Closed Bug 351501 Opened 17 years ago Closed 17 years ago

Null deref crash [@ nsSVGUtils::CoordToFloat] with large percentage "stroke-width"

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: tommy, Assigned: tor)

Details

(Keywords: fixed1.8.1, verified1.8.0.8)

Attachments

(3 files, 1 obsolete file)

crash testcase
616 bytes, image/svg+xml
Details
use the right content node
1.11 KB, patch
scootermorris
: review+
roc
: superreview+
Details | Diff | Splinter Review
Add bernd's null check and comment
2.41 KB, patch
dveditz
: approval1.8.0.8+
beltzner
: approval1.8.1+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

A denial of service (null pointer) vulnerability exists within firefox 1.0.5.6 when processig a specially crafted .svg file.  This was tested on OS X 10.4.7 (x86).  Below is a testcase to trigger this issue:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" baseProfile="full">
<text stroke-width="1234567890%">
</text>
</svg>

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x001b1cdc in nsSVGUtils::CoordToFloat ()
(gdb) bt
#0  0x001b1cdc in nsSVGUtils::CoordToFloat ()
#1  0x00556140 in nsSVGGlyphFrame::GetStrokeWidth ()
#2  0x005563e6 in nsSVGGlyphFrame::GetStrokePaintType ()
#3  0x004d6c30 in nsSVGCairoGlyphGeometry::GetCoveredRegion ()
#4  0x004d5c18 in nsSVGCairoGlyphGeometry::Update ()
#5  0x005558fc in nsSVGGlyphFrame::UpdateGeometry ()
#6  0x0054a1ba in nsSVGTextFrame::UpdateGlyphPositioning ()
#7  0x0054ab07 in nsSVGTextFrame::NotifyRedrawUnsuspended ()
#8  0x0058bb9a in nsSVGOuterSVGFrame::UnsuspendRedraw ()
#9  0x0058c0cd in nsSVGOuterSVGFrame::DidReflow ()
#10 0x00531d0f in CanvasFrame::Reflow ()


Reproducible: Always
Attached image crash testcase 
crash testcase
Assignee: nobody → general
Component: General → SVG
Product: Firefox → Core
QA Contact: general → ian
Summary: Firefox 1.0.5.6 "stroke-width" .svg DoS → Firefox 1.5.0.6 "stroke-width" .svg DoS
Version: unspecified → 1.8 Branch
Attached patch patch (obsolete) — Splinter Review 
do_query can return null...
Comment on attachment 236922 [details] [diff] [review]
patch

this fixes the do_query error but there might be more.
Attachment #236922 - Flags: review?(tor)
Daniel can't we lift the security on this? After all its a plain zero deref
Status: UNCONFIRMED → NEW
Ever confirmed: true
Deja-vu (again).  We've run across this problem before - this is the appropriate fix.
Assignee: general → tor
Attachment #236922 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #236991 - Flags: review?(scootermorris)
Attachment #236922 - Flags: review?(tor)
I think its bad style to not check the return of do_query in other words: http://lxr.mozilla.org/seamonkey/search?string=%3D+do_QueryInterface%28aContent%29
this is the first time I see in layout that a do_query is not verified.
Comment on attachment 236991 [details] [diff] [review]
use the right content node

Yup, yet another glyph parent is not what you think!  Nit: is it worth a comment above the call to CoordToFloat to explain why we're calling mContent->GetParent()?

With that, r=scooter
Attachment #236991 - Flags: review?(scootermorris) → review+
Attachment #236991 - Flags: superreview?(roc)
Comment on attachment 236991 [details] [diff] [review]
use the right content node

I do think you should also check the do_QueryInterface as bernd suggested.
Attachment #236991 - Flags: superreview?(roc) → superreview+
Crash fix, low risk, similar fix has been on trunk since 2006-07-19 (bug 344892).
Attachment #237747 - Flags: approval1.8.1?
Attachment #237747 - Flags: approval1.8.0.8?
Comment on attachment 237747 [details] [diff] [review]
Add bernd's null check and comment

a=beltzner on behalf of 181drivers
Attachment #237747 - Flags: approval1.8.1? → approval1.8.1+
Checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8.1
Summary: Firefox 1.5.0.6 "stroke-width" .svg DoS → Null deref crash [@ nsSVGUtils::CoordToFloat] with large percentage "stroke-width"
Group: security
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.8+
Comment on attachment 237747 [details] [diff] [review]
Add bernd's null check and comment

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237747 - Flags: approval1.8.0.9? → approval1.8.0.8+
Checked in on MOZILLA_1_8_0_BRANCH.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.0.8
Resolution: --- → FIXED
Verified Fixed for 1.8.0.8 on Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8
Keywords: fixed1.8.0.8verified1.8.0.8
You need to log in before you can comment on or make changes to this bug.