User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a1) Gecko/20061113 Minefield/3.0a1
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a1) Gecko/20061113 Minefield/3.0a1

Firefox 2.0 SVG "_cairo_pen_init" Heap Overflow

Versions Affected: Firefox 2.0

Platforms Affected:
Apple Mac OSX 10.4 and prior
Windows XP
Linux

Overview:
When processing a specially crafted .svg file, this will cause firefox to crash. This allows for an attacker to cause firefox to crash, and/or to execute arbitrary code (probably a tough one) on a targeted host.

Technical Details:
The following SVG code below will reproduce this issue:

<clipPath stroke-width="2000000000000000" color="1" >
<line> </line>
</clipPath>

Below is the crash when running firefox within gdb on OSX 10.4.7

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x45b4f010
0x007d62c5 in _cairo_pen_init ()
(gdb) bt
#0 0x007d62c5 in _cairo_pen_init ()
#1 0x00712635 in _cairo_gstate_stroke_extents ()
#2 0x0050e219 in cairo_stroke_extents ()
#3 0x004f30b0 in nsSVGCairoPathGeometry::GetCoveredRegion ()
#4 0x004f324d in nsSVGCairoPathGeometry::Update ()
#5 0x007ae1bc in nsSVGPathGeometryFrame::UpdateGraphic ()
#6 0x007ae3f2 in nsSVGPathGeometryFrame::NotifyRedrawUnsuspended ()
#7 0x006529ab in nsSVGDefsFrame::NotifyRedrawUnsuspended ()
#8 0x0069abee in nsSVGOuterSVGFrame::UnsuspendRedraw ()
#9 0x0069b121 in nsSVGOuterSVGFrame::DidReflow ()
#10 0x0063f84f in CanvasFrame::Reflow ()
#11 0x0044a58c in nsContainerFrame::ReflowChild ()
#12 0x00680234 in nsHTMLScrollFrame::ReflowScrolledFrame ()
#13 0x0068040a in nsHTMLScrollFrame::ReflowContents ()
#14 0x006820fe in nsHTMLScrollFrame::Reflow ()
-- snip --

Reproducible: Always
Tom, we should start out these SVG bugs with assignment to product=core component=svg

user agent shows trunk. is this trunk and firefox 2.0?

thanks
(In reply to comment #2)
> Tom, we should start out these SVG bugs with assignment to product=core
> component=svg
>
> user agent shows trunk. is this trunk and firefox 2.0?
>
> thanks
>

Hi Chris,

When I initially filed the bug, I wasn't able to select Core/SVG. Also, this affects 2.0 and not 3.0. Sorry for the user agent confusion.
FF 184.108.40.206 does not crash (on windows). FF2 and 220.127.116.11 do.
TB27170889 (FF2.0)
TB27171253 (FF18.104.22.168 rc1)
Same stacks as comment 0
Easiest way to fix this is to clamp the final pen stroke width; do any SVG folks have an idea of an appropriate value?
(In reply to comment #6)
> Easiest way to fix this is to clamp the final pen stroke width; do any SVG
> folks have an idea of an appropriate value?

Without reference to the SVG specification or anything, I would guess that as soon as the stroke width is more than 2 (or 10 or whatever) times the window size or so that there can't be anything all that useful being displayed anymore.
yeah, I think that 5 times the window size is sufficient..
Vlad: Could you whip up a patch with the recommended value from Tom? If not, please find a new owner (maybe tor can help?)
The problem is that we have no way of getting the window size from anywhere near that code; tor would probably be a better owner for this, if it needs to be fixed at a higher level than that. I was thinking of clamping to some hardcoded value like 8192 (which, really, will be greater than 5* most people's window sizes).
Created attachment 251677
clamp the num_vertices to a sane value

This fixes the problem; I don't /think/ it will cause any other svg problems -- I clamp to 64k vertices for the pen, which should be more than enough for most sane uses.
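Added example, not part of the bug thread and not the attached patch or cairo's own code: a C sketch of the clamp described in the comment above, bounding a pen's vertex count at 64k before anything is allocated. The names pen_t, pen_vertex_t, pen_clamp_vertices and pen_init, the minimum of 4, the even-count rule and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define PEN_MAX_VERTICES 65536 /* the "64k vertices" cap from the comment above */
#define PEN_MIN_VERTICES 4     /* assumption: smallest pen worth building */

typedef struct { double x, y; } pen_vertex_t;                       /* hypothetical */
typedef struct { int num_vertices; pen_vertex_t *vertices; } pen_t; /* hypothetical */

/* Convert the vertex count the stroke geometry asks for into a bounded int.
 * The comparison is done on the double, before the cast: converting an
 * out-of-range or non-finite double to int is undefined behaviour in C. */
int pen_clamp_vertices(double wanted)
{
    int n;
    if (!(wanted >= PEN_MIN_VERTICES))  /* too small, negative, or NaN */
        return PEN_MIN_VERTICES;
    if (wanted >= PEN_MAX_VERTICES)     /* huge or +infinity */
        return PEN_MAX_VERTICES;
    n = (int) wanted;
    if ((double) n < wanted)            /* round up, as ceil() would */
        n++;
    if (n % 2)                          /* assumption: keep the count even */
        n++;
    return n;
}

/* Allocate the pen using only the clamped count. Returns 0 on success. */
int pen_init(pen_t *pen, double wanted)
{
    pen->num_vertices = pen_clamp_vertices(wanted);
    pen->vertices = calloc((size_t) pen->num_vertices, sizeof(pen_vertex_t));
    if (pen->vertices == NULL) {
        pen->num_vertices = 0;
        return -1;
    }
    return 0;
}

int main(void)
{
    double samples[] = { 37.2, 2e15, -1.0 }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pen_t pen;
        if (pen_init(&pen, samples[i]) == 0) {
            printf("%g -> %d vertices\n", samples[i], pen.num_vertices);
            free(pen.vertices);
        }
    }
    return 0;
}
```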
Comment on attachment 251677
clamp the num_vertices to a sane value

Low impact, shouldn't break anything.
Comment on attachment 251677
clamp the num_vertices to a sane value

Approved for 1.8 branch, a=jay for drivers.
Checked in to 1.8 branch.
Using provided testcase confirmed existence of bug on 22.214.171.124. Verified fixed for 126.96.36.199pre - testcase runs and does not crash. Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:188.8.131.52pre) Gecko/2007013007 BonEcho/184.108.40.206pre
Don't know where I got that bug number. It's really bug 372285