Closed
Bug 351501
Opened 17 years ago
Closed 17 years ago
Null deref crash [@ nsSVGUtils::CoordToFloat] with large percentage "stroke-width"
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: tommy, Assigned: tor)
Details
(Keywords: fixed1.8.1, verified1.8.0.8)
Attachments
(3 files, 1 obsolete file)
616 bytes,
image/svg+xml
|
Details | |
1.11 KB,
patch
|
scootermorris
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
2.41 KB,
patch
|
dveditz
:
approval1.8.0.8+
beltzner
:
approval1.8.1+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 A denial of service (null pointer) vulnerability exists within firefox 1.0.5.6 when processig a specially crafted .svg file. This was tested on OS X 10.4.7 (x86). Below is a testcase to trigger this issue: <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" baseProfile="full"> <text stroke-width="1234567890%"> </text> </svg> Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 0x001b1cdc in nsSVGUtils::CoordToFloat () (gdb) bt #0 0x001b1cdc in nsSVGUtils::CoordToFloat () #1 0x00556140 in nsSVGGlyphFrame::GetStrokeWidth () #2 0x005563e6 in nsSVGGlyphFrame::GetStrokePaintType () #3 0x004d6c30 in nsSVGCairoGlyphGeometry::GetCoveredRegion () #4 0x004d5c18 in nsSVGCairoGlyphGeometry::Update () #5 0x005558fc in nsSVGGlyphFrame::UpdateGeometry () #6 0x0054a1ba in nsSVGTextFrame::UpdateGlyphPositioning () #7 0x0054ab07 in nsSVGTextFrame::NotifyRedrawUnsuspended () #8 0x0058bb9a in nsSVGOuterSVGFrame::UnsuspendRedraw () #9 0x0058c0cd in nsSVGOuterSVGFrame::DidReflow () #10 0x00531d0f in CanvasFrame::Reflow () Reproducible: Always
Reporter | ||
Comment 1•17 years ago
|
||
crash testcase
Updated•17 years ago
|
Assignee: nobody → general
Component: General → SVG
Product: Firefox → Core
QA Contact: general → ian
Summary: Firefox 1.0.5.6 "stroke-width" .svg DoS → Firefox 1.5.0.6 "stroke-width" .svg DoS
Version: unspecified → 1.8 Branch
Comment on attachment 236922 [details] [diff] [review] patch this fixes the do_query error but there might be more.
Attachment #236922 -
Flags: review?(tor)
Daniel can't we lift the security on this? After all its a plain zero deref
Status: UNCONFIRMED → NEW
Ever confirmed: true
Deja-vu (again). We've run across this problem before - this is the appropriate fix.
Assignee: general → tor
Attachment #236922 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #236991 -
Flags: review?(scootermorris)
Attachment #236922 -
Flags: review?(tor)
I think its bad style to not check the return of do_query in other words: http://lxr.mozilla.org/seamonkey/search?string=%3D+do_QueryInterface%28aContent%29 this is the first time I see in layout that a do_query is not verified.
Comment 7•17 years ago
|
||
Comment on attachment 236991 [details] [diff] [review] use the right content node Yup, yet another glyph parent is not what you think! Nit: is it worth a comment above the call to CoordToFloat to explain why we're calling mContent->GetParent()? With that, r=scooter
Attachment #236991 -
Flags: review?(scootermorris) → review+
Attachment #236991 -
Flags: superreview?(roc)
Comment on attachment 236991 [details] [diff] [review] use the right content node I do think you should also check the do_QueryInterface as bernd suggested.
Attachment #236991 -
Flags: superreview?(roc) → superreview+
Crash fix, low risk, similar fix has been on trunk since 2006-07-19 (bug 344892).
Attachment #237747 -
Flags: approval1.8.1?
Attachment #237747 -
Flags: approval1.8.0.8?
Comment 10•17 years ago
|
||
Comment on attachment 237747 [details] [diff] [review] Add bernd's null check and comment a=beltzner on behalf of 181drivers
Attachment #237747 -
Flags: approval1.8.1? → approval1.8.1+
Updated•17 years ago
|
Summary: Firefox 1.5.0.6 "stroke-width" .svg DoS → Null deref crash [@ nsSVGUtils::CoordToFloat] with large percentage "stroke-width"
Updated•17 years ago
|
Group: security
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Updated•17 years ago
|
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.8+
Comment 12•17 years ago
|
||
Comment on attachment 237747 [details] [diff] [review] Add bernd's null check and comment approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237747 -
Flags: approval1.8.0.9? → approval1.8.0.8+
Assignee | ||
Comment 13•17 years ago
|
||
Checked in on MOZILLA_1_8_0_BRANCH.
Comment 14•17 years ago
|
||
Verified Fixed for 1.8.0.8 on Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8
Keywords: fixed1.8.0.8 → verified1.8.0.8
You need to log in
before you can comment on or make changes to this bug.
Description
•