Closed Bug 503601 Opened 15 years ago Closed 15 years ago

nsSVGLength missed in fix for bug 393832

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 501311

People

(Reporter: dveditz, Assigned: longsonr)

References

Details

+++ This bug was initially created as a clone of Bug #393832 +++
"svg circle with infinite radius causes hang"

The fix for bug 393832 fixed nsSVGLength2 but missed the same issue in nsSVGLength -- not sure it could DoS in the same way but it's the same pattern. Credit to Craig Topper for noticing (bug 393832 comment 7)





<circle cx="100" cy="100" r="200E200" /> 
causes
_cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=3.1415926535897931, 

this is kind of dos

(gdb) bt
#0  0xb74c3bd6 in sin () from /lib/i686/libm.so.6
#1  0xb6223915 in _arc_error_normalized (angle=1.6922030997455189e-07)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:64
#2  0xb6223a21 in _arc_max_angle_for_tolerance_normalized (tolerance=0)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:99
#3  0xb6223aa7 in _arc_segments_needed (angle=3.1415926535897931, radius=inf, 
    ctm=0xbf9c5620, tolerance=0.10000000000000001)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:117
#4  0xb6223dca in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=3.1415926535897931, 
    dir=CAIRO_DIRECTION_FORWARD)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:214
#5  0xb6223ce2 in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=6.2831853071795862, 
    dir=CAIRO_DIRECTION_FORWARD)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:192
#6  0xb6223ec3 in _cairo_arc_path (cr=0x8e3a560, xc=100, yc=100, radius=inf, 
    angle1=0, angle2=6.2831853071795862)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:256
#7  0xb6221e81 in _moz_cairo_arc (cr=0x8e3a560, xc=100, yc=100, radius=inf, 
    angle1=0, angle2=6.2831853071795862)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo.c:1578
#8  0xb61ff54c in gfxContext::Arc (this=0xbf9c5974, center=@0xbf9c58b0,
(gdb) next
_arc_max_angle_for_tolerance_normalized (tolerance=0)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:100
100         } while (error > tolerance);
(gdb) p error
$1 = 4.246402931726046e-46
(gdb) p tolerance
$2 = 0
(gdb)
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Please ignore the stack info above, it's from bug 393832 and was scrolled out of view when I cloned the bug.
Keywords: hang, regression, testcasetestcase-wanted
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
You need to log in before you can comment on or make changes to this bug.