User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:188.8.131.52) Gecko/20060728 Firefox/184.108.40.206
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:220.127.116.11) Gecko/20060728 Firefox/18.104.22.168

A denial of service (null pointer) vulnerability exists within Firefox 22.214.171.124 when processing a specially crafted .svg file. This was tested on OS X 10.4.7 (x86).

Below is a testcase to trigger this issue:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" baseProfile="full">
  <text stroke-width="1234567890%"> </text>
</svg>

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x001b1cdc in nsSVGUtils::CoordToFloat ()
(gdb) bt
#0  0x001b1cdc in nsSVGUtils::CoordToFloat ()
#1  0x00556140 in nsSVGGlyphFrame::GetStrokeWidth ()
#2  0x005563e6 in nsSVGGlyphFrame::GetStrokePaintType ()
#3  0x004d6c30 in nsSVGCairoGlyphGeometry::GetCoveredRegion ()
#4  0x004d5c18 in nsSVGCairoGlyphGeometry::Update ()
#5  0x005558fc in nsSVGGlyphFrame::UpdateGeometry ()
#6  0x0054a1ba in nsSVGTextFrame::UpdateGlyphPositioning ()
#7  0x0054ab07 in nsSVGTextFrame::NotifyRedrawUnsuspended ()
#8  0x0058bb9a in nsSVGOuterSVGFrame::UnsuspendRedraw ()
#9  0x0058c0cd in nsSVGOuterSVGFrame::DidReflow ()
#10 0x00531d0f in CanvasFrame::Reflow ()

Reproducible: Always
Assignee: nobody → general
Component: General → SVG
Product: Firefox → Core
QA Contact: general → ian
Summary: Firefox 126.96.36.199 "stroke-width" .svg DoS → Firefox 188.8.131.52 "stroke-width" .svg DoS
Version: unspecified → 1.8 Branch
Comment on attachment 236922 [details] [diff] [review] patch

This fixes the do_query error but there might be more.
Daniel, can't we lift the security on this? After all, it's a plain zero deref.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Created attachment 236991 [details] [diff] [review] use the right content node

Deja-vu (again). We've run across this problem before - this is the appropriate fix.
I think it's bad style to not check the return of do_query. In other words: http://lxr.mozilla.org/seamonkey/search?string=%3D+do_QueryInterface%28aContent%29 - this is the first time I see in layout that a do_query is not verified.
Comment on attachment 236991 [details] [diff] [review] use the right content node

Yup, yet another glyph parent is not what you think! Nit: is it worth a comment above the call to CoordToFloat to explain why we're calling mContent->GetParent()? With that, r=scooter
Attachment #236991 - Flags: review?(scootermorris) → review+
Comment on attachment 236991 [details] [diff] [review] use the right content node

I do think you should also check the do_QueryInterface as bernd suggested.
Attachment #236991 - Flags: superreview?(roc) → superreview+
Created attachment 237747 [details] [diff] [review] Add bernd's null check and comment

Crash fix, low risk, similar fix has been on trunk since 2006-07-19 (bug 344892).
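The two fixes discussed above (query the parent of the glyph's content node, and null-check the do_QueryInterface result before CoordToFloat resolves a percentage length) as an added, self-contained model; this is example code, not Gecko's, and Node, SvgElement, TextNode, Coord, CoordToFloat and GetStrokeWidth are hypothetical stand-ins for the nsSVGGlyphFrame/nsSVGUtils code paths in the backtrace.

```cpp
#include <optional>

// Minimal content tree: a text node exposes no SVG interface; its parent <text> element does.
struct SvgElement;
struct Node {
    Node* parent = nullptr;
    virtual ~Node() = default;
    // Stand-in for do_QueryInterface(aContent): nullptr when the node is not an SVG element.
    virtual SvgElement* QuerySvgElement() { return nullptr; }
};
struct SvgElement : Node {
    double viewportWidth;  // needed to resolve percentage lengths
    explicit SvgElement(double vw) : viewportWidth(vw) {}
    SvgElement* QuerySvgElement() override { return this; }
};
struct TextNode : Node {};  // the glyph frame's mContent: text, not the <text> element

enum class Unit { Px, Percent };
struct Coord { double value; Unit unit; };

// Resolves a style coord to a float. A percentage needs the SVG element for the
// viewport; returning nullopt on a null element is the check the crashing build lacked.
std::optional<double> CoordToFloat(const Coord& coord, SvgElement* element) {
    if (coord.unit == Unit::Px) return coord.value;
    if (!element) return std::nullopt;
    return coord.value / 100.0 * element->viewportWidth;
}

// Query the parent (the <text> element) rather than the glyph's own text node,
// and treat a failed query as "no stroke width" instead of dereferencing null.
std::optional<double> GetStrokeWidth(Node* glyphContent, const Coord& strokeWidth) {
    if (!glyphContent || !glyphContent->parent) return std::nullopt;
    SvgElement* element = glyphContent->parent->QuerySvgElement();
    if (!element) return std::nullopt;
    return CoordToFloat(strokeWidth, element);
}
```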
Comment on attachment 237747 [details] [diff] [review] Add bernd's null check and comment

a=beltzner on behalf of 181drivers
Attachment #237747 - Flags: approval1.8.1? → approval1.8.1+
Checked in on MOZILLA_1_8_BRANCH.
Summary: Firefox 184.108.40.206 "stroke-width" .svg DoS → Null deref crash [@ nsSVGUtils::CoordToFloat] with large percentage "stroke-width"
Comment on attachment 237747 [details] [diff] [review] Add bernd's null check and comment

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237747 - Flags: approval220.127.116.11? → approval18.104.22.168+
Checked in on MOZILLA_1_8_0_BRANCH.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Verified Fixed for 22.214.171.124 on Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:126.96.36.199) Gecko/20061025 Firefox/188.8.131.52
Keywords: fixed184.108.40.206 → verified220.127.116.11