Closed Bug 323704 Opened 20 years ago Closed 20 years ago

Circular reference in 'clipPath' crashes browser instantly

Categories

(Core :: SVG, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: doug, Assigned: tor)

References

()

Details

(Keywords: crash, testcase, Whiteboard: [sg:nse dos])

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

If you place a reference to a 'clipPath' element to a child node of that same 'clipPath' element, and reference it externally as well, the browser instantly crashes. This has the same effect in ASV3.03, as well.

Example:
<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>
  <clipPath id='clipPath_0'>
    <rect x='10' y='10' width='25' height='25' rx='5' ry='5' fill='none' clip-path='url(#clipPath_0)'/>
  </clipPath>
  <rect x='5' y='5' width='35' height='35' fill='red' clip-path='url(#clipPath_0)'/>
</svg>

Reproducible: Always

Steps to Reproduce:
1. Create a file with a circular clipPath reference
2. Make sure you don't mind the browser crashing, and load that file
3. File a bug

Actual Results:
Browser crashes instantly.

Expected Results:
Browser should either ignore circular references and show the clipPath on the external element, or not display the file and give a warning to the user.

I'm not sure this qualifies as a security problem, but since it is such a dramatic effect, and since I provide a test case that could be exploited, I am going to file this as confidential until someone takes a look at it.
In the SVG 1.1 Spec, section 14.3.5 (Establishing a new clipping path), it says: "The 'clipPath' element itself and its child elements do not inherit clipping paths from the ancestors of the 'clipPath' element." So, I don't think the document is in error, but the internal clipPath reference should not be applied. [1] http://www.w3.org/TR/SVG/masking.html#ClippingPathsEstablishingANewClippingPath
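As an added example (not code from this bug or from Mozilla's fix), the kind of loop check the spec reading above calls for: it parses an SVG document, builds the dependency graph between clipPath elements (A depends on B when A itself or any descendant of A applies clip-path='url(#B)'), and reports every reference cycle with a depth-first search, so a renderer or an SVG-sanitizing pipeline can reject the file instead of recursing. Function and constant names are this example's own; the first constructed input is the reporter's testcase, the second a two-step loop.

```python
import re
import xml.etree.ElementTree as ET
SVG_NS = "{http://www.w3.org/2000/svg}"
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")

def build_clip_graph(svg_text):
    """Map each clipPath id to the clipPath ids it depends on: A depends on B
    when A itself or any descendant of A carries clip-path='url(#B)'."""
    graph = {}
    for cp in ET.fromstring(svg_text).iter(SVG_NS + "clipPath"):
        cid = cp.get("id")
        if cid is None:
            continue
        deps = set()
        for node in cp.iter():            # iter() includes cp itself
            m = URL_REF.match((node.get("clip-path") or "").strip())
            if m:
                deps.add(m.group(1))
        graph[cid] = deps
    return graph

def find_clip_cycles(svg_text):
    """Return every reference cycle among clipPath elements as a list of id
    paths; a self-reference comes back as ['x', 'x']. Empty list means safe."""
    graph = build_clip_graph(svg_text)
    cycles, state = [], {}                # state: id -> 'visiting' or 'done'
    def dfs(node, path):
        state[node] = "visiting"
        path.append(node)
        for nxt in sorted(graph[node]):
            if nxt not in graph:          # dangling url(#id): nothing to recurse into
                continue
            if state.get(nxt) == "visiting":
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in state:
                dfs(nxt, path)
        path.pop()
        state[node] = "done"
    for cid in sorted(graph):
        if cid not in state:
            dfs(cid, [])
    return cycles

# Constructed input: the self-referencing clipPath from the bug report.
CIRCULAR_SVG = """<svg xmlns='http://www.w3.org/2000/svg'><clipPath id='clipPath_0'>
<rect x='10' y='10' width='25' height='25' fill='none' clip-path='url(#clipPath_0)'/>
</clipPath><rect x='5' y='5' width='35' height='35' fill='red' clip-path='url(#clipPath_0)'/></svg>"""
# Constructed input: a two-step loop a -> b -> a beside an unrelated, acyclic c.
TWO_STEP_SVG = """<svg xmlns='http://www.w3.org/2000/svg'><clipPath id='a' clip-path='url(#b)'>
<rect width='1' height='1'/></clipPath><clipPath id='b'><circle r='1' clip-path='url(#a)'/>
</clipPath><clipPath id='c'><rect width='1' height='1'/></clipPath></svg>"""
```

Running find_clip_cycles on the first input yields [['clipPath_0', 'clipPath_0']], on the second [['a', 'b', 'a']]; a clean document returns an empty list.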
Confirmed with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060115 Firefox/1.6a1. The crash is due to infinite recursion, so it's not a security hole.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
OS: Windows XP → All
Hardware: PC → All
Group: security
Since this now has a public testcase and it's not exploitable I'm clearing the confidential flag to get more visibility on the problem.
Attached patch clip loop testing (obsolete) — Splinter Review
Assignee: general → tor
Status: NEW → ASSIGNED
Attachment #211276 - Flags: review?(scootermorris)
Attachment #211276 - Attachment is obsolete: true
Attachment #211286 - Flags: review?(scootermorris)
Attachment #211276 - Flags: review?(scootermorris)
Attachment #211286 - Flags: review?(scootermorris) → review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Group: security
Is this crash fix worth taking on the 1.8 branch?
Flags: wanted1.8.1.x?
Whiteboard: [sg:dos] → [sg:nse dos]
It's already on the 1.8.1 branch. See bug 339220 comment 14.
Flags: wanted1.8.1.x? → wanted1.8.1.x+