Dos problem with marquee tag

confirmed
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040402
Firefox/0.8.0+

Created attachment 148963
Attached testcase

Same testcase as mentioned before.

It hangs on my computer too, but when I have javascript turned off, it doesn't
hang.

I see this also in Mozilla1.7RC2

with a recent moz cvs trunk build all I see Javascript errors about too much
recursion, no "hang". fixed?

ok spoke too soon, will investigate

a slightly different testcase from bug 265027
https://bugzilla.mozilla.org/attachment.cgi?id=162508&action=view

no <dl>s just <marquee>s with huge height attributes.

I split the marquee hang from comment 6 into bug 288931 as it is very different

Ok, with current trunk build it doesn't hang anymore, it's just slow.
With Mozilla1.7, I hang, so something has definetely improved since then.

This is still an issue, confirmed with Firefox 1.5.0.3. Also, this issue has been posted to BugTraq (which is where I learned of it), so visibility is likely to soon rise.

A fix would really be a good thing.

Confirmed with Bon Echo using BugTraq example.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060530 BonEcho/2.0a3

Created attachment 223870
BugTraq Testcase

Should have attached this to my last post.

Confirmed using testcase on WinXP SP1 w/ FF 1.5.0.3. I saw this on BugTraq, also. I'm surprised this hasn't been fixed yet...

*** Bug 339954 has been marked as a duplicate of this bug. ***

Using BugTraq test case.

Confirmed in:

Firefox Current Release -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Mozilla Latest Nightly -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050702

WFM in:

Firefox Latest Trunk Nightly -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060601 Minefield/3.0a1

Seems to be fixed in the trunk.

Confirmed for me in 1.5.0.4, WinXP/SP1.

fixing up title for searching (added nested, de-emphasizing DL tags), indicating relation to Bug #339954 .

Original title: "hang when many <dl> and <marquee> tags are used. exponential time increase depending on number of <dl> tags.."

New title: "hang when many nested <marquee> tags are used. exponential time increase"

*** Bug 339954 has been marked as a duplicate of this bug. ***

Dup of bug 277208? (Which is fixed on trunk, btw)

Can confirm that the first Attached testcase still hangs 2.0.

David

Was there anything in this bug to make you think it was fixed for 2.0?
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

(In reply to comment #18)
> Dup of bug 277208? (Which is fixed on trunk, btw)
>

Definitely not. Testcase still kills the trunk.

(In reply to comment #21)
> Definitely not. Testcase still kills the trunk.

Oops, yes, it is now crashing current trunk builds, this is something new, I filed bug 363722 for it. This bug is for the hanging issue (which may return after bug 363722 gets fixed).

This seems to have been assigned a CVE, though not specific to firefox: CVE-2006-6954

There are another example (exploit) on the following link

http://milw0rm.com/exploits/3606

The marquee tags are placed before the head tag.

... and earlier http://milw0rm.com/exploits/1867

CVE-2006-2723 is more appropriate, -6954 seems to be the Flock variant of the same thing.

It still happens quite frequently for me when opening certain myspace.com profiles. (with v2.0.0.11)

Thanks for the report, but please consider the Bugzilla etiquette guidelines before posting more "me too" comments in the future so that developers can more easily see the relevant information in a bug and so that people CCed to a bug (like myself) aren't needlessly spammed.
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

*** Bug 338474 has been marked as a duplicate of this bug. ***

*** Bug 432199 has been marked as a duplicate of this bug. ***

This doesn't happen with our new Marquee implementation.

This was fixed via bug 1425874.