Bug 183986 - Width wraps to negative value using CSS
Status: RESOLVED DUPLICATE of bug 265084 (Closed)
Opened 22 years ago; Closed 13 years ago
Categories: Core :: CSS Parsing and Computation, defect
People: Reporter: security-bugs, Assigned: dbaron
Whiteboard: [sg:want]
Attachments (1 file): 350 bytes, text/html
Description • 22 years ago

From Georgi, potential security problem:

Attached file css2.html uses width: 1073741952px; which wraps to a negative value, and the console gives the following:
-----------
###!!! ASSERTION: Negative Width Input - very bad: 'mComputedWidth>=0', file nsHTMLReflowState.cpp, line 2729
Break: at file nsHTMLReflowState.cpp, line 2729
-------------
Probably this is not exploitable, but negative values can lead to problems. Probably large values with CSS may lead to problems in the future.

Comment 1 (Reporter) • 22 years ago
Comment 2 • 22 years ago

cc'ing layout people for threat prognosis. Seems just like an innocent bug to me though.
Comment 3 • 22 years ago

cc'ing some mozilla regulars who watch the people I cc'ed last time.
Comment 4 • 22 years ago

Another strange behavior is the following:
----------
<style type="text/css">
img {
  position: relative;
  border: thick solid;
  color: red;
  width: 65535px;
  height: 65535px;
}
</style>
Large css values. Check the console.
<img src="poweredby.png">
----------
mozilla displays large scrollbars, the image is not shown, the console gave strange things. Sometimes after several reloads, the content area displays garbage. I may be wrong, but an image with size 65535x65535 cannot be handled correctly on 32 bit x86. The same test on konqueror shows a very small image with borders but no scrollbars. Also mozilla does not seem to consume so much memory in this case, which kind of surprises me.
Comment 5 (Assignee) • 22 years ago

What's the security risk of bugs like this? Incorrect handling of memory allocation failures? If so, then security problems are extremely unlikely in core layout, but possible in image handling.
Comment 6 • 22 years ago

Not only memory allocation. Another problem may be passing negative values to memcpy() and such. The apache chunked bug turned exploitable on at least windoze and *bsd.
Comment 7 (Assignee) • 22 years ago

But all the problems relate to using the numbers that wrap as sizes of things in memory (whether allocations, parameters to memcpy, etc.)? So if we never use widths as sizes we're OK?
Comment 8 (Reporter) • 22 years ago

How hard would this be to fix? If it's straightforward, it's probably better to fix it first, analyze the risk later.
Comment 9 (Reporter) • 21 years ago

Let's try to get this fixed by 1.4 final, just to be safe.
Comment 10 (Assignee) • 21 years ago

Not unless somebody can give me a definition of fixed such that there is reason to believe that there may be a security problem that is more likely to be fixed with the assertion gone than with the assertion present.
Comment 11 (Reporter) • 21 years ago

dbaron, you know better than I do. If you think there's no security problem here, please uncheck the Security-Sensitive flag.
Comment 12 • 21 years ago

dbaron, can you take one last look at this and if you don't see the security problem then let's take the security closed status off.
Updated (Assignee) • 17 years ago

QA Contact: ian → style-system
Comment 13 • 17 years ago

Sounds like sg:low or no security problem here. Updating whiteboard.

Whiteboard: sg:low
Updated • 17 years ago

Whiteboard: sg:low → [sg:low]
Comment 14 • 13 years ago

Will be fixed by bug 575011 or bug 265084, or by using the "saturating arithmetic" functions such as NSCoordSaturatingAdd in more places.

Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:low] → [sg:want]
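The "saturating arithmetic" that comment 14 names (NSCoordSaturatingAdd) is the mitigation direction for the wrap in the description. The following is an added example, not Gecko's code, that models it in C against the width from the report: the nscoord typedef, the NSCOORD_MAX sentinel, the 64-bit scale helper and the "width added to itself" operation are assumptions made for illustration, not taken from the bug.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not Gecko code): nscoord modelled as a 32-bit signed layout
 * coordinate; the sentinel is an assumption standing in for "as large as possible". */
typedef int32_t nscoord;
#define NSCOORD_MAX INT32_MAX
#define NSCOORD_MIN INT32_MIN

/* Plain two's-complement addition: the sum silently wraps past INT32_MAX.
 * Done in unsigned space so the wrap is well-defined C rather than UB. */
static nscoord wrapping_add(nscoord a, nscoord b) {
    return (nscoord)((uint32_t)a + (uint32_t)b);
}

/* Saturating addition: clamp at the limits instead of wrapping. */
static nscoord saturating_add(nscoord a, nscoord b) {
    if (b > 0 && a > NSCOORD_MAX - b) return NSCOORD_MAX;
    if (b < 0 && a < NSCOORD_MIN - b) return NSCOORD_MIN;
    return a + b;
}

/* Saturating scale (e.g. CSS px -> internal units): widen to 64 bits, then clamp. */
static nscoord saturating_scale(nscoord a, int32_t factor) {
    int64_t r = (int64_t)a * (int64_t)factor;
    if (r > NSCOORD_MAX) return NSCOORD_MAX;
    if (r < NSCOORD_MIN) return NSCOORD_MIN;
    return (nscoord)r;
}

/* The invariant the reflow assertion in the description checks: a computed
 * width must never be negative. */
static int computed_width_is_sane(nscoord w) { return w >= 0; }

int main(void) {
    const nscoord width = 1073741952;              /* the px value from css2.html */
    nscoord wrapped = wrapping_add(width, width);  /* constructed: width used twice */
    nscoord clamped = saturating_add(width, width);
    printf("wrapping:   %d  sane=%d\n", wrapped, computed_width_is_sane(wrapped));
    printf("saturating: %d  sane=%d\n", clamped, computed_width_is_sane(clamped));
    return 0;
}
```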