User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

If you place a reference to a 'clipPath' element to a child node of that same 'clipPath' element, and reference it externally as well, the browser instantly crashes. This has the same effect in ASV3.03, as well.

Example:

    <svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>
      <clipPath id='clipPath_0'>
        <rect x='10' y='10' width='25' height='25' rx='5' ry='5' fill='none' clip-path='url(#clipPath_0)'/>
      </clipPath>
      <rect x='5' y='5' width='35' height='35' fill='red' clip-path='url(#clipPath_0)'/>
    </svg>

Reproducible: Always

Steps to Reproduce:
1. Create a file with a circular clipPath reference
2. Make sure you don't mind the browser crashing, and load that file
3. File a bug

Actual Results: Browser crashes instantly.

Expected Results: Browser should either ignore circular references and show the clipPath on the external element, or not display the file and give a warning to the user.

I'm not sure this qualifies as a security problem, but since it is such a dramatic effect, and since I provide a test case that could be exploited, I am going to file this as confidential until someone takes a look at it.
In the SVG 1.1 Spec, section 14.3.5 (Establishing a new clipping path), it says: "The 'clipPath' element itself and its child elements do not inherit clipping paths from the ancestors of the 'clipPath' element." So, I don't think the document is in error, but the internal clipPath reference should not be applied.  http://www.w3.org/TR/SVG/masking.html#ClippingPathsEstablishingANewClippingPath
Confirmed with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060115 Firefox/1.6a1. The crash is due to infinite recursion, so it's not a security hole.
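The recursion described above comes from a clipPath whose subtree references the clipPath itself. A renderer fixes this by tracking the chain of clipPaths it is currently resolving; the same idea can be applied as a static pre-check on untrusted SVG before it is handed to a rendering engine. The following is an added example, not code from this bug or from Mozilla's patch: it scans the document's tags with a small regex tokenizer (assumed well-formed, quoted attribute values, no DOM available), builds a graph of which clipPath references which, and runs a depth-first search that reports every reference loop and every dangling `url(#id)`. The function names and the `REPORTED_TESTCASE` constant (a copy of the SVG from the report) are this example's own.

```javascript
// Static checker for circular clip-path references in SVG text.
// Added example; it is not the bug's test case harness or Mozilla's fix.
// Assumptions: XML-style tags, quoted attribute values, no DOM (plain Node.js).
// Tags inside XML comments are not skipped, which is acceptable for a pre-check.

const TAG_RE = /<(\/?)([A-Za-z_][\w:.-]*)((?:\s+[^\s=\/>]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
const URL_REF_RE = /^\s*url\(\s*['"]?#([^'")\s]+)['"]?\s*\)/;
const DOCUMENT = '<document>'; // owner key for references made by ordinary content

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

// Build the dependency graph: clipPath id -> set of clipPath ids it references,
// either via clip-path on the clipPath element itself or on any descendant.
function buildClipGraph(svgText) {
  const graph = new Map();
  const defined = new Set(); // every clipPath id declared in the document
  const stack = [];          // open clipPath elements (id or null when it has none)
  const addEdge = (from, to) => {
    if (!graph.has(from)) graph.set(from, new Set());
    graph.get(from).add(to);
  };
  for (const m of svgText.matchAll(TAG_RE)) {
    const [, closing, name, rawAttrs, selfClosing] = m;
    if (closing) {
      if (name === 'clipPath') stack.pop();
      continue;
    }
    const attrs = parseAttrs(rawAttrs);
    const ownId = name === 'clipPath' && attrs.id ? attrs.id : null;
    if (ownId) defined.add(ownId);
    // A clip-path on the clipPath element applies to the clipPath itself;
    // on a descendant it is charged to the innermost enclosing clipPath.
    const enclosing = [...stack].reverse().find((id) => id !== null);
    const owner = ownId || enclosing || DOCUMENT;
    const ref = attrs['clip-path'] && URL_REF_RE.exec(attrs['clip-path']);
    if (ref) addEdge(owner, ref[1]);
    if (name === 'clipPath' && !selfClosing) stack.push(ownId);
  }
  return { graph, defined };
}

// Depth-first search with visiting/done marks: re-entering a node that is
// still being visited is exactly the loop that sent the renderer into
// unbounded recursion. Returns each loop as a path of ids that closes on itself.
function findClipPathLoops(svgText) {
  const { graph, defined } = buildClipGraph(svgText);
  const loops = [];
  const dangling = new Set();
  const state = new Map();
  function visit(id, path) {
    if (!defined.has(id)) { dangling.add(id); return; }
    if (state.get(id) === 'done') return;
    if (state.get(id) === 'visiting') {
      loops.push(path.slice(path.indexOf(id)).concat(id));
      return;
    }
    state.set(id, 'visiting');
    for (const next of graph.get(id) || []) visit(next, path.concat(id));
    state.set(id, 'done');
  }
  for (const id of defined) visit(id, []);
  for (const ref of graph.get(DOCUMENT) || []) visit(ref, []);
  return { loops, dangling: [...dangling] };
}

// Constructed input: the SVG from the bug report above.
const REPORTED_TESTCASE = `<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>
  <clipPath id='clipPath_0'>
    <rect x='10' y='10' width='25' height='25' rx='5' ry='5' fill='none' clip-path='url(#clipPath_0)'/>
  </clipPath>
  <rect x='5' y='5' width='35' height='35' fill='red' clip-path='url(#clipPath_0)'/>
</svg>`;

// Constructed input: an indirect loop through two clipPaths (not in the report).
const TWO_NODE_LOOP = `<svg xmlns='http://www.w3.org/2000/svg'>
  <clipPath id='a'><rect clip-path='url(#b)'/></clipPath>
  <clipPath id='b'><rect clip-path='url(#a)'/></clipPath>
</svg>`;

console.log(JSON.stringify(findClipPathLoops(REPORTED_TESTCASE)));
console.log(JSON.stringify(findClipPathLoops(TWO_NODE_LOOP)));
```

A renderer that keeps the same visiting set while resolving clip paths gets the behaviour the spec comment above calls for: the self-reference is dropped with a warning and the outer element is still clipped, which is what the eventual fix ("warn on loop") does.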
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
OS: Windows XP → All
Hardware: PC → All
Eric Seidel (IRC MacDome) just tested this and found it to be implemented correctly in Safari. He has filed a testcase: http://trac.webkit.org/dev/browser/trunk/LayoutTests/svg/custom/recursive-clippath.svg http://trac.webkit.org/dev/browser/trunk/LayoutTests/svg/custom/recursive-clippath.svg?format=txt
Since this now has a public testcase and it's not exploitable I'm clearing the confidential flag to get more visibility on the problem.
Created attachment 211276 [details] [diff] [review] clip loop testing
Assignee: general → tor
Status: NEW → ASSIGNED
Attachment #211276 - Flags: review?(scootermorris)
Created attachment 211286 [details] [diff] [review] warn on loop, fix return for hit test
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Is this crash fix worth taking on the 1.8 branch?
Whiteboard: [sg:dos] → [sg:nse dos]
It's already on the 1.8.1 branch. See bug 339220 comment 14.
Flags: wanted1.8.1.x? → wanted1.8.1.x+
crash test landed http://hg.mozilla.org/mozilla-central/rev/b3f664bf4b20