Bug 393832 - (CVE-2009-1827) svg circle with infinite radius causes hang
Status: VERIFIED FIXED
Whiteboard: [sg:dos]
Keywords: hang, regression, testcase, verified1.9.1
Product: Core
Classification: Components
Component: SVG
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Robert Longson
QA Contact: Jet Villegas (:jet)
Duplicates: 465615
Depends on: 501311 503601
Blocks: 334999 414782
Reported: 2007-08-27 01:24 PDT by georgi - hopefully not receiving bugspam
Modified: 2009-07-30 15:51 PDT
CC: 16 users
Flags: jwatt: wanted1.9.1+; mbeltzner: blocking1.9.1.1-; dveditz: wanted1.9.0.x+; samuel.sidler+old: in-testsuite?
Tracking flags: .2+, .2-fixed


Attachments
svg circle (292 bytes, text/xml); 2007-08-27 01:24 PDT, georgi - hopefully not receiving bugspam; no flags
patch (11.62 KB, patch); 2009-05-27 15:04 PDT, Robert Longson; jwatt: review+
1.9.1 patch (14.25 KB, patch); 2009-07-13 23:11 PDT, Robert Longson; samuel.sidler+old: approval1.9.1.2+

Description georgi - hopefully not receiving bugspam 2007-08-27 01:24:19 PDT
Created attachment 278380 [details]
svg circle

svg circle with infinite radius causes hang

<circle cx="100" cy="100" r="200E200" /> 
causes
_cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=3.1415926535897931, 

This is kind of a DoS.

(gdb) bt
#0  0xb74c3bd6 in sin () from /lib/i686/libm.so.6
#1  0xb6223915 in _arc_error_normalized (angle=1.6922030997455189e-07)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:64
#2  0xb6223a21 in _arc_max_angle_for_tolerance_normalized (tolerance=0)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:99
#3  0xb6223aa7 in _arc_segments_needed (angle=3.1415926535897931, radius=inf, 
    ctm=0xbf9c5620, tolerance=0.10000000000000001)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:117
#4  0xb6223dca in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=3.1415926535897931, 
    dir=CAIRO_DIRECTION_FORWARD)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:214
#5  0xb6223ce2 in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=6.2831853071795862, 
    dir=CAIRO_DIRECTION_FORWARD)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:192
#6  0xb6223ec3 in _cairo_arc_path (cr=0x8e3a560, xc=100, yc=100, radius=inf, 
    angle1=0, angle2=6.2831853071795862)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:256
#7  0xb6221e81 in _moz_cairo_arc (cr=0x8e3a560, xc=100, yc=100, radius=inf, 
    angle1=0, angle2=6.2831853071795862)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo.c:1578
#8  0xb61ff54c in gfxContext::Arc (this=0xbf9c5974, center=@0xbf9c58b0,
(gdb) next
_arc_max_angle_for_tolerance_normalized (tolerance=0)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:100
100         } while (error > tolerance);
(gdb) p error
$1 = 4.246402931726046e-46
(gdb) p tolerance
$2 = 0
(gdb)
Comment 1 Ria Klaassen (not reading all bugmail) 2007-08-27 11:53:34 PDT
Regression range is http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-05-01+02%3A00&maxdate=2006-05-01+22%3A00
and seems to point to bug 334999.
Comment 2 georgi - hopefully not receiving bugspam 2008-02-01 00:13:24 PST
[sg:nse] [sg:dos?]
Comment 3 Daniel Veditz [:dveditz] 2009-05-26 17:23:02 PDT
*** Bug 465615 has been marked as a duplicate of this bug. ***
Comment 4 Robert Longson 2009-05-27 15:04:57 PDT
Created attachment 379974 [details] [diff] [review]
patch
Comment 5 Jonathan Watt [:jwatt] 2009-05-27 16:41:23 PDT
Comment on attachment 379974 [details] [diff] [review]
patch

nice. r=jwatt
Comment 6 Robert Longson 2009-06-17 17:27:41 PDT
checked in http://hg.mozilla.org/mozilla-central/rev/0aea8ddb0189
Comment 7 Craig Topper 2009-06-29 19:53:21 PDT
Did this miss fixing nsSVGLength? Looks like Length2 was fixed and both SVGNumber and SVGNumber2, but no SVGLength.
Comment 8 Robert Longson 2009-06-29 23:50:33 PDT
I guess I missed it because it doesn't immediately cast the strtod result. Needs another bug raised to fix.
Comment 9 Daniel Veditz [:dveditz] 2009-07-10 15:34:20 PDT
Filed bug 503601
Comment 10 georgi - hopefully not receiving bugspam 2009-07-11 05:21:07 PDT
afaict the patch checks for *parsing* FP infinity.

|inf| can result from arithmetic operations:

#include <stdlib.h> /* strtod */
#include <math.h>   /* isinf */
int main(void) {
    char st[] = "10E250";
    double d, r;
    char *endptr;
    d = strtod(st, &endptr); /* != inf: 1e251 is a finite double */
    r = d * d;               /* == inf: 1e502 exceeds DBL_MAX */
    return isinf(r) ? 0 : 1; /* exits 0 once the product has overflowed */
}
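Added example (written for this page, not code from Mozilla's nsSVGLength/nsSVGNumber patch or from cairo) showing the two checks the thread discusses: the double that strtod returns for 200E200 is finite, so the finiteness check has to be made on the float value the SVG length will actually store, and, per comment 10, a value that parsed as finite can still overflow in later arithmetic. Function names are hypothetical; the rendering-side guard reflects the backtrace, where radius=inf drove cairo's tolerance to 0 and its segment-count loop never finished.

```c
#include <float.h>
#include <math.h>
#include <stdlib.h>

/* Parse an SVG number for a float-backed field. strtod() returns a double,
 * and "200E200" (2e202) is a perfectly finite double; it only turns into
 * inf when narrowed to the float the length object stores. The range check
 * therefore applies to the value that will actually be kept, not only to
 * the double strtod() handed back. Returns 1 on success, 0 otherwise.
 * (Hypothetical helper; SVG unit suffixes are out of scope here.) */
int parse_svg_float(const char *str, float *out)
{
    char *end;
    double d = strtod(str, &end);

    if (end == str || *end != '\0')      /* nothing parsed, or trailing junk */
        return 0;
    if (!isfinite(d))                    /* "1E400": strtod returns HUGE_VAL */
        return 0;
    if (d > FLT_MAX || d < -FLT_MAX)     /* 2e202: fits a double, not a float */
        return 0;
    *out = (float)d;
    return 1;
}

/* Rendering-side guard: never hand a non-finite radius to the arc code.
 * With radius == inf, tolerance / major_axis becomes 0 and the loop
 * "while (error > tolerance)" seen in the backtrace effectively never ends. */
int arc_radius_is_drawable(double radius)
{
    return isfinite(radius) && radius >= 0.0;
}

/* Comment 10's caveat: a value that parsed as finite can still overflow in
 * later arithmetic. Compute in double, then range-check before narrowing. */
int scale_radius_finite(float r, float scale, float *out)
{
    double v = (double)r * (double)scale;  /* FLT_MAX * FLT_MAX is still a finite double */
    if (!isfinite(v) || v > FLT_MAX || v < -FLT_MAX)
        return 0;
    *out = (float)v;
    return 1;
}
```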
Comment 11 Robert Longson 2009-07-11 08:09:39 PDT
If you see anywhere that occurs in the codebase then raise another bug for it.
Comment 12 Samuel Sidler (old account; do not CC) 2009-07-13 15:09:50 PDT
Is this ready for 1.9.1.1? Can you please request approval for 1.9.1.1 on a patch that applies?
Comment 13 Robert Longson 2009-07-13 23:11:44 PDT
Created attachment 388419 [details] [diff] [review]
1.9.1 patch
Comment 14 Robert Longson 2009-07-13 23:12:41 PDT
Note that the 1.9.1 patch includes the bug 501311 nsSVGLength change
Comment 15 Samuel Sidler (old account; do not CC) 2009-07-21 17:10:38 PDT
Comment on attachment 388419 [details] [diff] [review]
1.9.1 patch

Approved for 1.9.1.2. a=ss for release-drivers

Can you be sure to get a test written for this as well?
Comment 16 Robert Longson 2009-07-21 23:26:09 PDT
The first attachment could be checked into layout/svg/crashtests/393832.svg as a crashtest.
Comment 17 Joe Drew (not getting mail) 2009-07-29 11:35:49 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/131947ecddd4

Any testcases will have to go in separately, though.
Comment 18 Kevin Brosnan 2009-07-30 15:51:16 PDT
Verified

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090730 Minefield/3.6a1pre
