Closed Bug 1105796 Opened 11 years ago Closed 11 years ago

Billion laughs in SVG displaying (possible OOM?)

Categories

(Core :: SVG, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 455100

People

(Reporter: manishearth, Unassigned)

Attachments

(2 files)

http://en.wikipedia.org/wiki/Billion_laughs

SVGs are parsed as XMLs, which are susceptible to vulnerabilities related to entities. Nesting of these entities can cause a denial of service type attack.

Firefox, when opening an SVG with nested entities, locks up completely. There is no way to recover, aside from exiting (it also takes up a humongous amount of memory -- the file I've attached took up 4 gig before I killed it -- which means that this ought to cause an OOM on slower computers -- perhaps can be escalated to a buffer overflow or something).

Chrome shows a nice "error on line 16 at column 26: Detected an entity reference loop" error when it gets such a file, and pretty much immediately. Perhaps we should use the same heuristics to detect it?

[Note: this applies to opening the SVG file as well as fetching it via XHR]
Attached file Plaintext version
DOS/OOM loop, not exploitable so doesn't need to remain private.
Group: core-security
Component: Security → SVG
Product: Firefox → Core
Surprisingly enough, the same OOM doesn't occur for XML feeds being viewed in Firefox -- they show an error similar to Chrome.
Is this the same as bug 455100?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
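
The behaviour the report asks for (rejecting the file at once instead of expanding it) can be approximated by computing how large each declared entity would become before any expansion happens. This is an added example, not code from Firefox, Chrome or the bug's attachments; the function name, limits and sample documents are constructed for illustration, and only general internal entities are handled.

```python
import re

# General internal entity declarations only; parameter and external entities are out of scope.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.-]+);')

class EntityLimitError(ValueError):
    """Raised when declared entities loop or would expand past the limit."""

def expanded_sizes(doc, limit=1_000_000, max_depth=64):
    """Return {entity name: expanded length}, computed by arithmetic, never by expanding."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(doc):
        decls.setdefault(name, value)  # XML: the first declaration of a name wins
    sizes, in_progress = {}, []

    def size(name):
        if name not in decls:
            return 1  # predefined (&lt; etc.) or undeclared: left to the real parser
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise EntityLimitError(f"entity reference loop at &{name};")
        if len(in_progress) >= max_depth:
            raise EntityLimitError(f"entity nesting deeper than {max_depth}")
        in_progress.append(name)
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters in the value
        for ref in ENTITY_REF.findall(value):
            total += size(ref)  # memoised, so cost is linear in the declarations
            if total > limit:
                raise EntityLimitError(f"&{name}; expands past {limit} characters")
        in_progress.pop()
        sizes[name] = total
        return total

    for name in decls:
        size(name)
    return sizes

# Constructed samples: three small levels show the multiplication; LOOP is self-referential.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY a "ha">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&c;</text></svg>"""
LOOP = '<!DOCTYPE svg [<!ENTITY x "&y;"><!ENTITY y "&x;">]><svg>&x;</svg>'
```

Because sizes are memoised and summed rather than materialised, the check costs time proportional to the size of the declarations, however large the expansion would be.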