Bug 360645 - Firefox 2.0 SVG "_cairo_pen_init" Heap Overflow
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] 1.8.1(x)-only
Keywords: regression, verified1.8.1.2
Product: Core
Classification: Components
Component: SVG
Version: 1.8 Branch
Platform/OS: All All
Priority/Severity: -- critical
Target Milestone: ---
Assigned To: Vladimir Vukicevic [:vlad] [:vladv]
Reported: 2006-11-14 00:22 PST by Tom Ferris
Modified: 2007-03-26 17:14 PDT
CC: 11 users
Flags: dveditz: blocking1.8.1.2+
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (197 bytes, image/svg+xml) - 2006-11-14 00:24 PST, Tom Ferris - no flags
clamp the num_vertices to a sane value (1.07 KB, patch) - 2007-01-16 12:46 PST, Vladimir Vukicevic [:vlad] [:vladv] - tor: review+, jaymoz: approval1.8.1.2+

Description Tom Ferris 2006-11-14 00:22:58 PST
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a1) Gecko/20061113 Minefield/3.0a1
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a1) Gecko/20061113 Minefield/3.0a1

Firefox 2.0 SVG "_cairo_pen_init" Heap Overflow

Versions Affected:
Firefox 2.0

Platforms Affected:
Apple Mac OSX 10.4 and prior
Windows XP
Linux

Overview:
When processing a specially crafted .svg file, this will cause Firefox to crash. This allows an attacker to cause Firefox to crash, and/or to execute arbitrary code (probably a tough one) on a targeted host.

Technical Details:
The following SVG code below will reproduce this issue:

		<clipPath  stroke-width="2000000000000000" color="1" >
			<line>
			</line>
		</clipPath>

Below is the crash when running firefox within gdb on OSX 10.4.7

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x45b4f010
0x007d62c5 in _cairo_pen_init ()
(gdb) bt
#0  0x007d62c5 in _cairo_pen_init ()
#1  0x00712635 in _cairo_gstate_stroke_extents ()
#2  0x0050e219 in cairo_stroke_extents ()
#3  0x004f30b0 in nsSVGCairoPathGeometry::GetCoveredRegion ()
#4  0x004f324d in nsSVGCairoPathGeometry::Update ()
#5  0x007ae1bc in nsSVGPathGeometryFrame::UpdateGraphic ()
#6  0x007ae3f2 in nsSVGPathGeometryFrame::NotifyRedrawUnsuspended ()
#7  0x006529ab in nsSVGDefsFrame::NotifyRedrawUnsuspended ()
#8  0x0069abee in nsSVGOuterSVGFrame::UnsuspendRedraw ()
#9  0x0069b121 in nsSVGOuterSVGFrame::DidReflow ()
#10 0x0063f84f in CanvasFrame::Reflow ()
#11 0x0044a58c in nsContainerFrame::ReflowChild ()
#12 0x00680234 in nsHTMLScrollFrame::ReflowScrolledFrame ()
#13 0x0068040a in nsHTMLScrollFrame::ReflowContents ()
#14 0x006820fe in nsHTMLScrollFrame::Reflow ()

-- snip --

Reproducible: Always
Comment 1 Tom Ferris 2006-11-14 00:24:13 PST
Created attachment 245544 [details]
testcase
Comment 2 chris hofmann 2006-11-14 06:52:02 PST
Tom,  we should start out these SVG bugs with assignment to product=core component=svg  

user agent shows trunk.  is this trunk and firefox 2.0?

thanks
Comment 3 Tom Ferris 2006-11-14 20:44:23 PST
(In reply to comment #2)
> Tom,  we should start out these SVG bugs with assignment to product=core
> component=svg  
> 
> user agent shows trunk.  is this trunk and firefox 2.0?
> 
> thanks
> 

Hi Chris,

When I initially filed the bug, I wasn't able to select Core/SVG.  Also, this affects 2.0 and not 3.0.  Sorry for the user agent confusion.
Comment 4 Daniel Veditz [:dveditz] 2006-12-11 03:21:18 PST
FF 1.5.0.8 does not crash (on windows). FF2 and 2.0.0.1 do.
Comment 5 Daniel Veditz [:dveditz] 2006-12-11 12:45:15 PST
TB27170889 (FF2.0)
TB27171253 (FF2.0.0.1 rc1)

Same stacks as comment 0
Comment 6 Vladimir Vukicevic [:vlad] [:vladv] 2007-01-05 21:05:17 PST
Easiest way to fix this is to clamp the final pen stroke width; do any SVG folks have an idea of an appropriate value?
Comment 7 Carl Worth 2007-01-05 21:53:50 PST
(In reply to comment #6)
> Easiest way to fix this is to clamp the final pen stroke width; do any SVG
> folks have an idea of an appropriate value?

Without reference to the SVG specification or anything, I would guess that
as soon as the stroke width is more than 2 (or 10 or whatever) times the
window size or so that there can't be anything all that useful being displayed
anymore.
Comment 8 Tom Ferris 2007-01-05 22:52:00 PST
yeah, I think that 5 times the window size is sufficient.. 
Comment 9 Jay Patel [:jay] 2007-01-12 16:05:47 PST
Vlad:  Could you whip up a patch with the recommended value from Tom?  If not, please find a new owner (maybe tor can help?)
Comment 10 Vladimir Vukicevic [:vlad] [:vladv] 2007-01-12 16:09:38 PST
The problem is that we have no way of getting the window size from anywhere near that code; tor would probably be a better owner for this, if it needs to be fixed at a higher level than that.  I was thinking of clamping to some hardcoded value like 8192 (which, really, will be greater than 5* most people's window sizes).
Comment 11 Vladimir Vukicevic [:vlad] [:vladv] 2007-01-16 12:46:49 PST
Created attachment 251677 [details] [diff] [review]
clamp the num_vertices to a sane value

This fixes the problem; I don't /think/ it will cause any other svg problems -- I clamp to 64k vertices for the pen, which should be more than enough for most sane uses.
Comment 12 Vladimir Vukicevic [:vlad] [:vladv] 2007-01-17 10:39:44 PST
Comment on attachment 251677 [details] [diff] [review]
clamp the num_vertices to a sane value

Low impact, shouldn't break anything.
Comment 13 Jay Patel [:jay] 2007-01-17 15:22:26 PST
Comment on attachment 251677 [details] [diff] [review]
clamp the num_vertices to a sane value

Approved for 1.8 branch, a=jay for drivers.
Comment 14 Vladimir Vukicevic [:vlad] [:vladv] 2007-01-17 16:40:19 PST
Checked in to 1.8 branch.
Comment 15 alice nodelman [:alice] [:anode] 2007-01-30 14:29:41 PST
Using provided testcase confirmed existence of bug on 2.0.0.1.

Verified fixed for 2.0.0.2pre - testcase runs and does not crash.

Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2pre) Gecko/2007013007 BonEcho/2.0.0.2pre
Comment 19 Daniel Veditz [:dveditz] 2007-03-01 11:30:22 PST
Filed bug 372193 on the new issue noted in comment 16-18
Comment 20 Daniel Veditz [:dveditz] 2007-03-26 17:14:43 PDT
Don't know where I got that bug number. It's really bug 372285
