Circular reference in 'clipPath' crashes browser instantly

Status: RESOLVED FIXED
Product: Core
Component: SVG
Severity: critical
Version: Trunk
Keywords: crash, testcase

People

(Reporter: Doug Schepers, Assigned: tor)

Tracking

Bug Flags:
wanted1.8.1.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse dos], URL)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

If you place a reference to a 'clipPath' element on a child node of that same 'clipPath' element, and reference it externally as well, the browser instantly crashes. This has the same effect in ASV3.03, as well.

Example:
<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>

   <clipPath id='clipPath_0'>
      <rect x='10' y='10' width='25' height='25' rx='5' ry='5' fill='none' clip-path='url(#clipPath_0)'/>
   </clipPath>

   <rect x='5' y='5' width='35' height='35' fill='red' clip-path='url(#clipPath_0)'/>

</svg>

Reproducible: Always

Steps to Reproduce:
1. Create a file with a circular clipPath reference
2. Make sure you don't mind the browser crashing, and load that file
3. File a bug

Actual Results:  
Browser crashes instantly.

Expected Results:  
Browser should either ignore circular references and show the clipPath on the external element, or not display the file and give a warning to the user.

I'm not sure this qualifies as a security problem, but since it is such a dramatic effect, and since I provide a test case that could be exploited, I am going to file this as confidential until someone takes a look at it.
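The crash described above comes from a resolver that follows clip-path references without remembering which clipPath elements it is already inside. The following is an added example (not the reporter's code and not Gecko's fix): a reference walker that keeps the set of clipPath ids currently being resolved and stops, reporting the loop, when a reference points back into that set. The SVG strings are constructed here; the first mirrors the reporter's test case, the second is a legitimate chain of two distinct clipPaths, and the ids and function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")
# Constructed copy of the reporter's test case: clipPath_0's child refers back to clipPath_0.
CIRCULAR_SVG = """<svg xmlns='http://www.w3.org/2000/svg'>
  <clipPath id='clipPath_0'>
    <rect x='10' y='10' width='25' height='25' clip-path='url(#clipPath_0)'/>
  </clipPath>
  <rect id='target' x='5' y='5' width='35' height='35' fill='red' clip-path='url(#clipPath_0)'/>
</svg>"""
# Constructed non-circular variant: a chain through two distinct clipPaths is legitimate.
CHAINED_SVG = """<svg xmlns='http://www.w3.org/2000/svg'>
  <clipPath id='a'><rect width='10' height='10' clip-path='url(#b)'/></clipPath>
  <clipPath id='b'><circle r='5'/></clipPath>
  <rect id='target' width='20' height='20' clip-path='url(#a)'/>
</svg>"""

def clip_ref(elem):
    """Id named by an element's clip-path='url(#id)' attribute, or None if absent."""
    m = URL_REF.fullmatch((elem.get("clip-path") or "").strip())
    return m.group(1) if m else None

def check_clip_chain(clips, elem, active=None):
    """Follow clip-path references from elem through the referenced clipPath and its children.
    Returns (ok, path): ok is False when a reference hits a clipPath still being resolved."""
    active = set() if active is None else active
    ref = clip_ref(elem)
    if ref is None:
        return True, []
    if ref in active:
        return False, [ref]                 # loop: an unguarded resolver would recurse forever here
    clip = clips.get(ref)
    if clip is None:
        return True, [ref]                  # dangling reference: nothing to clip with, not a loop
    active.add(ref)
    for node in clip.iter():                # the clipPath element itself and every descendant
        ok, path = check_clip_chain(clips, node, active)
        if not ok:
            return False, [ref, *path]
    active.discard(ref)
    return True, [ref]

def resolve_clip(svg_text, element_id):
    """Parse svg_text and check the clip-path chain of the element with the given id."""
    root = ET.fromstring(svg_text)
    clips = {e.get("id"): e for e in root.iter(f"{SVG_NS}clipPath")}
    target = next(e for e in root.iter() if e.get("id") == element_id)
    return check_clip_chain(clips, target)
```

On the circular document the walker returns the loop path instead of recursing, which is the point at which a renderer can warn and skip the clip as the landed fix does; the chained document resolves normally.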
(Reporter)

Comment 1

12 years ago
In the SVG 1.1 Spec, section 14.3.5 (Establishing a new clipping path), it says:

"The 'clipPath' element itself and its child elements do not inherit clipping paths from the ancestors of the 'clipPath' element."

So, I don't think the document is in error, but the internal clipPath reference should not be applied.

[1] http://www.w3.org/TR/SVG/masking.html#ClippingPathsEstablishingANewClippingPath

Comment 2

12 years ago
Confirmed with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060115 Firefox/1.6a1.

The crash is due to infinite recursion, so it's not a security hole.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
OS: Windows XP → All
Hardware: PC → All
(Reporter)

Comment 3

12 years ago
Eric Seidel (IRC MacDome) just tested this and found it to be implemented correctly in Safari. He has filed a testcase:

http://trac.webkit.org/dev/browser/trunk/LayoutTests/svg/custom/recursive-clippath.svg
http://trac.webkit.org/dev/browser/trunk/LayoutTests/svg/custom/recursive-clippath.svg?format=txt
(Assignee)

Updated

12 years ago
Group: security
Since this now has a public testcase and it's not exploitable I'm clearing the confidential flag to get more visibility on the problem.
(Assignee)

Comment 5

12 years ago
Created attachment 211276 [details] [diff] [review]
clip loop testing
Assignee: general → tor
Status: NEW → ASSIGNED
Attachment #211276 - Flags: review?(scootermorris)
(Assignee)

Comment 6

12 years ago
Created attachment 211286 [details] [diff] [review]
warn on loop, fix return for hit test
Attachment #211276 - Attachment is obsolete: true
Attachment #211286 - Flags: review?(scootermorris)
Attachment #211276 - Flags: review?(scootermorris)

Updated

12 years ago
Attachment #211286 - Flags: review?(scootermorris) → review+
(Assignee)

Comment 7

12 years ago
Checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Group: security
Is this crash fix worth taking on the 1.8 branch?
Flags: wanted1.8.1.x?
Whiteboard: [sg:dos] → [sg:nse dos]
It's already on the 1.8.1 branch. See bug 339220 comment 14.
Flags: wanted1.8.1.x? → wanted1.8.1.x+

Comment 10

9 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/b3f664bf4b20
Flags: in-testsuite+