Closed Bug 266140 Opened 20 years ago Closed 13 years ago

Browser crash when copying large amounts of text into a textarea

Categories: Core Graveyard :: GFX: Gtk, defect

Platform: PowerPC / Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: samtygier, Assigned: blizzard)

References

Details

(Keywords: crash, Whiteboard: [needs fix for bug 210931 or GDK fix])

Attachments

(3 files)

User-Agent: Mozilla/5.0 (X11; U; Linux ppc; rv:1.7.3) Gecko/20040919 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux ppc; rv:1.7.3) Gecko/20040919 Firefox/0.10.1

When copying a few hundred kilobytes into a textarea in a form, the browser crashes. If this is a buffer overflow thingy then it could be a security problem. If large amounts of text can be put in a textarea using HTML or JavaScript, then this could be exploitable.

Reproducible: Always

Steps to Reproduce:
1. Open a page with a form with a textarea, like this one or http://slashdot.org/submit.pl.
2. Open a tab with a large amount of text; I used http://www.gutenberg.net/dirs/etext97/1ws3610.txt from Project Gutenberg.
3. Select all the text and copy it, then paste it a few times.

Actual Results:
The browser window then promptly closes.

Expected Results:
Surely not a crash. Maybe a message asking why I would want to put a few hundred kilobytes in a form.
Any evidence that this is indeed exploitable? If yes, please write to security@ again.
Can't repro on Windows XP. For anyone trying this on Linux note the reporter is running on PPC hardware which might make a difference. Changing component, there's nothing Firefox-specific about textareas. Even though I can't confirm the crash I'm going to assume that if it's platform-specific it's not an exploit in Mozilla code. Removing security flag so this bug can get more scrutiny, especially since Linux PPC has fewer testers.
Group: security
Component: General → Layout: Form Controls
Keywords: crash
Product: Firefox → Browser
Version: unspecified → 1.7 Branch
Couldn't repro on Linux (x86) either. Either it was a bug fixed since the old build you have (please test with a new build) or it's PPC only. Would be important to know which.
Blocks: sbb?
How do I build a more recent Firefox? I got my build from http://www.thecodefactory.org/mozilla/; they seem to have the compile options I'd need. Where do I get the latest source from?
Worksforme with linux trunk 20041026 and 1.7.3
1.8a4 source: http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.8a4/src/
trunk source: http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest/
(you don't want to build firefox from those, just Mozilla/Seamonkey)
Assignee: firefox → nobody
QA Contact: firefox.general → core.layout.form-controls
Built mozilla from http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest/

Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8a5) Gecko/20041027

It still crashes when following through my steps. I have tried making an HTML page with a large amount of text between textarea tags, and that did not seem to crash. Has anyone else on PPC Linux got this to crash? What about Mac OS X? I am running Yellow Dog 4 on a PowerBook G4 with 512 MB RAM, KDE 3.2.
Can you get a stack trace from your build? Make sure you've compiled without --enable-strip. For bonus points, compile with --enable-optimize="-O -g" or even --enable-debug; the resulting build will be very large.
Last messages in terminal when mozilla crashes (with a debug build):

window moved to offscreen position
window moved to offscreen position
Gdk-ERROR **: BadWindow (invalid Window parameter)
  serial 53683 error_code 3 request_code 18 minor_code 0
nsStringStats
 => mAllocCount:     37369
 => mReallocCount:    6580
 => mFreeCount:      29558  --  LEAKED 7811 !!!
 => mShareCount:     35295
 => mAdoptCount:      5232
 => mAdoptFreeCount:  5140  --  LEAKED 92 !!!
Start with:
  ./mozilla -g -d gdb --sync
then hit Ctrl-C and
  (gdb) b exit
  (gdb) cont
  [make mozilla crash]
  (gdb) bt
  [copy/paste output of "bt" into a file and attach the file to this bug]
Oops...
  ./mozilla -g -d gdb --sync
  (gdb) b exit
  (gdb) run
  [make mozilla crash]
  ...
Attached file stack trace (deleted) —
looks like a gtk problem
Assignee: nobody → blizzard
Status: UNCONFIRMED → NEW
Component: Layout: Form Controls → GFX: Gtk
Ever confirmed: true
QA Contact: core.layout.form-controls → ian
Version: 1.7 Branch → Trunk
Reporter, what exact gtk version are you using? It looks like GTK does its usual thing and just calls exit() instead of reporting a useful (and catchable) error to the caller...
I am running the GTK that came with Yellow Dog Linux 4. It seems to have come in the package gtk2-2.4.0-1.ydl.2.ppc.rpm, implying 2.4.0 with possibly some vendor patches.
*** Bug 297666 has been marked as a duplicate of this bug. ***
Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
The text I copied is 1.3 MB.
Does this happen with a trunk build?
(In reply to comment #17)
> Does this happen with a trunk build?

I had used this Firefox: http://download.mozilla.org/?product=firefox-1.0.4&os=linux&lang=de-DE but perhaps it is an error in KDE (3.4.1 SuSE RPMs)? I do not know much about all this stuff, but I am able to copy the text from one KDE application to another.
(In reply to comment #17)
If I copy that text from a Firefox textarea to another Firefox textarea I get a crash, but copying that text to a KDE application is no problem (it takes a few seconds), and then I am not able to copy the text back to the Firefox textarea.
> I had used this Firefox:

That's using the more-than-a-year-old 1.7 branch of the rendering engine. Could you please try the Deer Park preview or a current nightly build?
Confirming this problem with Firefox 1.5.0.5 on Kubuntu 6.06 (gtk 2.4.0). When I paste large amounts of text in a textarea, Firefox exits unexpectedly. Konqueror doesn't seem to have this problem.
Is that a mozilla.org Firefox build? If so, do you have a talkback incident ID? If you run it from the command line, are there any error messages printed to that terminal?
Hi, thanks for your quick reply. Appreciate it. This is an install from the Ubuntu main repository. The package name is simply 'firefox'. I don't get a talkback incident ID. Firefox just crashes suddenly. I do get a message when I run firefox from the command line:

The program 'Gecko' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
  (Details: serial 78267 error_code 3 request_code 18 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Ah, wonderful. The usual thing -- X sends an error to GDK, and GDK calls exit() without allowing the application to handle the error. :(

> I don't get a talkback incident ID.

Right. You only get those with Mozilla.org builds, and the one you're using is built by Ubuntu.... And talkback wouldn't come up in this case anyway, because this is not a crash; this is a part of the program (that we unfortunately don't control) deciding it's time to quit. Would it be possible for you to check whether the problem is reproducible with a Mozilla.org build of Firefox? You should be able to just download one to /tmp, untar it there, and run it from there.
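The comment above draws the distinction that matters for triage of this bug: an X protocol error that GDK turns into exit() is not a memory-safety crash, so no talkback, no core dump and no fatal signal will ever show up. The following script is an added example (not part of this bug, of Mozilla, or of GDK) that automates that check over a program's final stderr lines. It decodes the "serial / error_code / request_code / minor_code" tail printed in both formats seen in this bug, maps the numbers to the standard X11 core protocol names (BadWindow = 3, X_ChangeProperty = 18, from X.h and Xproto.h), and separates that case from a genuine fatal-signal crash. The two X error samples are copied from the comments above; the segfault line is constructed.

```python
"""Triage a GTK program's last stderr lines: X protocol error exit vs. real crash.

Added example, not code from this bug, Mozilla or GDK. Opcode/error tables
are the X11 core protocol values from X.h and Xproto.h.
"""
import re

# X11 core protocol error codes (X.h). Success = 0 is never reported.
X_ERROR_NAMES = {
    1: "BadRequest", 2: "BadValue", 3: "BadWindow", 4: "BadPixmap",
    5: "BadAtom", 6: "BadCursor", 7: "BadFont", 8: "BadMatch",
    9: "BadDrawable", 10: "BadAccess", 11: "BadAlloc", 12: "BadColor",
    13: "BadGC", 14: "BadIDChoice", 15: "BadName", 16: "BadLength",
    17: "BadImplementation",
}

# Subset of X11 core request opcodes (Xproto.h) used by selection/clipboard
# transfers. Large selections move through window properties (INCR), so a
# stale window id surfaces as BadWindow on one of these requests.
X_REQUEST_NAMES = {
    18: "X_ChangeProperty", 19: "X_DeleteProperty", 20: "X_GetProperty",
    22: "X_SetSelectionOwner", 23: "X_GetSelectionOwner",
    24: "X_ConvertSelection", 25: "X_SendEvent",
}

# The detail tail is identical in the old "Gdk-ERROR **:" line and in the
# newer "received an X Window System error" message, so one pattern covers both.
_X_DETAILS_RE = re.compile(
    r"serial (?P<serial>\d+) error_code (?P<error>\d+) "
    r"request_code (?P<request>\d+) minor_code (?P<minor>\d+)"
)
# Traces a genuine memory-safety crash would leave on stderr.
_FATAL_SIGNAL_RE = re.compile(
    r"Segmentation fault|SIGSEGV|SIGBUS|Bus error|SIGABRT|Aborted"
)


def parse_x_error(stderr_text):
    """Return the decoded X error fields, or None if no X error is present."""
    m = _X_DETAILS_RE.search(stderr_text)
    if m is None:
        return None
    serial, error, request, minor = (
        int(m.group(k)) for k in ("serial", "error", "request", "minor")
    )
    # Core requests use opcodes 1..127; 128 and up are extension major
    # opcodes, where minor_code selects the request inside the extension.
    if request >= 128:
        request_name = "extension major opcode %d" % request
    else:
        request_name = X_REQUEST_NAMES.get(request, "core opcode %d" % request)
    return {
        "serial": serial,
        "error_code": error,
        "error_name": X_ERROR_NAMES.get(error, "unknown(%d)" % error),
        "request_code": request,
        "request_name": request_name,
        "minor_code": minor,
    }


def triage(stderr_text):
    """Classify the termination described by a program's final stderr output.

    'x-protocol-error': the X server rejected a request and GDK's default
    handler called exit(). No signal, no core, no crash-reporter entry.
    'fatal-signal': the process died of SIGSEGV/SIGBUS/SIGABRT; treat as a
    potential memory-safety bug and collect a stack.
    """
    x = parse_x_error(stderr_text)
    if x is not None:
        return {"kind": "x-protocol-error", "memory_safety_signal": False,
                "detail": x,
                "next_step": "run with --sync, break on gdk_x_error or exit in gdb, then bt"}
    if _FATAL_SIGNAL_RE.search(stderr_text):
        return {"kind": "fatal-signal", "memory_safety_signal": True,
                "detail": None,
                "next_step": "collect a core dump or crash-reporter stack"}
    return {"kind": "unknown", "memory_safety_signal": False,
            "detail": None, "next_step": "re-run under gdb"}


# Sample stderr text: the first two are copied from this bug's comments,
# the third is a constructed line for comparison.
SAMPLE_GTK = (
    "The program 'Gecko' received an X Window System error.\n"
    "The error was 'BadWindow (invalid Window parameter)'.\n"
    "  (Details: serial 78267 error_code 3 request_code 18 minor_code 0)\n"
)
SAMPLE_GDK_OLD = (
    "Gdk-ERROR **: BadWindow (invalid Window parameter)\n"
    "  serial 53683 error_code 3 request_code 18 minor_code 0\n"
)
SAMPLE_SEGV = "Segmentation fault (core dumped)\n"

if __name__ == "__main__":
    for name, text in (("gtk", SAMPLE_GTK), ("gdk-old", SAMPLE_GDK_OLD),
                       ("segv", SAMPLE_SEGV)):
        print(name, triage(text))
```

Both samples from this bug decode to BadWindow on X_ChangeProperty (a core opcode, minor_code 0), which is what a property-based transfer of a large selection looks like when the window on the other end has gone away; that is a hint to look at the clipboard/selection code path, not at a buffer overflow in the textarea.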
Ok, I just downloaded from http://www.mozilla.com/products/download.html?product=firefox-1.5.0.6&os=linux&lang=en-US the newest mozilla.org build (1.5.0.6) and got exactly the same error.
Oh, by the way: I think bug #228475 is related to this bug. I've added a comment to that bug also. Bug #228475 is actually more serious as it crashes my entire X-server taking down all running applications with it. This leaves me crying for the unsaved work I've lost ;-)
_maybe_ bug 210931 will help here. :( Past that, please file bugs on the GDK developers. We wish they'd just pass the error back to us so we can handle it instead of bringing down the app. :(
Depends on: 210931
Product: Core → Core Graveyard
Blocks: longlines
Whiteboard: [needs fix for bug 210931 or GDK fix]
Attached file Testcase (deleted) —
I can't reproduce this problem on a Mac with this testcase. Asking bjacob to reproduce with this testcase on Linux
With the following testcase bjacob gets performance that is a bit slow. We compared with Chrome, which is significantly slower and shows a garbled URL bar. A related bug could be opened to address some performance issues; however, we are talking about multiple copy and pastes of 700KB text chunks. Please reopen if you can reproduce this issue.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME