Crash Chrome With 16 Characters
An anonymous reader writes: Remember when it took just eight characters to crash Skype? Apparently it takes double that to take out Chrome: Typing in a 16-character link and hitting enter, clicking on a 16-character link, or even just putting your cursor over a 16-character link, will crash Google's browser. To try it yourself, fire up Chrome 45 (the latest stable version) or older and put this into your address bar: http: //a/%%30%30 (without the space).
It's not just Chrome (Score:5, Informative)
Re: (Score:3)
Vivaldi crashes too, on Windows and Linux.
Does not crash Chromium (Score:2, Informative)
According to TFS, it should work on v45 and older. It does not crash Chromium. I entered "http: //a/%%30%30" (without the quotes) then "http://a/%%30%30" (without the quotes) into the address bar, and it just took me to the Startpage web search in both cases (as it should). FWIW, I'm using Chromium Version 44.0.2403.89 Ubuntu 14.04 (64-bit), on Xubuntu 14.04.
Re: (Score:2)
Doesn't crash me either. google-chrome 43.0.2357.134, Fedora 22.
Re: (Score:2)
Using the http://a/%2500 [a] version just brings up a blank page and using just
I'm frustrated; has /. become a text version of bad Tumblr GIFs?
Re: (Score:2)
Crashes my Chromium quite nicely, thank you. About says it's "Version 45.0.2454.85 Built on 8.1, running on Debian 8.2 (64-bit)". Just entering it on the URL line doesn't do anything, but as soon as I hit enter, boom, Chromium just terminates. Ah, the joys of being up-to-date on your patches...
Re: (Score:2)
Crashes (or more precisely: starts to redirect and then proceeds to close down all instances) as soon as I hit enter
Chromium Version 45.0.2454.93 (64-bit) on Arch Linux
Re:Does not crash Chrome on my Win7 laptop (Score:2)
It does not crash the copy of Chrome running on my Win7 machine. I let the machine automatically update when it feels like it; the machine is currently running Chrome 45.0.2454.93
When I paste http: //a/%%30%30 into the address bar, I seem to get a web search for 30 30, with the first two hits being .30-30 Winchester - Wikipedia & 30/30 Poetry. I get the exact same behavior pasting into the search box. So it seems the current default behavior is to treat a malformed URL as a text search.
P.S. T
Re: (Score:2)
This starts to look like it's somewhere between browser and OS, rather than just in the browser. Or at least requires something from the OS to trigger the bug.
Re: (Score:2)
Didn't crash Chrome v. 35.0.1916.153 either. It did make it go to my home page, which happens to be about:blank.
SeaMonkey and PaleMoon just did "site not found".
I got the golden ticket (Score:5, Funny)
Mine just pulled up a website with Larry Page telling me I got the golden ticket and am invited to tour the Google Chocolate Factory with my uncle Joe.
Not another a300 crash (Score:3)
There's a very long record of a300 (== a%%30%30) crashes dating back to 1983. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
There's a very long record of a300 (== a%%30%30) crashes dating back to 1983. https://en.wikipedia.org/wiki/... [wikipedia.org]
Are you sure? I think a%%30%30 becomes a%300 (where the last % has been escaped and is to be taken as a literal %.)
Re:It's not just Chrome (Score:5, Funny)
It's 2015 and browsers are not properly sanitizing the URL bar?
That's why I'm waiting for the Lysol® browser... :-(
*Lysol® Browser does not sanitize the keyboard or mouse!
Re:It's not just Chrome (Score:5, Insightful)
You mean "It's 2015 and developers still introduce bugs"... and frankly... no fucking shit. Yes, coding is hard. Every time you change code (and I'm sure the URL bar parsing code changes pretty regularly) you stand a chance of introducing a bug.
Re:It's not just Chrome (Score:5, Insightful)
And this is one reason it is so insensible when highly skilled software developers get worried over this idea that everyone is going to get some programming background.
As soon as it hits the fan--and it will--they'll need someone to fix it. And in many cases it will happen over and over and over again, and push costs higher than just hiring someone to do it right to begin with.
I'm not worried.
Re:It's not just Chrome (Score:4, Funny)
Every time you change code... you stand a chance of introducing a bug.
Maybe the code doesn't want to change...
Malicious test case development, not just fuzzing (Score:2)
These days, there's enough spare CPU and virtual machines to throw around to do random-junk fuzzing, but decades ago when I was taking CS100, and we were being taught to never ever ever trust input and always check for corner cases and off-by-ones and other malformed input, we had to run most of our class programs against data sets that were designed to check whether we'd done everything correctly. Maybe your testers won't think of everything, but they ought to be putting as much effort into finding things
Re: (Score:3)
In order for a regression test to catch a bug, you need to have either 1) predicted that that bug might occur, and written a test for it, or 2) encountered the bug before and written a test for it.
You can't magically have tests that cover every possible scenario.
Re: (Score:2)
There are testing techniques that don't require you to test every possible scenario but, for lack of a simpler term, every independent code condition.
Good testing costs as much as development, if not even more. It also requires skilled testers, so not many companies can afford that. It is just easier if you pay somebody to do it for you, be it an offshore team or a bounty.
Re: (Score:3)
There are testing techniques that don't require you to test every possible scenario but, for lack of a simpler term, every independent code condition.
100% code coverage does not imply that you have 100% coverage of the possible outcomes, for example:
#include <assert.h>
/* stand-in for the poster's test framework assertion */
#define testFrameworkAssertTrue(cond) assert(cond)

int dereference(int *x) {
    return *x;
}

void testDereference(void) {
    int x = 5;
    /* pass the address: the function takes a pointer */
    testFrameworkAssertTrue(dereference(&x) == 5);
}
This test provides 100% code coverage, but the code will still have undefined behaviour in a whole lot of cases.
The number of people on the internet who think that testing is a substitute for proof and/or that
Re: (Score:3)
The number of people on the internet who think that testing is a substitute for proof and/or that it can magically eliminate all bugs is pretty terrifying.
True. Tests will tell you if something doesn't work, not if it does work.
Automated tests are overrated anyways, they are more like a spell-check than a writing aid. I'd rather have a roomful of nonchalant, untrained users and unleash them on my product than trust the outcome of a series of tests written by biased developers.
Re:It's not just Chrome (Score:5, Insightful)
True. Tests will tell you if something doesn't work, not if it does work. Automated tests are overrated anyways, they are more like a spell-check than a writing aid. I'd rather have a roomful of nonchalant, untrained users and unleash them on my product than trust the outcome of a series of tests written by biased developers.
I think you've fundamentally misunderstood the purpose and function of tests. If I realized this code would break in some corner case, I would have handled it. No developer would write code that fails his own tests. Granted, sometimes the process of writing tests aids your understanding, but in that case you'd improve the code. That is true even for test-driven design: if you don't fully understand all the conditions that need testing, the test will be flawed or incomplete, and the code too. The primary function is to prevent existing, working test cases from breaking by accident. Because let's face it, we're imperfect beings working on imperfect code, and I've managed to break my own code plenty of times without realizing it, not to speak of someone else's work. Or we're mashing up modules in a new way, using them in ways they were never meant to work; testing is also about verifying assumptions. Also, by "work" I mean defined behavior: if you divide by zero it's not supposed to work, but it's supposed to fail in a controlled way. Testing is supposed to preserve behavior when the implementation changes. If it was never planned and tested behavior in the first place, well, you're going to find out it changed the hard way.
Re: (Score:3)
I'm sorry, I was unable to read your entire paragraph because of my policy on giving up early on boring stuff but from the few sentences I've managed to handle it seems to me that you're the kind of biased developer whose tests I would trust less than a roomful of nonchalant, untrained users.
Automated tests are truly like spell-check. They are there to catch the easy stuff, not to prevent you from writing stupid things.
I'm fairly confident that people working on Chrome have all the bells and whistles in ter
Re: (Score:2)
Or have your customers/victims do your testing for you... Looking at YOU, Microsoft...
Re: (Score:2)
I strongly suspect this bug was introduced when they changed the code to support international characters in domain names. At that time, many of the old unit tests will have needed revision. Regression testing is great, but not effective when the required functionality is significantly changed. This is a bad bug, but not a criminal one. Good developers have been guilty of worse.
Re: (Score:2)
Every time you change code you stand a chance of introducing a bug.
That is why you do automated regression testing [wikipedia.org].
Re: (Score:2)
That is why you do automated regression testing [wikipedia.org].
You don't just "do automated regression testing". Someone has to actually write the regression tests.
Re: (Score:2)
Yes, coding is hard.
Good coding anyway. Bad coding is apparently pretty fucking easy.
Re: (Score:2)
No, coding is not hard. Testing is tedious and not sexy enough for hot shot coders who don't take pride in their work.
Re: (Score:2)
It's 2015 and browsers are not properly sanitizing the URL bar?
At launch, you could crash Chrome with just 2 characters in the URL bar, so this is progress!
That bug was along the lines of:
for (size_t i = 0; i < size; i++) { stuff }
Except size was computed as -1, and like i was unsigned, so it got ugly.
Re: (Score:2)
Both i and size were size_t (which is unsigned). The problem was in how size was computed - with the right 2-character string, it was computed as -1, and then that for loop changed the failure mode from a do-nothing bug to a keep-overwriting-memory-until-crash bug.
It's a fundamental security issue in the way the C++ STL containers are implemented, as they all use unsigned indexing, leading to this particular failure mode being somewhat common (and memory-overwrite bugs are an attacker's delight).
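A hypothetical reconstruction of the failure mode this comment describes, added here as an example and not Chrome's real code: an unsigned size that comes out as -1 is SIZE_MAX, so a `for (i = 0; i < size; i++)` loop only stops when it hits something it cannot write. The colon-position arithmetic, the 2-character input and the helper names are contrived assumptions for illustration; the block shows the wrap, a hard-capped loop, and the checked arithmetic that refuses the input instead of wrapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reconstruction (not Chrome's code): a size_t "size" that is
 * computed as -1 is SIZE_MAX, so `i < size` never becomes false on its own. */

#define NPOS ((size_t)-1)   /* same value as std::string::npos */

/* Position of the first ':' in s, or NPOS if absent (std::string::find style). */
size_t find_colon(const char *s) {
    const char *p = strchr(s, ':');
    return p ? (size_t)(p - s) : NPOS;
}

/* Naive length "one less than what precedes ':'". For "ab:" this is 1;
 * for the 2-character input ":x" it is (0 - 1), which wraps to SIZE_MAX;
 * with no colon at all it is NPOS - 1, still astronomically large. */
size_t naive_prefix_len(const char *s) {
    return find_colon(s) - 1;
}

/* The loop from the comment, fenced by a hard cap so it cannot run past the
 * end of dst. Returns how many iterations ran; hitting cap means size was
 * never sane. Without the cap, a wrapped size keeps writing until a crash. */
size_t bounded_fill(char *dst, size_t cap, size_t size) {
    size_t i;
    for (i = 0; i < size && i < cap; i++) dst[i] = 'x';
    return i;
}

/* Checked version: only subtract when the result cannot underflow.
 * Returns 1 and stores the length, or 0 (leaving *out untouched) on input
 * that has no colon or nothing before it. */
int checked_prefix_len(const char *s, size_t *out) {
    size_t pos = find_colon(s);
    if (pos == NPOS || pos < 1) return 0;
    *out = pos - 1;
    return 1;
}
```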
@Midnight (Score:3)
New @Midnight game:
Crash a Browser in 16 Characters
Re: @Midnight (Score:2)
Crash an Economy in 3 characters. FRN.
Meanwhile, At Google... (Score:2, Offtopic)
"That's ridiculous! No computer can handle 32 things!"
Chromium 45.0.2454.93 Crashes (Score:5, Informative)
Doesn't crash if the URL is passed as an argument. Just opens up about:blank (not default behavior).
4.1.6-1-ARCH x86_64 GNU/Linux
Not if it's old enough. (Score:2)
Apparently I've been neglecting Chrome on this old image for quite a long time. Chrome 21, Mac OS 10.6.8. No crash observed.
Re: (Score:3)
Chrome 26, Windows xp.
URL does not crash browser but hovering over link does crash tab.
Interesting (Score:3)
It seems it's the %%30%30 which causes that (this should be unescaped as "%300").
Re:Interesting (Score:4, Informative)
Actually, it should be unescaped to %00.
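The two decoding passes this subthread is arguing about, as an added example in C that is neither the article's nor any commenter's code: a hypothetical lenient percent-decoder (the behaviour of most URL libraries) turns "%%30%30" into "%00", because the first '%' is not followed by two hex digits and is copied through, and a second pass over "%00" yields a NUL byte; a strict variant shows the defensive alternative of rejecting malformed escapes and control bytes outright. The function names and buffer sizes are my own assumptions.

```c
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical lenient decoder (added example, not Chromium code): "%XX" becomes
 * one byte, a '%' not followed by two hex digits is copied through. Returns bytes written. */
size_t percent_decode(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval(in[i + 1])) >= 0
                         && (lo = hexval(in[i + 2])) >= 0) {
            out[n++] = (char)(hi * 16 + lo);
            i += 2;                 /* consume the two hex digits */
        } else {
            out[n++] = in[i];       /* bare '%' survives: "%%30%30" -> "%00" */
        }
    }
    out[n] = '\0';
    return n;
}

/* Strict variant for a defensive parser: reject a malformed escape and any decoded
 * byte below 0x20, so a NUL never reaches later string handling. -1 on rejection. */
long percent_decode_strict(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int v = (unsigned char)in[i];
        if (v == '%') {
            int hi = hexval(in[i + 1]);
            int lo = hi < 0 ? -1 : hexval(in[i + 2]);
            if (lo < 0) return -1;          /* malformed escape */
            v = hi * 16 + lo;
            if (v < 0x20) return -1;        /* control byte, including NUL */
            i += 2;
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = (char)v;
    }
    out[n] = '\0';
    return (long)n;
}
/* Decode twice, as two layers of a URL pipeline might, and report whether the
 * result holds a NUL before its own length, i.e. an embedded NUL byte. */
int double_decode_has_nul(const char *in) {
    char a[128], b[128];
    percent_decode(in, a, sizeof a);
    size_t n = percent_decode(a, b, sizeof b);
    return memchr(b, '\0', n) != NULL;
}
```

The same check on "%2500" (the form goo.gl rewrites the link to, further down the thread) also reports an embedded NUL after two passes.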
I give this a name (Score:2)
Inconsiderate fool! (Score:3, Funny)
I type //a/%%30%30 all the time! (It's the combination to my luggage)
Re: (Score:2)
I have the same password on my planet's air shield.
Not the URL bar, but the search page? (Score:3)
Okay, put //a/%%30%30 in the URL bar. Didn't crash anything.
Put it in the search box on the default search page and it puked immediately.
45.0.2454.93
I'll bet it's Omnibox (Score:2)
Google calls the URL bar "Omnibox", and it will search Google as soon as you start typing in it. I would suspect this is causing the problem, since a regular (non-Omni) URL bar is a very simple thing.
I went to Settings to disable Omnibox and test my theory. Unfortunately there seems to be no way to disable the Omnibox in Chrome.
Fine here, more-or-less (Score:2)
Chrome Version 43.0.2357.134 on Linux, just gets me a blank page.
Tried it on Internet Explorer (Score:5, Funny)
I tried it on Internet Explorer and not only did the browser crash, it billed me for $299.95. Also, every site I browse now appears to be Russian porn.
Re: (Score:2)
every site I browse now appears to be Russian porn.
Which apparently includes Slashdot. Is there some Slashdot section I don't know about?
Re: (Score:2)
every site I browse now appears to be Russian porn.
Which apparently includes Slashdot. Is there some Slashdot section I don't know about?
What, you've never seen the "Your Porn Online" section?
Re: (Score:2)
What, you've never seen the "Your Porn Online" section?
Does it feature Bennett Haselton and CowboyNeal? :)~
Re: (Score:2)
Which apparently includes Slashdot. Is there some Slashdot section I don't know about?
Absolutely, the porn section is the only reason I come here. You didn't think I came here for the articles, did you?
Re: (Score:2)
Also, every site I browse now appears to be Russian porn.
Oh please tell me how to do this!
re (Score:2)
NO crash with the current chromium on the current opensuse
the website "a/%" followed by two zeros is just a bad url and it tossed
Chromium 44 = no crash (Score:2)
Chromium Version 44.0.2403.89, Ubuntu 15.04. Changes "http://a/%%30%30" to "chrome://chrome/" and no apparent ill effects, including no crash. There is a reason why it is a good idea to let the Debian/Ubuntu devs do your QA for you.
Re: (Score:2)
"Safari can't open the page "a/%25%30%30" because Safari can't find the server "a". "
So it translates % to %25, then %30 to %30 and %30 to %30. Interesting.
Re: (Score:2)
You do know that Sid is officially unstable, I hope? Sid _is_ the QA.
Gee, I tried a 16-character URL and it worked fine (Score:4, Informative)
Typing in a 16-character link and hitting enter, clicking on a 16-character link, or even just putting your cursor over a 16-character link, will crash Google's browser.
Gee, I typed in http://sonic.com [sonic.com] and hit Enter, and it worked Just Fine.
Perhaps they meant to say "Typing in a particular 16-character link, clicking on a particular 16-character link, or even just putting your cursor over a particular 16-character link, will crash Google's browser."
Incognito Mode (Score:3)
Copying and pasting the URL into incognito mode will crash all Chrome processes, not just the new window. Interesting.
One upper (Score:2)
webfonts (Score:2)
Not disabling webfonts using the "--disable-remote-fonts" commandline parameter with Chrome under Windows XP will get you random Chrome crashes and even BSODs while visiting Google sites like Youtube.
Seems like an old win32k.sys vulnerability that was supposedly patched in 2009.
What a buggy thing (Score:2)
"Look ma, I've put the chrome in the dishwasher and now it won't facebook, what a piece of crap"
Yes it does crash Chrome .. (Score:2)
Nothing happens. (Score:2)
I use Chromium 34.0.1847.137 and ... nothing happens when I copy/paste that URL (yes, I deleted that space).
No Crash. No nothing.
So I guess Google added something to their Chrome that breaks stuff.
Facebook URL Sharing... (Score:2)
Re: (Score:3)
To try it yourself, fire up Chrome 45 (the latest stable version) or older [...]
Re: (Score:2)
Did not crash. Just went back to about:blank
Re: (Score:2)
Chrome 44 isn't older than Chrome 45?
Re:Didn't crash... (Score:5, Funny)
Sure... the older something is, the higher its age... so Chrome 44 is younger than Chrome 45.
Re: (Score:2)
If that was German, I'd have a tasteless and really bad joke now. But this being English, the pun on younger/disciple is lost.
Re: (Score:2)
Come on, spit it out.
Re: (Score:2)
Raises the question. Please.
Re: (Score:2)
Regrettably, it will ultimately mean what people mean it to mean.
Re: (Score:2)
beggars opera
(Opera 32.0.1948.25 on Arch Linux succeeds in crashing and restarting)
Re: (Score:2)
Broken link.
Re: (Score:2)
It's not broken, it's just dumb.
curl -vL http://goo.gl/5WtI0B [goo.gl]
* Ignoring the response-body
* Connection #0 to host goo.gl left intact
* Issue another request to this URL: 'http://a/%2500'
* Could not resolve host: a
* Closing connection 1
curl: (6) Could not resolve host: a
But I couldn't get http://a/%2500 [a] to break any of my browsers, so not sure what to do with that.
Re: (Score:2)
Oh, I guess goo.gl is probably sanitizing the escape sequence to %2500 , bit.ly does the same thing.
tinyurl.com does not... however it does appear to try to grab the source URL first, so http://tinyurl.com/qekdsr9 [tinyurl.com] just kinda spins forever.
http://preview.tinyurl.com/qek... [tinyurl.com] leads to another page with a link to http://a/%%30%30 , which will crash Chrome if you bother to scroll down and mouseover it.
As some people have sorta mentioned, the mouseover seems to just crash one tab, but actually manually typing it
Re: (Score:2)
I'm sure it took a lot of late nights to make it that fragile.
Re: (Score:2)
Rust cannot fix stupidity. It can add to it though, and from what I have seen of it, it does.
Re: (Score:2)
All demented fanatics ignore valid criticism.
Re: (Score:2)
Teh google used to be #1 on every new grad's hope list. Now #2 and trending down. See, no company can piss all over its public image, disrespect users and flip the finger to the volunteer development community entirely with impunity, not even teh google.
Re: (Score:3)
...just rewrites the url.
... to something more politically correct, no doubt.
Re: (Score:3)
If you consider http://www./ [www.] a.com/ politically correct... just some legacy code that rewrites unknown URLs to some of the more common TLDs (.com, .org, etc.) in an attempt to find a valid URL that matches. Actually a really crappy thing to do, as you can use domains of common base folder names like images.com to pick up traffic from incorrect links, so //images/whatever.jpg becomes images.com/whatever.jpg... anyone who clicks that link will end up on the wrong site. It has some great potential for some casua
Re: (Score:2)
Not exactly a common web domain... cgi.com, www.com, images.com, etc. those are fairly common. account.com would have been a great one for phishing.
Re: (Score:2)
Edge doesn't do anything. It's like you didn't even write anything.
Re: (Score:2)
Well, considering the age of the show...