Closed Bug 831749 Opened 11 years ago Closed 3 years ago

Crafted infinite deflated content locks up Firefox

Categories: Core :: Networking: HTTP, defect, P5
Version: 17 Branch
Tracking: RESOLVED INCOMPLETE
People: Reporter: cathy, Unassigned
Whiteboard: [necko-would-take]

User Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121130221523

Steps to reproduce:

Currently, Firefox (tested on 17.0.1 on GNU/Linux) locks up when attempting to load deflated content when (a) the content does not end and (b) the content is sent in sufficiently large chunks.

For proof of concept, see http://shared.cathyjf.com/crafted-image.png which is a crafted "image" that should lock up Firefox within a couple of seconds, rendering it nonresponsive to any further input. This image can be embedded on other pages, and then those pages will lock up Firefox as well. It's probably even more potent if you embed several of these images on one page.

One potential application of this issue is that anybody could post something like [img]http://shared.cathyjf.com/crafted-image.png[/img] on a forum and then any Firefox users viewing the forum would be locked up.

The crafted-image.png file is actually a trivial PHP program, specifically the following program:

<?php
// Claim to be a PNG so the URL can be embedded as an <img>.
header('Content-type: image/png');
// One 60001-byte line: 59999 spaces, a "0" and a newline.
$s = sprintf("%60000u\n", 0);
// Never stop writing: the response body has no end.
while (true) echo $s;
?>

To deploy on Apache, you would have to set something like this in the .htaccess file:

AddOutputFilterByType DEFLATE image/png


Actual results:

http://shared.cathyjf.com/crafted-image.png causes Firefox to lock up


Expected results:

Firefox should not lock up
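The property a client needs against a body like this is a hard budget on decompression, enforced while inflating, rather than trusting the stream to end. The following is an added example in Python, not code from the bug report or from Firefox: a generator that emulates the PHP loop as an endless gzip stream (Apache's DEFLATE filter actually sends Content-Encoding: gzip; the guard auto-detects a zlib wrapper too) and an inflater that aborts once either the decompressed or the compressed byte count exceeds a cap. The names deflated_chunks, bounded_inflate and DecompressionLimitExceeded, the sample line and the budgets are the example's own.

```python
import zlib

# Constructed stand-in for the PoC's response body: the PHP loop prints an
# endless sequence of 60000-character lines (sprintf("%60000u\n", 0)).
LINE = ("%60000d\n" % 0).encode()  # 60001 bytes: 59999 spaces, "0", "\n"


def deflated_chunks(max_lines=None, level=6):
    """Yield compressed chunks as a server-side filter would emit them, one
    chunk per line of script output. With max_lines=None the generator never
    terminates, which is the situation the bug report describes."""
    comp = zlib.compressobj(level=level, wbits=31)  # gzip container
    n = 0
    while max_lines is None or n < max_lines:
        n += 1
        # Z_SYNC_FLUSH pushes the line out immediately, as a streaming
        # response would, instead of buffering it inside the compressor.
        yield comp.compress(LINE) + comp.flush(zlib.Z_SYNC_FLUSH)
    yield comp.flush(zlib.Z_FINISH)  # only reached when max_lines is set


class DecompressionLimitExceeded(Exception):
    """Raised when the stream would exceed the caller's byte budget."""


def bounded_inflate(chunks, max_out, max_in):
    """Inflate a (possibly endless) iterable of compressed chunks without
    ever producing more than max_out decompressed bytes or consuming more
    than max_in compressed bytes. Returns (out_bytes, in_bytes, complete),
    where complete is True only if the end of the compressed stream was seen.
    """
    d = zlib.decompressobj(wbits=47)  # auto-detect gzip or zlib wrapper
    out_total = in_total = 0
    for chunk in chunks:
        in_total += len(chunk)
        if in_total > max_in:
            raise DecompressionLimitExceeded(
                "compressed input exceeds %d bytes" % max_in)
        buf = chunk
        while buf:
            # Ask for at most the remaining budget plus one byte: one byte
            # over is enough to prove the limit is breached, and any input
            # not yet inflated stays in d.unconsumed_tail.
            piece = d.decompress(buf, max_out - out_total + 1)
            out_total += len(piece)
            if out_total > max_out:
                raise DecompressionLimitExceeded(
                    "decompressed output exceeds %d bytes" % max_out)
            # A real client would hand `piece` to the image decoder here.
            buf = d.unconsumed_tail
            if d.eof:
                return out_total, in_total, True
    return out_total, in_total, False


if __name__ == "__main__":
    # A finite stream inflates completely within budget.
    print(bounded_inflate(deflated_chunks(max_lines=3),
                          max_out=1_000_000, max_in=1_000_000))
    # The endless PoC stream is cut off after roughly 17 lines instead of
    # being inflated forever.
    try:
        bounded_inflate(deflated_chunks(), max_out=1_000_000, max_in=1_000_000)
    except DecompressionLimitExceeded as exc:
        print("aborted:", exc)
```

The output cap is the one that matters for this report: each compressed chunk is tiny because the line is almost all spaces, so a cap on compressed bytes alone would let the client inflate for a long time before tripping. Checking the budget on every inflate call, rather than after the body has ended, is what keeps an endless stream from turning into an endless loop.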
Severity: normal → critical
OS: Linux → All
Hardware: x86 → All
Version: unspecified → 17 Branch
Public version at Bug #832586.
Opening per Cathy's request.
Group: core-security
Component: General → Networking: HTTP
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5

Marking this as Resolved > Incomplete as the reporter cannot be contacted for a confirmation of the issue.
If anyone can still repro the issue please re-open it or file a new bug.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE