Closed Bug 483209 Opened 11 years ago Closed 10 years ago

[HTML5] The HTML5 parser needs limits on internal buffer growth

Categories

(Core :: DOM: HTML Parser, defect, P2)

Other Branch
defect


RESOLVED WONTFIX

People

(Reporter: hsivonen, Assigned: hsivonen)

References

Details

(Whiteboard: [sg:dos])

The internal buffers of the HTML5 parser probably shouldn't grow until OOM if an attacker sends an infinite file.
Priority: -- → P2
Whiteboard: [sg:dos]
Blocks: 507119
Status: NEW → ASSIGNED
Blocks: 542268
http://hg.mozilla.org/mozilla-central/rev/a0f0fde99844

This puts a hard limit on everything except the list of formatting elements. I'll leave this open until either:
 1) I figure out how a limit on the list of formatting elements should behave.
or
 2) I convince myself that having a limit on the stack is enough and has the right side effects.
Depends on: 554513
The previous attempt to fix this by guesswork wasn't successful and caused bug 554513.

As far as I can tell, the old parser only has a limit of 200 on the depth of the stack. I left the same limit in the HTML5 parser. (IIRC, the old sink previously had a limit of 4096 PRUnichars on the text node size, but I can no longer find that limit, so I guess it has been removed.)

Except for the stack limit of 200, I'm inclined to mark this bug WONTFIX on the basis that the old parser didn't have these limits.
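The two bounds discussed in the comments above (a hard cap on the open-element stack, and flushing text so no single buffer grows with the input) can be illustrated with a toy tree builder. This is an added example, not Gecko's HTML5 parser code: the class, function and constant names are hypothetical, the 200-entry stack cap is taken from the comments, the 4096-character text-chunk limit is assumed for the example (the comment above only recalls such a limit in the old sink), and the "drop a start tag when the stack is full" policy is one possible behaviour, not what the Gecko patch does. The "infinite file" is simulated by feeding tokens in a loop rather than materialising the input.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Limits. kMaxStackDepth matches the 200-element open-element stack limit
// the bug discussion mentions; kMaxTextChunk is an assumed value for this
// example (the discussion only recalls a 4096-PRUnichar limit in the old sink).
constexpr std::size_t kMaxStackDepth = 200;
constexpr std::size_t kMaxTextChunk = 4096;

struct ParseStats {
    std::size_t maxDepth = 0;      // deepest the open-element stack ever got
    std::size_t droppedOpens = 0;  // start tags ignored because the stack was full
    std::size_t textChunks = 0;    // text nodes flushed to the (simulated) DOM
    std::size_t maxTextLen = 0;    // largest single text chunk buffered
    std::size_t totalText = 0;     // total characters of text seen
};

// Hypothetical tree builder whose in-memory state is bounded regardless of
// input size: the open-element stack never exceeds kMaxStackDepth entries and
// pending text is flushed once it reaches kMaxTextChunk characters.
class BoundedTreeBuilder {
public:
    void startTag(const std::string& name) {
        flushText();
        if (stack_.size() >= kMaxStackDepth) {
            ++stats_.droppedOpens;  // drop-on-overflow policy (assumed, not Gecko's)
            return;
        }
        stack_.push_back(name);
        stats_.maxDepth = std::max(stats_.maxDepth, stack_.size());
    }

    void endTag(const std::string& name) {
        flushText();
        // Pop back to the nearest matching open element, if any.
        for (std::size_t i = stack_.size(); i-- > 0;) {
            if (stack_[i] == name) {
                stack_.resize(i);
                return;
            }
        }
    }

    void text(char c) {
        text_.push_back(c);
        if (text_.size() >= kMaxTextChunk) flushText();
    }

    void finish() { flushText(); }

    std::size_t depth() const { return stack_.size(); }
    const ParseStats& stats() const { return stats_; }

private:
    void flushText() {
        if (text_.empty()) return;
        ++stats_.textChunks;
        stats_.maxTextLen = std::max(stats_.maxTextLen, text_.size());
        stats_.totalText += text_.size();
        text_.clear();
    }

    std::vector<std::string> stack_;
    std::string text_;
    ParseStats stats_;
};

// Minimal tokenizer: "<name>" is a start tag, "</name>" an end tag, anything
// else is text. No attributes, comments or entities; bounding is the point.
ParseStats parseBounded(const std::string& input) {
    BoundedTreeBuilder b;
    std::size_t i = 0;
    while (i < input.size()) {
        if (input[i] == '<') {
            std::size_t close = input.find('>', i);
            if (close == std::string::npos) break;  // unterminated tag: stop
            bool isEnd = (i + 1 < close && input[i + 1] == '/');
            std::size_t nameStart = i + (isEnd ? 2 : 1);
            std::string name = input.substr(nameStart, close - nameStart);
            if (isEnd) b.endTag(name); else b.startTag(name);
            i = close + 1;
        } else {
            b.text(input[i++]);
        }
    }
    b.finish();
    return b.stats();
}

// Simulate an endless stream of "<div>" start tags without materialising it.
ParseStats simulateNesting(std::size_t opens) {
    BoundedTreeBuilder b;
    for (std::size_t n = 0; n < opens; ++n) b.startTag("div");
    b.finish();
    return b.stats();
}

// Simulate an endless run of text without materialising it.
ParseStats simulateText(std::size_t chars) {
    BoundedTreeBuilder b;
    for (std::size_t n = 0; n < chars; ++n) b.text('a');
    b.finish();
    return b.stats();
}
```

Feeding 100,000 nested start tags leaves the stack at 200 entries with the rest counted as dropped, and 100,000 characters of text never buffer more than 4096 at once. What the example does not cover is the list of active formatting elements, which the comment above singles out as the case where the right limit behaviour was still unclear; a cap there interacts with the adoption agency algorithm, so it cannot be bounded as naively as the stack.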
Depends on: 555462
I filed bug 555899 to have a separate bug number for the FIXED part.

I'm now marking this one WONTFIX on the grounds that the old parser seems to allow buffers to grow without limit.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX