Bug 311680 - konqueror crashes on billion laughs xml
Summary: konqueror crashes on billion laughs xml
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 4.9.3
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2012-12-14 11:30 UTC by John Haxby
Modified: 2020-12-14 14:36 UTC


Description John Haxby 2012-12-14 11:30:08 UTC
Application: konqueror (4.9.3)
KDE Platform Version: 4.9.3
Qt Version: 4.8.4
Operating System: Linux 3.6.9-2.fc17.x86_64 x86_64
Distribution: "Fedora release 17 (Beefy Miracle)"

-- Information about the crash:
- What I was doing when the application crashed:

Mainly to see what would happen :) I extracted the Billion Laughs xml from http://en.wikipedia.org/wiki/Billion_laughs, put it in a file called /tmp/billion.xml and ran:

    konqueror /tmp/billion.xml

konqueror opened up the window and then sat chewing CPU for quite a while and finally keeled over.  At the time it died, its RSS had reached 2.1GB.

This is a fairly well-known DoS attack and presumably could be triggered by visiting a suitably malicious web site.

-- Backtrace:
Application: Konqueror (konqueror), signal: Aborted
Using host libthread_db library "/lib64/libthread_db.so.1".
82	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
[Current thread is 1 (Thread 0x7fbc1ad1e880 (LWP 8053))]

Thread 2 (Thread 0x7fbc0ab58700 (LWP 8055)):
#0  0x00000030db4e8bdf in __GI___poll (fds=<optimized out>, nfds=<optimized out>, timeout=<optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00000030dd447af4 in g_main_context_poll (n_fds=1, fds=0x7fbc04002bb0, timeout=-1, context=0x7fbc040009a0, priority=<optimized out>) at gmain.c:3440
#2  g_main_context_iterate (context=context@entry=0x7fbc040009a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3141
#3  0x00000030dd447c14 in g_main_context_iteration (context=0x7fbc040009a0, may_block=1) at gmain.c:3207
#4  0x00000033011a5fe6 in QEventDispatcherGlib::processEvents (this=0x7fbc040008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#5  0x00000033011766ef in QEventLoop::processEvents (this=this@entry=0x7fbc0ab57cd0, flags=...) at kernel/qeventloop.cpp:149
#6  0x0000003301176978 in QEventLoop::exec (this=0x7fbc0ab57cd0, flags=...) at kernel/qeventloop.cpp:204
#7  0x0000003301078940 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:542
#8  0x0000003301156f0f in QInotifyFileSystemWatcherEngine::run (this=0x15972b0) at io/qfilesystemwatcher_inotify.cpp:256
#9  0x000000330107b91c in QThreadPrivate::start (arg=0x15972b0) at thread/qthread_unix.cpp:338
#10 0x00000030dc007d14 in start_thread (arg=0x7fbc0ab58700) at pthread_create.c:309
#11 0x00000030db4f168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7fbc1ad1e880 (LWP 8053)):
[KCrash Handler]
#6  0x00000030db435935 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#7  0x00000030db4370e8 in __GI_abort () at abort.c:91
#8  0x00000030dfc60dad in __gnu_cxx::__verbose_terminate_handler () at ../../../../libstdc++-v3/libsupc++/vterminate.cc:95
#9  0x00000030dfc5eea6 in __cxxabiv1::__terminate (handler=<optimized out>) at ../../../../libstdc++-v3/libsupc++/eh_terminate.cc:40
#10 0x00000030dfc5eed3 in std::terminate () at ../../../../libstdc++-v3/libsupc++/eh_terminate.cc:50
#11 0x00000030dfc5f146 in __cxxabiv1::__cxa_rethrow () at ../../../../libstdc++-v3/libsupc++/eh_throw.cc:116
#12 0x0000003301176be4 in QEventLoop::exec (this=<optimized out>, flags=...) at kernel/qeventloop.cpp:218
#13 0x000000330117b768 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1218
#14 0x00000033074b0572 in kdemain (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/kde-baseapps-4.9.3/konqueror/src/konqmain.cpp:227
#15 0x00000030db421735 in __libc_start_main (main=0x400820 <main(int, char**)>, argc=2, ubp_av=0x7ffffd7d0658, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffffd7d0648) at libc-start.c:226
#16 0x0000000000400851 in _start ()

Possible duplicates by query: bug 308801, bug 308152, bug 306773, bug 306218, bug 305584.

Reported using DrKonqi
Comment 1 Dawit Alemayehu 2013-01-05 07:13:07 UTC
Does not crash with the webkit engine. Actually the error is caught. It does however cause a lockup with the khtml engine.
Comment 2 Justin Zobel 2020-12-13 02:26:49 UTC
Thank you for the crash report, John.

As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved?

I have set the bug status to "needsinfo" pending your response; please change it back to "reported" or "resolved/worksforme" when you respond. Thank you.
Comment 3 John Haxby 2020-12-14 14:30:55 UTC
As of Konqueror 20.08.3 this no longer crashes: I just get a box with this:
~~~
This page contains the following errors:

error on line 15 at column 13: Detected an entity reference loop

Below is a rendering of the page up to the first error.
~~~
so I think we can safely say that this works as expected now.
Comment 4 John Haxby 2020-12-14 14:36:09 UTC
Working version information:

Application: konqueror (20.08.3)
KDE Frameworks 5.75.0
Qt Version: 5.15.2
Operating System: Linux 5.9.13-200.fc33.x86_64Linux 3.6.9-2.fc17.x86_64
Distribution: "Fedora 33 (Thirty Three)"
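An added example, not code from this bug or from Konqueror/khtml, of the check a parser front end can apply so that the nested-entity document from the description, and the entity loop that the error message in comment 3 reports, are rejected before expat starts expanding anything. It uses Python's expat bindings; the function names and the constructed sample documents are my own.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")   # general entity references; &#...; cannot nest

class EntityExpansionError(ValueError):
    """The DTD's entities would expand past the budget, or reference each other in a loop."""

def _expanded_size(name, decls, memo, stack):
    """Characters produced by fully expanding &name;, detecting loops along `stack`."""
    if name in memo:
        return memo[name]
    if name not in decls:                  # predefined (&amp;) or undeclared: count the reference text
        return len(name) + 2
    if name in stack:
        raise EntityExpansionError(f"entity reference loop through &{name};")
    stack.add(name)
    value = decls[name]
    size = len(ENTITY_REF.sub("", value))  # literal characters in the replacement text
    for ref in ENTITY_REF.findall(value):  # plus every nested reference, expanded in turn
        size += _expanded_size(ref, decls, memo, stack)
    stack.remove(name)
    memo[name] = size
    return size

def parse_with_budget(xml_text, max_expansion=100_000):
    """Parse with expat, failing before any entity could expand past max_expansion.
    Returns (element names in document order, expanded size of each internal general entity)."""
    decls, sizes, elements = {}, {}, []
    parser = xml.parsers.expat.ParserCreate()
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entity; external ones carry value None
            decls[name] = value

    def end_doctype():  # expat calls this after the DTD and before any content, i.e. before expansion
        for name in decls:
            sizes[name] = _expanded_size(name, decls, sizes, set())
            if sizes[name] > max_expansion:
                raise EntityExpansionError(f"&{name}; expands to {sizes[name]} chars, limit {max_expansion}")
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_text, True)
    return elements, sizes

# Constructed samples: a benign document, a 3-deep/3-wide cut-down of the nested-entity pattern, and a loop.
BENIGN_XML = '<!DOCTYPE g [<!ENTITY who "world"><!ENTITY hi "Hello, &who;!">]><g>&hi;</g>'
NESTED_XML = ('<!DOCTYPE lolz [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;">'
              '<!ENTITY c "&b;&b;&b;"><!ENTITY d "&c;&c;&c;">]><lolz>&d;</lolz>')
LOOP_XML = '<!DOCTYPE r [<!ENTITY x "&y;"><!ENTITY y "&x;">]><r>&x;</r>'
```

With the default budget the cut-down sample parses and reports that &d; expands to 81 characters; lowering the budget, or feeding it the looping DTD, raises EntityExpansionError before the document body is touched, which is the behaviour the 20.08.3 error box in comment 3 shows for the full-size file.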