Closed Bug 483209 Opened 11 years ago Closed 10 years ago
[HTML5] The HTML5 parser needs limits on internal buffer growth
The internal buffers of the HTML5 parser probably shouldn't grow until OOM, if an attacker sends an infinite file.
http://hg.mozilla.org/mozilla-central/rev/a0f0fde99844 This puts a hard limit on everything except the list of formatting elements. I'll leave this open until either: 1) I figure out how a limit on the list of formatting elements should behave. or 2) I convince myself that having a limit on the stack is enough and has the right side effects.
The previous attempt to fix this by guesswork wasn't successful and caused bug 554513. As far as I can tell, the old parser only has a limit of 200 on the depth of the stack. I left the same limit in the HTML5 parser. (IIRC, the old sink previously had a limit of 4096 PRUnichars on the text node size, but I can no longer find that limit, so I guess it has been removed.) Except for the stack limit of 200, I'm inclined to mark this bug WONTFIX on the basis that the old parser didn't have these limits.
I filed bug 555899 to have a separate bug number for the FIXED part. I'm now marking this one WONTFIX on the grounds that the old parser seems to allow buffers to grow without limit.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
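To illustrate the kind of limit the comments discuss, here is an added toy tree builder (written for this page, not Gecko's parser code) whose open-element stack is capped at the 200 the comments attribute to the old parser and whose pending text is flushed at an assumed 4096-character cap, so an unbounded input stream cannot make either buffer grow until OOM. The class and function names and the hostile input are constructed for the example.

```python
MAX_STACK_DEPTH = 200   # stack-depth limit the comments attribute to the old parser
MAX_TEXT_RUN = 4096     # assumed text-node cap, modelled on the old sink limit recalled above
class BoundedTreeBuilder:
    """Toy tree builder whose open-element stack and pending text cannot grow past the caps."""

    def __init__(self):
        self.stack = []        # open-element stack, never deeper than MAX_STACK_DEPTH
        self.text_buf = []     # pending text pieces, never more than MAX_TEXT_RUN chars
        self.text_len = self.max_depth_seen = self.dropped_starts = self.flushed_text_nodes = 0

    def flush_text(self):
        if self.text_len:
            self.flushed_text_nodes += 1   # a real builder would emit a text node here
            self.text_buf.clear()
            self.text_len = 0

    def start_tag(self, name):
        self.flush_text()
        if len(self.stack) >= MAX_STACK_DEPTH:
            self.dropped_starts += 1       # ignore the tag rather than grow the stack
            return
        self.stack.append(name)
        self.max_depth_seen = max(self.max_depth_seen, len(self.stack))

    def end_tag(self, name):
        self.flush_text()
        if name in self.stack:
            while self.stack.pop() != name:
                pass

    def characters(self, s):
        while s:                           # split runs so the buffer never exceeds the cap
            room = MAX_TEXT_RUN - self.text_len
            piece, s = s[:room], s[room:]
            self.text_buf.append(piece)
            self.text_len += len(piece)
            if self.text_len >= MAX_TEXT_RUN:
                self.flush_text()

def hostile_stream(n_tags, text_chars):
    # Constructed input: n_tags unclosed <div> start tags, then one run of text_chars characters.
    for _ in range(n_tags):
        yield ("start", "div")
    yield ("text", "A" * text_chars)

def build(tokens):
    """Feed a token stream to the builder and return it for inspection."""
    b = BoundedTreeBuilder()
    for kind, value in tokens:
        {"start": b.start_tag, "end": b.end_tag, "text": b.characters}[kind](value)
    b.flush_text()
    return b
```

Feeding `build(hostile_stream(10_000, 100_000))` leaves the stack at exactly 200 entries with 9800 start tags ignored, and the 100,000-character run is emitted as 25 bounded text nodes instead of one growing buffer.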