
Readily embeddable DOS: crafted infinite deflated content locks up Firefox

Networking: HTTP
5 years ago

(Reporter: Cathy J. Fitzpatrick, Unassigned)

Firefox Tracking Flags: (Not tracked)

5 years ago
+++ This bug was initially created as a clone of Bug #831749 +++

User Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121130221523

Steps to reproduce:

Currently, Firefox (tested on 17.0.1 on GNU/Linux) locks up when attempting to load deflated content when (a) the content does not end and (b) the content is sent in sufficiently large chunks.

For proof of concept, see http://shared.cathyjf.com/crafted-image.png which is a crafted "image" that should lock up Firefox within a couple seconds, rendering it nonresponsive to any further input. This image can be embedded on other pages, and then those pages will lock up Firefox as well. It's probably even more potent if you embed multiple of these images on one page.

One potential application of this issue is that anybody could post something like [img]http://shared.cathyjf.com/crafted-image.png[/img] on a forum and then any Firefox users viewing the forum would be locked up. Similarly, the crafted image could be embedded on any web site that allows Markdown, such as GitHub,

The crafted-image.png file is actually a trivial PHP program, specifically the following program:

<?php
// Declare the response as a PNG so the browser treats it as an image.
header('Content-type: image/png');
// One line of 60000 characters: a zero padded with spaces, which compresses extremely well.
$s = sprintf("%60000u\n", 0);
// Never stop sending the line, so the (deflated) response body has no end.
while (true) echo $s;

To deploy on Apache, you would have to set something like this in the .htaccess file:

AddOutputFilterByType DEFLATE image/png

Actual results:

http://shared.cathyjf.com/crafted-image.png causes Firefox to lock up

Expected results:

Firefox should not lock up
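The hang comes from inflating a response body that never ends: every compressed chunk expands to a large block of output and the decoder never runs out of work. The defensive counterpart is a decoder with a hard output budget. The example below is added here and is not code from the bug, from Firefox or from Mozilla; it inflates a constructed, zlib-wrapped stream (the same kind of highly compressible padding the PoC sends, but finite) in bounded slices and stops with an error once the caller's limit is reached. The names bounded_inflate, OutputBudgetExceeded, SAMPLE_DEFLATED and the 64 KiB slice size are assumptions of this example.

```python
import zlib

# Constructed sample: 100 lines of a zero padded to 60000 columns, as in the
# PoC, but finite. Deflated with the zlib wrapper (wbits=15); a gzip body
# would use wbits=31. A few KB on the wire inflate to ~6 MB.
LINE = ("%60000d\n" % 0).encode()
SAMPLE_DEFLATED = zlib.compress(LINE * 100)


class OutputBudgetExceeded(Exception):
    """Inflated output would exceed the limit the caller is willing to hold."""


def bounded_inflate(stream_chunks, max_output=1_000_000, slice_size=64 * 1024, wbits=15):
    """Inflate `stream_chunks` (an iterable of bytes as they arrive) while
    producing at most `max_output` bytes in total.

    Work is done in `slice_size` pieces, so one large network chunk cannot
    monopolise the caller's loop, and the decoder raises instead of looping
    forever on a body that never ends.
    """
    d = zlib.decompressobj(wbits)
    produced = 0
    out = []
    for chunk in stream_chunks:
        data = chunk
        # Loop until this chunk's compressed bytes are consumed or the stream ends.
        while data and not d.eof:
            if produced >= max_output:
                raise OutputBudgetExceeded(
                    "inflated body exceeds %d bytes" % max_output)
            # max_length caps this call's output; compressed input it could not
            # process yet is handed back in d.unconsumed_tail.
            piece = d.decompress(data, min(slice_size, max_output - produced))
            produced += len(piece)
            out.append(piece)
            data = d.unconsumed_tail
    return b"".join(out)
```

In a browser or proxy the same budget would be applied per response, and the slice loop would yield to the event loop between pieces rather than running to completion as it does here.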

Comment 1

5 years ago
This bug was originally posted with the secret flag set; however, no one looked at it so clearly it's not considered very important. I would just remove the secret flag but that doesn't appear to be possible.


5 years ago
Version: 17 Branch → unspecified

Comment 2

5 years ago
This bug also exists on Firefox 18.
That is only a DOS, right?
There are millions of ways to DOS a browser...
I can't access bug 831749 but from the bug# it's only a few days old.
Component: General → Networking: HTTP
Keywords: hang

Comment 4

5 years ago
Yes, I realise it is not that serious; that is why I made this non-private version. The original version should not have been private, but I am not able to remove the secret flag.
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 831749