RESOLVED FIXED 40447
Infinite loop in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded 
https://bugs.webkit.org/show_bug.cgi?id=40447
Summary Infinite loop in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded
Gustaaf Groenendaal (MysteryQuest)
Reported 2010-06-10 14:30:19 PDT
Original bug here: https://bugs.webkit.org/show_bug.cgi?id=40304 Opening the page provided in the original bug: ( http://j.benzakoun.free.fr/JSNE/JavaScriptNoteEditor_b2/index.php?loadid=13&key=d16ad39b783f65e55410ab5d8ca9b4ab ) Seems to start a buffer overflow in: Web Inspector -> recources -> <file> -> contents Can confirm that this is happening on all Macs with 10.5 and up where Safari 5 or Nightly installed. Needs a check on other platforms to see if this is Mac only or not. Credit to the original reporter. Passing this on as a security bug as I don't know the risk of the cause of this bug being available in public.
Attachments
Fix performance / memory allocation problem (5.46 KB, patch)
2011-06-28 06:07 PDT, eustas.bug 		no flags
DetailsFormatted DiffDiff
Fix performance / memory allocation problem (5.47 KB, patch)
2011-06-30 01:38 PDT, eustas.bug 		pfeldman: review-
DetailsFormatted DiffDiff
Fix performance / memory allocation problem (5.74 KB, patch)
2011-06-30 05:15 PDT, eustas.bug 		pfeldman: review-
DetailsFormatted DiffDiff
WebInspector: Fix performance / memory allocation problem (5.78 KB, patch)
2011-06-30 08:05 PDT, eustas.bug 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2010-06-30 17:09:17 PDT
This appears to be a denial-of-service (DoS) attack, or at least a performance issue. I see a lot of RAM being allocated when tapping on the "Content" tab of "index.php" in the Web Inspector, but nothing else. I think this should be duped back to Bug 40304 unless there is more information available. (Can you attach a crash log, Gustaaf?)
Pavel Feldman
Comment 2 2010-07-01 00:43:47 PDT
It is just an infinite loop in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded. I'll fix it.
David Kilzer (:ddkilzer)
Comment 3 2010-09-21 17:21:23 PDT
(In reply to comment #2) > It is just an infinite loop in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded. I'll fix it. Does this really need to be in Security if it's an infinite loop?
David Kilzer (:ddkilzer)
Comment 4 2011-03-15 10:02:49 PDT
(In reply to comment #3) > Does this really need to be in Security if it's an infinite loop? Removing from Security group.
eustas.bug
Comment 5 2011-06-28 06:07:44 PDT
Created attachment 98905 [details] Fix performance / memory allocation problem
Pavel Feldman
Comment 6 2011-06-29 06:29:19 PDT
Comment on attachment 98905 [details] Fix performance / memory allocation problem View in context: https://bugs.webkit.org/attachment.cgi?id=98905&action=review Looks good. Please fix the log entry at least. > Source/WebCore/ChangeLog:5 > + Infinite loop in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded You should change the log entry in case it was not in fact an infinite loop. Also, please start bug title with the "Web Inspector:". > Source/WebCore/inspector/front-end/TextEditorModel.js:152 > + var sum = 0; I'd rename "sum" to the "offset". > Source/WebCore/inspector/front-end/TextEditorModel.js:164 > + if (line.length > caretIndex) { no need for { } > LayoutTests/inspector/editor/text-editor-model-replace-tabs.html:15 > + InspectorTest.addResult("Output length:" + lines[0].length + ", output matches sample:" + (lines[0] === sampleOutput)); We would typically dump "text" and "sampleOutput" instead. It is way more informative.
eustas.bug
Comment 7 2011-06-30 01:38:40 PDT
Created attachment 99255 [details] Fix performance / memory allocation problem
Pavel Feldman
Comment 8 2011-06-30 01:48:06 PDT
Comment on attachment 99255 [details] Fix performance / memory allocation problem View in context: https://bugs.webkit.org/attachment.cgi?id=99255&action=review > Source/WebCore/ChangeLog:5 > + Performance / memory allocation issue in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded Web Inspector: prefix missing > LayoutTests/ChangeLog:5 > + Performance / memory allocation issue in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded ditto > LayoutTests/inspector/editor/text-editor-model-replace-tabs-expected.txt:16 > +[] It'd be nicer to print results side by side with the source lines. You should also render tab as \t in the source to avoid possible confusions (I have tab rendered as 8 spaces in my settings). > LayoutTests/inspector/editor/text-editor-model-replace-tabs.html:35 > + result = "FAIL: time limit (100ms) exceeded (execution time: " + duration + "ms)" This won't work on the bots. Things may take seconds there. Please do not test performance in the layout tests - they become flaky. As we agree, measuring correctness is sufficient.
eustas.bug
Comment 9 2011-06-30 05:15:17 PDT
Created attachment 99278 [details] Fix performance / memory allocation problem
Pavel Feldman
Comment 10 2011-06-30 06:21:58 PDT
Comment on attachment 99278 [details] Fix performance / memory allocation problem View in context: https://bugs.webkit.org/attachment.cgi?id=99278&action=review > Source/WebCore/ChangeLog:5 > + Performance / memory allocation issue in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded Please add WebInspector: prefix. > LayoutTests/ChangeLog:5 > + Performance / memory allocation issue in WebInspector.TextEditorModel.prototype._replaceTabsIfNeeded Ditto > LayoutTests/inspector/editor/text-editor-model-replace-tabs.html:12 > + var input = testCases[i]; weird indent, otherwise looks good. > LayoutTests/inspector/editor/text-editor-model-replace-tabs.html:22 > + var bufT = []; nit: no abbreviations in webkit (bufferT & bufferS)
eustas.bug
Comment 11 2011-06-30 08:05:12 PDT
Created attachment 99303 [details] WebInspector: Fix performance / memory allocation problem
WebKit Review Bot
Comment 12 2011-06-30 23:50:26 PDT
Comment on attachment 99303 [details] WebInspector: Fix performance / memory allocation problem Clearing flags on attachment: 99303 Committed r90209: <http://trac.webkit.org/changeset/90209>
WebKit Review Bot
Comment 13 2011-06-30 23:50:31 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.