Closed
Bug 479499
Opened 16 years ago
Closed 12 years ago
The testcase from bug 460706 can hang
Categories
(Core :: XML, defect)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.1 | --- | ? |
People
(Reporter: martijn.martijn, Assigned: mrbkap)
Details
(Keywords: hang, testcase, Whiteboard: [sg:dos])
Attachments
(2 files)
74.82 KB, application/xhtml+xml
1.14 KB, patch (peterv: review+, peterv: superreview+)
The testcase from bug 460706, https://bugzilla.mozilla.org/attachment.cgi?id=343855, can hang.
It doesn't always happen; if it doesn't happen for you, try reloading it a couple of times.
Marking this bug security sensitive, since bug 460706 is also security sensitive.
Comment 1 • 16 years ago (Reporter)
Testcase that automatically reloads after a couple of hundred ms. This is pretty quickly hanging in current trunk build for me.
Comment 2 • 16 years ago (Assignee)
This is a non-exploitable hang.
I'm not exactly sure how this happens, but we end up with start being past end. I think it might have to do with mExpatBuffered + start.size_forward() allowing us to jump past |end|, but I haven't proved it.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #363424 - Flags: superreview?(peterv)
Attachment #363424 - Flags: review?(peterv)
Updated • 16 years ago
Attachment #363424 - Flags: superreview?(peterv)
Attachment #363424 - Flags: superreview+
Attachment #363424 - Flags: review?(peterv)
Attachment #363424 - Flags: review+
Comment 3 • 16 years ago
Comment on attachment 363424
Proposed fix
We also use end in the block for NS_FAILED(mInternalState). It's ok to not update it there I think, we're looking for a newline in the buffer that we tried to parse. We'll just use less than the data that we do have at our disposal but since it's for error reporting that's no big deal.
Comment 4 • 16 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 5 • 16 years ago (Assignee)
I'm going to wait to enable the crashtest for this bug (and bug 460706) until I have a chance to run it.
Flags: in-testsuite?
Comment 8 • 16 years ago
This crashtest is hanging on mozilla-central right now. See, e.g. http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1236077322.1236085244.18044.gz
I think we should disable it, and re-open this bug.
Comment 9 • 16 years ago
Backed out, re-disabling the test:
http://hg.mozilla.org/mozilla-central/rev/c395bb2cf30a
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated • 16 years ago
Group: core-security
Whiteboard: [sg:dos]
Comment 10 • 16 years ago
Blake: Any update here? Hanging on that testcase isn't much better than crashing. :)
status1.9.1: --- → ?
Flags: wanted1.9.0.x?
Comment 11 • 16 years ago (Assignee)
Sure it is, you can't exploit a hang! :) I'll look into this as soon as I get a chance.
Comment 12 • 12 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 16 years ago → 12 years ago
Flags: wanted1.9.0.x?
Resolution: --- → FIXED
Comment 13 • 12 years ago