CSS color-mix() unbounded recursion causes content process stack overflow
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
People
(Reporter: nohsecbug, Unassigned)
Details
(Keywords: ai-involved, reporter-external, Whiteboard: [client-bounty-form])
Attachments
(1 file)
|
2.38 KB,
text/html
|
Details |
Description
Deeply nested color-mix() CSS expressions crash the content process via stack overflow. No user interaction required — visiting a page with the malicious CSS is sufficient.
Steps to reproduce:
- Save attached
poc.htmlto disk - Open in Firefox:
firefox --no-remote poc.html - Tab crashes: "Gah. Your tab just crashed."
ASan output (mozilla-central, macOS 26.3, aarch64):
==67075==ERROR: AddressSanitizer: stack-overflow on address 0x00016cf5bff8
#0 cssparser::tokenizer::Tokenizer::next_byte
#1 style::values::specified::color::Color::parse_internal
#2 cssparser::parser::Parser::parse_nested_block
#3 style::values::generics::color::GenericColorMix::parse
#4 style::values::specified::color::Color::parse_internal
... (cycle repeats 100+ times)
SUMMARY: AddressSanitizer: stack-overflow
Root cause: Color::parse_internal() in servo/components/style/values/specified/color.rs dispatches to GenericColorMix::parse() in servo/components/style/values/generics/color.rs, which calls back into Color::parse_internal() for each color argument. No depth limit exists. Input like color-mix(in srgb, color-mix(in srgb, ..., blue), blue) recurses until stack exhaustion.
Suggested fix: Add a depth counter to Color::parse_internal() with a limit of 32. This also fixes light-dark() recursion (same entry point).
Severity: sec-high — reliable zero-click content process crash. All Firefox versions with color-mix() support (111+), all platforms.
URL
(n/a — local HTML file)
|
||
Updated•2 months ago
|
|
||
Comment 1•2 months ago
|
||
I don't crash on macos
|
|
||
Updated•2 months ago
|
Description
•