Bug 360645 (Closed)
Opened 18 years ago
Closed 18 years ago
Firefox 2.0 SVG "_cairo_pen_init" Heap Overflow
Categories: Core :: SVG, defect
Status: RESOLVED FIXED
People: Reporter: tommy, Assigned: vlad
Details: Keywords: regression, verified1.8.1.2; Whiteboard: [sg:critical?] 1.8.1(x)-only
Attachments (2 files)
197 bytes, image/svg+xml
1.07 KB, patch (tor: review+; jay: approval1.8.1.2+)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a1) Gecko/20061113 Minefield/3.0a1
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a1) Gecko/20061113 Minefield/3.0a1

Firefox 2.0 SVG "_cairo_pen_init" Heap Overflow

Versions Affected: Firefox 2.0
Platforms Affected: Apple Mac OSX 10.4 and prior, Windows XP, Linux

Overview:
When processing a specially crafted .svg file, this will cause firefox to crash. This allows for an attacker to cause firefox to crash, and/or to execute arbitrary code (probably a tough one) on a targeted host.

Technical Details:
The following SVG code will reproduce this issue:

    <clipPath stroke-width="2000000000000000" color="1" >
        <line>
        </line>
    </clipPath>

Below is the crash when running firefox within gdb on OSX 10.4.7:

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x45b4f010
    0x007d62c5 in _cairo_pen_init ()
    (gdb) bt
    #0  0x007d62c5 in _cairo_pen_init ()
    #1  0x00712635 in _cairo_gstate_stroke_extents ()
    #2  0x0050e219 in cairo_stroke_extents ()
    #3  0x004f30b0 in nsSVGCairoPathGeometry::GetCoveredRegion ()
    #4  0x004f324d in nsSVGCairoPathGeometry::Update ()
    #5  0x007ae1bc in nsSVGPathGeometryFrame::UpdateGraphic ()
    #6  0x007ae3f2 in nsSVGPathGeometryFrame::NotifyRedrawUnsuspended ()
    #7  0x006529ab in nsSVGDefsFrame::NotifyRedrawUnsuspended ()
    #8  0x0069abee in nsSVGOuterSVGFrame::UnsuspendRedraw ()
    #9  0x0069b121 in nsSVGOuterSVGFrame::DidReflow ()
    #10 0x0063f84f in CanvasFrame::Reflow ()
    #11 0x0044a58c in nsContainerFrame::ReflowChild ()
    #12 0x00680234 in nsHTMLScrollFrame::ReflowScrolledFrame ()
    #13 0x0068040a in nsHTMLScrollFrame::ReflowContents ()
    #14 0x006820fe in nsHTMLScrollFrame::Reflow ()
    -- snip --

Reproducible: Always
Reporter
Comment 1•18 years ago
Updated•18 years ago
Component: File Handling → SVG
Product: Firefox → Core
Version: unspecified → 1.0 Branch
Comment 2•18 years ago
Tom, we should start out these SVG bugs with assignment to product=core component=svg user agent shows trunk. is this trunk and firefox 2.0? thanks
Reporter
Comment 3•18 years ago
(In reply to comment #2)
> Tom, we should start out these SVG bugs with assignment to product=core
> component=svg
>
> user agent shows trunk. is this trunk and firefox 2.0?
>
> thanks

Hi Chris,

When I initially filed the bug, I wasn't able to select Core/SVG. Also, this affects 2.0 and not 3.0. Sorry for the user agent confusion.
Comment 4•18 years ago
FF 1.5.0.8 does not crash (on windows). FF2 and 2.0.0.1 do.
Assignee: nobody → vladimir
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.1.2+
Keywords: regression
Whiteboard: [sg:critical?] 1.8.1-only
Version: 1.0 Branch → 1.8 Branch
Comment 5•18 years ago
TB27170889 (FF2.0)
TB27171253 (FF2.0.0.1 rc1)
Same stacks as comment 0.
Whiteboard: [sg:critical?] 1.8.1-only → [sg:critical?] 1.8.1(x)-only
Assignee
Comment 6•18 years ago
Easiest way to fix this is to clamp the final pen stroke width; do any SVG folks have an idea of an appropriate value?
Comment 7•18 years ago
(In reply to comment #6)
> Easiest way to fix this is to clamp the final pen stroke width; do any SVG
> folks have an idea of an appropriate value?

Without reference to the SVG specification or anything, I would guess that as soon as the stroke width is more than 2 (or 10 or whatever) times the window size or so that there can't be anything all that useful being displayed anymore.
Reporter
Comment 8•18 years ago
yeah, I think that 5 times the window size is sufficient.
Updated•18 years ago
Whiteboard: [sg:critical?] 1.8.1(x)-only → [sg:critical?] 1.8.1(x)-only; need patch
Comment 9•18 years ago
Vlad: Could you whip up a patch with the recommended value from Tom? If not, please find a new owner (maybe tor can help?)
Assignee
Comment 10•18 years ago
The problem is that we have no way of getting the window size from anywhere near that code; tor would probably be a better owner for this, if it needs to be fixed at a higher level than that. I was thinking of clamping to some hardcoded value like 8192 (which, really, will be greater than 5* most people's window sizes).
Assignee
Comment 11•18 years ago
This fixes the problem; I don't /think/ it will cause any other svg problems -- I clamp to 64k vertices for the pen, which should be more than enough for most sane uses.
Attachment #251677 -
Flags: review?(tor)
Attachment #251677 -
Flags: review?(tor) → review+
Assignee
Comment 12•18 years ago
Comment on attachment 251677
clamp the num_vertices to a sane value

Low impact, shouldn't break anything.
Attachment #251677 -
Flags: approval1.8.1.2?
Comment 13•18 years ago
Comment on attachment 251677
clamp the num_vertices to a sane value

Approved for 1.8 branch, a=jay for drivers.
Attachment #251677 -
Flags: approval1.8.1.2? → approval1.8.1.2+
Assignee
Comment 14•18 years ago
Checked in to 1.8 branch.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] 1.8.1(x)-only; need patch → [sg:critical?] 1.8.1(x)-only; fixed1.8.1
Assignee
Updated•18 years ago
Whiteboard: [sg:critical?] 1.8.1(x)-only; fixed1.8.1 → [sg:critical?] 1.8.1(x)-only; fixed1.8.1.2
Updated•18 years ago
Keywords: fixed1.8.1.2
Whiteboard: [sg:critical?] 1.8.1(x)-only; fixed1.8.1.2 → [sg:critical?] 1.8.1(x)-only
Comment 15•18 years ago
Using provided testcase, confirmed existence of bug on 2.0.0.1.
Verified fixed for 2.0.0.2pre - testcase runs and does not crash.
Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2pre) Gecko/2007013007 BonEcho/2.0.0.2pre
Keywords: fixed1.8.1.2 → verified1.8.1.2
Updated•17 years ago
Group: security
Comment 19•17 years ago
Filed bug 372193 on the new issue noted in comment 16-18
Comment 20•17 years ago
Don't know where I got that bug number. It's really bug 372285