Bug 151477 - Konqueror segfault when parsing too large string as javascript object( jQuery)
Summary: Konqueror segfault when parsing too large string as javascript object( jQuery)
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: kjs
Version: unspecified
Platform: unspecified Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-28 20:11 UTC by Dennis Noordsij
Modified: 2008-01-13 20:07 UTC (History)

See Also:
Latest Commit:
Version Fixed In:


Description Dennis Noordsij 2007-10-28 20:11:29 UTC
Version:           3.5.8 (using KDE 3.5.8, Debian Package 4:3.5.8.dfsg.1-1 (lenny/sid))
Compiler:          Target: i486-linux-gnu
OS:                Linux (i686) release 2.6.18-4-686

I have prepared a test page where you can see this in action, see page for instructions.

http://www.mijnletsel.nl/resources/crashkonqueror.html

Summary:
  - use jQuery
  - use $( some_string )  to parse some_string into DOM objects, where some_string.length is fairly large (few kb). Works for small strings, segfaults konqueror on larger strings.
Comment 1 Dennis Noordsij 2008-01-12 14:10:37 UTC
Just checked, it also crashes Konqueror in KDE 4.0.0. (using Kubuntu packages).
Comment 2 Maksim Orlovich 2008-01-12 17:06:20 UTC
libpcre (the library we delegate regular expressions to) runs out of stackspace on that regexp, and hence crashes. The best I can do w/that is make it abort the search, but in that case, there is no guarantee that any search results will be valid. Could you perhaps tell me what the implications of that are in this case?
Comment 3 Dennis Noordsij 2008-01-12 17:23:58 UTC
The jQuery javascript toolkit uses (apparently) regular expressions to parse a received html snippet into real DOM. If the search is aborted, konq should not continue to run the script as nothing good can come from that.

It could be treated as a javascript error? (not familiar with kjs internals so I don't know if that makes sense)

Stopping the script would be at most an inconvenience, and much better than losing the whole browser! :)
Comment 4 Maksim Orlovich 2008-01-13 19:41:39 UTC
SVN commit 760932 by orlovich:

Limit stack usage of libPCRE (and raise an exception when it runs out of 
stack space, for diagnosability).

Also, do not accept some super old (>4 year old) pcre versions; 
as they can severely cripple regexp support, and interfere with 
this bugfix. Also tweak the message about missing PCRE in configure 
check --- libPCRE doesn't result in "better" regexp support; the support
w/o it is a last-resort fallback...

Based on patch by Sune Vuorela (username debian, hostname pusling, tld com)
BUG:149191
BUG:151477


 M  +10 -1     CMakeLists.txt  
 M  +22 -8     regexp.cpp  
 M  +1 -1      regexp.h  
 M  +19 -3     regexp_object.cpp  
 M  +6 -1      regexp_object.h  
 M  +13 -6     string_object.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=760932
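The mitigation the commit describes, shown as an added example that is not kjs or libpcre code: a minimal Kernighan-style backtracking matcher (literals, `.`, `*`, `^`, `$`) stands in for PCRE's recursive matcher, and a depth limit makes it return a distinct error code instead of recursing until the C stack is exhausted. The `match_limited`/`demo_long_input` names and the 5000-character input are constructed for this illustration.

```c
/* Added example (not kjs or libpcre code): a Kernighan-style backtracking matcher
 * with a recursion-depth limit that reports an error instead of overflowing the stack. */
#include <string.h>
enum { MATCH_NO = 0, MATCH_YES = 1, MATCH_DEPTH_EXCEEDED = -1 };
static int matchhere(const char *re, const char *text, int depth, int limit);

/* Match c*re at the start of text, backtracking one character at a time. */
static int matchstar(int c, const char *re, const char *text, int depth, int limit)
{
    int r = matchhere(re, text, depth + 1, limit);
    if (r != MATCH_NO)            /* matched, or the depth limit was hit */
        return r;
    if (*text != '\0' && (*text == c || c == '.'))
        return matchstar(c, re, text + 1, depth + 1, limit);
    return MATCH_NO;
}

/* Match re at the start of text; every recursive call costs one depth unit. */
static int matchhere(const char *re, const char *text, int depth, int limit)
{
    if (depth > limit)
        return MATCH_DEPTH_EXCEEDED; /* stop before the C stack is exhausted */
    if (re[0] == '\0')
        return MATCH_YES;
    if (re[1] == '*')
        return matchstar(re[0], re + 2, text, depth, limit);
    if (re[0] == '$' && re[1] == '\0')
        return *text == '\0' ? MATCH_YES : MATCH_NO;
    if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return matchhere(re + 1, text + 1, depth + 1, limit);
    return MATCH_NO;
}

/* Search for re anywhere in text; returns MATCH_YES, MATCH_NO or MATCH_DEPTH_EXCEEDED. */
int match_limited(const char *re, const char *text, int limit)
{
    if (re[0] == '^')
        return matchhere(re + 1, text, 0, limit);
    do {
        int r = matchhere(re, text, 0, limit);
        if (r != MATCH_NO)
            return r;
    } while (*text++ != '\0');
    return MATCH_NO;
}
/* Constructed input: 5000 'a's and no 'z', so ".*z" backtracks across all of it. */
int demo_long_input(int depth_limit)
{
    static char text[5001];       /* zero-initialised, so it stays NUL-terminated */
    memset(text, 'a', sizeof text - 1);
    return match_limited(".*z", text, depth_limit);
}
```

A caller that gets MATCH_DEPTH_EXCEEDED must not treat the partial search as a result, which is the point Comment 3 makes: surface it as a script error rather than continue.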
Comment 5 Maksim Orlovich 2008-01-13 20:06:59 UTC
SVN commit 760945 by orlovich:

Regression test for #149191, #151477
CCBUG:149191
CCBUG:151477


 M  +7 -0      RegExp.js  


WebSVN link: http://websvn.kde.org/?view=rev&revision=760945