Bug 151477

Summary: Konqueror segfault when parsing too large string as javascript object (jQuery)
Product: [Applications] konqueror Reporter: Dennis Noordsij <dennis.noordsij>
Component: kjs Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: maksim
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:

Description Dennis Noordsij 2007-10-28 20:11:29 UTC
Version:           3.5.8 (using KDE 3.5.8, Debian Package 4:3.5.8.dfsg.1-1 (lenny/sid))
Compiler:          Target: i486-linux-gnu
OS:                Linux (i686) release 2.6.18-4-686

I have prepared a test page where you can see this in action, see page for instructions.

http://www.mijnletsel.nl/resources/crashkonqueror.html

Summary:
  - use jQuery
  - use $( some_string )  to parse some_string into DOM objects, where some_string.length is fairly large (few kb). Works for small strings, segfaults konqueror on larger strings.
Comment 1 Dennis Noordsij 2008-01-12 14:10:37 UTC
Just checked, it also crashes Konqueror in KDE 4.0.0. (using Kubuntu packages).
Comment 2 Maksim Orlovich 2008-01-12 17:06:20 UTC
libpcre (the library we delegate regular expressions to) runs out of stack space on that regexp, and hence crashes. The best I can do w/that is make it abort the search, but in that case, there is no guarantee that any search results will be valid. Could you perhaps tell me what the implications of that are in this case?
Comment 3 Dennis Noordsij 2008-01-12 17:23:58 UTC
The jQuery javascript toolkit uses (apparently) regular expressions to parse a received html snippet into real DOM. If the search is aborted, konq should not continue to run the script as nothing good can come from that.

It could be treated as a javascript error? (not familiar with kjs internals so I don't know if that makes sense)

Stopping the script would be at most an inconvenience, and much better than losing the whole browser! :)
Comment 4 Maksim Orlovich 2008-01-13 19:41:39 UTC
SVN commit 760932 by orlovich:

Limit stack usage of libPCRE (and raise an exception when it runs out of 
stack space, for diagnosability).

Also, do not accept some super old (>4 year old) pcre versions; 
as they can severely cripple regexp support, and interfere with 
this bugfix. Also tweak the message about missing PCRE in configure 
check --- libPCRE doesn't result in "better" regexp support; the support
w/o it is a last-resort fallback...

Based on patch by Sune Vuorela (username debian, hostname pusling, tld com)
BUG:149191
BUG:151477


 M  +10 -1     CMakeLists.txt  
 M  +22 -8     regexp.cpp  
 M  +1 -1      regexp.h  
 M  +19 -3     regexp_object.cpp  
 M  +6 -1      regexp_object.h  
 M  +13 -6     string_object.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=760932
Comment 5 Maksim Orlovich 2008-01-13 20:06:59 UTC
SVN commit 760945 by orlovich:

Regression test for #149191, #151477
CCBUG:149191
CCBUG:151477


 M  +7 -0      RegExp.js  


WebSVN link: http://websvn.kde.org/?view=rev&revision=760945
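
The behaviour discussed in comments 2 to 4, as an added example that is not code from KJS, libPCRE or the commits above: a constructed toy backtracking matcher in C++ that recurses once per matching step, stops at a recursion budget, and reports the aborted search as an exception rather than as "no match". The names `matchHere`, `regexTest`, `throwsOnLimit` and the default limit of 1000 are assumptions made for illustration.

```cpp
#include <stdexcept>
#include <string>

// Constructed toy engine (not libPCRE). Supports literals, '.', and 'x*',
// anchored at both ends, recursing once per step like a backtracking matcher.
enum MatchResult { NoMatch = 0, Match = 1, RecursionLimit = -1 };

static MatchResult matchHere(const char* p, const char* t, int depth, int limit)
{
    if (depth > limit)
        return RecursionLimit;  // budget exhausted: abort instead of overflowing
    if (*p == '\0')
        return *t == '\0' ? Match : NoMatch;
    bool first = *t != '\0' && (*p == '.' || *p == *t);
    if (p[1] == '*') {
        if (first) {
            // Greedy: consume one more character, one frame deeper.
            MatchResult r = matchHere(p, t + 1, depth + 1, limit);
            if (r != NoMatch)
                return r;       // Match and RecursionLimit both propagate
        }
        return matchHere(p + 2, t, depth + 1, limit);  // backtrack: skip 'x*'
    }
    return first ? matchHere(p + 1, t + 1, depth + 1, limit) : NoMatch;
}

// Hypothetical caller-facing wrapper. An aborted search is not reported as
// "no match", because the result would be unreliable; it becomes an exception.
bool regexTest(const std::string& pattern, const std::string& text, int limit = 1000)
{
    MatchResult r = matchHere(pattern.c_str(), text.c_str(), 0, limit);
    if (r == RecursionLimit)
        throw std::runtime_error("regexp recursion limit exceeded");
    return r == Match;
}

// Helper: true when the search was aborted by the limit.
bool throwsOnLimit(const std::string& pattern, const std::string& text, int limit = 1000)
{
    try {
        regexTest(pattern, text, limit);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}
```

Keeping `RecursionLimit` distinct from `NoMatch` all the way up the call chain is what lets the caller stop the script instead of acting on a search result that was never completed.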