Closed
Bug 612313
Opened 14 years ago
Closed 7 years ago
Application freeze (and maybe crash) while adding a too long description in a property of a bookmark.
Categories
(Firefox :: Bookmarks & History, defect)
RESOLVED
INACTIVE
People
(Reporter: nowikowski22, Unassigned)
Details
(Whiteboard: [sg:dos] persistent)
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7
While changing the description of a bookmark to a too long description, Firefox freezes. Maybe a buffer overflow?
Reproducible: Always
Steps to Reproduce:
1. Open the properties of any bookmark.
2. Change the description to a very long description.
3. It freezes, and won't unfreeze until terminating the process.
Actual Results:
Firefox freezes and that's all. I think it is maybe a buffer overflow?
And I would like to add that after doing these steps to crash Firefox, when you want to open the properties of the edited bookmark, Firefox crashes.
Comment 2•14 years ago
How do you change the description of a bookmark, and roughly what is "too long"? Are you typing the description (sitting on key repeat?), or pasting from the clipboard? Have you found a programmatic way to do this? If the clipboard, you must have some idea how much text is there. If the keyboard method, about how long do you type before it's "too long"?
How do you "open the properties"? Are you clicking on the star to bring up the quick-edit box? Are you going into the "Show all bookmarks" dialog from the Bookmarks menu? Are you using the Bookmark sidebar?
The only problem I've seen is what's described in Bug 607524; I haven't seen any crashes. If you have crashed, did you submit crash reports to Mozilla? If so, you should have crash IDs if you open the page about:crashes (type that into the address bar and hit enter). Copy the IDs that correspond to this problem into this bug so we can look them up.
Comment 3•14 years ago
Using the long title from bug 607524 (9M chars) and pasting it into the description box I do end up with terrible hangs and Firefox sucks up huge, unreasonable, amounts of memory if I try to do something with that bookmark. It probably would have crashed if I were using a machine with limited memory.
Un-hiding the bug since it's a self-inflicted denial-of-service, not something an attacker can do to people (unlike bug 607524 where the name field is set from an attacker-supplied <title> if the attacker can lure a victim to bookmark the page).
An easy solution is to simply cap the description length. It's a tiny little editing box, there is absolutely no earthly use for a description that's millions of characters long. Even a few thousand characters seems pretty excessive.
The hang seemed to be in layout code so there may be a performance issue we could fix that would also help web pages with long unbroken lines.
Group: core-security
Status: UNCONFIRMED → NEW
Component: General → Bookmarks & History
Ever confirmed: true
QA Contact: general → bookmarks
Whiteboard: [sg:dos self-dos]
Comment 4•14 years ago
> not something an attacker can do to people
I take that back. You'd still have to lure the person to bookmark your evil page, but if they did
<meta name="description" content="longstuffhere">
does the trick. Pretty painful for the average user to get rid of, although they can avoid the hang by not messing with that bookmark. I had to use the SQLite Manager add-on to clear it because I stupidly tested on a bookmark I wanted to keep, but that process would be completely mystifying--and likely data-destructive--to the average user. I didn't test simply removing the bookmark and re-adding it; that probably gets around the DoS.
Whiteboard: [sg:dos self-dos] → [sg:dos] persistent
Comment 6•7 years ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INACTIVE