|
||
Updated•16 years ago
|
blocking1.9.1: ? → needed
|
|
||
Updated•16 years ago
|
blocking1.9.1: needed → ---
|
||
Comment 14•16 years ago
|
||
This is wanted for 1.9.1, but we won't block on it. If someone requests approval on a patch that applies, we'll likely take it.
You need to log in
before you can comment on or make changes to this bug.
Description
•