Bug 393832 (CVE-2009-1827): svg circle with infinite radius causes hang
Status: Closed, VERIFIED FIXED
Opened 17 years ago, closed 16 years ago
Categories: Core :: SVG, defect
People: Reporter: guninski, Assigned: longsonr
Details: 4 keywords, Whiteboard: [sg:dos]
Attachments (3 files):
292 bytes, text/xml
11.62 KB, patch, jwatt: review+
14.25 KB, patch, samuel.sidler+old: approval1.9.1.2+
svg circle with infinite radius causes hang
<circle cx="100" cy="100" r="200E200" />
causes
_cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100,
radius=inf, angle_min=0, angle_max=3.1415926535897931,
this is kind of a DoS
(gdb) bt
#0 0xb74c3bd6 in sin () from /lib/i686/libm.so.6
#1 0xb6223915 in _arc_error_normalized (angle=1.6922030997455189e-07)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:64
#2 0xb6223a21 in _arc_max_angle_for_tolerance_normalized (tolerance=0)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:99
#3 0xb6223aa7 in _arc_segments_needed (angle=3.1415926535897931, radius=inf,
ctm=0xbf9c5620, tolerance=0.10000000000000001)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:117
#4 0xb6223dca in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100,
radius=inf, angle_min=0, angle_max=3.1415926535897931,
dir=CAIRO_DIRECTION_FORWARD)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:214
#5 0xb6223ce2 in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100,
radius=inf, angle_min=0, angle_max=6.2831853071795862,
dir=CAIRO_DIRECTION_FORWARD)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:192
#6 0xb6223ec3 in _cairo_arc_path (cr=0x8e3a560, xc=100, yc=100, radius=inf,
angle1=0, angle2=6.2831853071795862)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:256
#7 0xb6221e81 in _moz_cairo_arc (cr=0x8e3a560, xc=100, yc=100, radius=inf,
angle1=0, angle2=6.2831853071795862)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo.c:1578
#8 0xb61ff54c in gfxContext::Arc (this=0xbf9c5974, center=@0xbf9c58b0,
(gdb) next
_arc_max_angle_for_tolerance_normalized (tolerance=0)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:100
100 } while (error > tolerance);
(gdb) p error
$1 = 4.246402931726046e-46
(gdb) p tolerance
$2 = 0
(gdb)
Updated•17 years ago (Reporter)
Component: General → GFX
Product: Firefox → Core
QA Contact: general → general
Comment 1•17 years ago
Regression range is http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-05-01+02%3A00&maxdate=2006-05-01+22%3A00 and seems to point to bug 334999.
Updated•17 years ago
Whiteboard: sg:?
Updated•16 years ago
Product: Core → Core Graveyard
Updated•16 years ago
Component: GFX → SVG
Flags: wanted1.9.1+
Product: Core Graveyard → Core
QA Contact: general → general
Updated•16 years ago
Keywords: regression
Whiteboard: [sg:nse] [sg:dos?] → [sg:dos]
Comment 4•16 years ago (Assignee)
Assignee: nobody → longsonr
Attachment #379974 - Flags: review?(jwatt)
Updated•16 years ago
Attachment #379974 - Flags: review?(jwatt) → review+
Comment 5•16 years ago
Comment on attachment 379974 [details] [diff] [review]
patch
nice. r=jwatt
Updated•16 years ago
Alias: CVE-2009-1827
Comment 6•16 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 7•16 years ago
Did this miss fixing nsSVGLength? Looks like Length2 was fixed and both SVGNumber and SVGNumber2, but no SVGLength.
Comment 8•16 years ago (Assignee)
I guess I missed it because it doesn't immediately cast the strtod result. Needs another bug raised to fix.
Updated•15 years ago
Flags: wanted1.9.0.x+
Flags: blocking1.9.1.1+
Comment 9•15 years ago
Filed bug 503601
Comment 10•15 years ago (Reporter)
afaict the patch checks for *parsing* FP infinity.
|inf| can result from arithmetic operations:
#include <stdio.h>
#include <stdlib.h>
#include <math.h>
int main(void) {
  char st[]="10E250"; double d,r; char *endptr;
  d=strtod(st,&endptr); /* != inf: 1e251 fits in a double */
  r=d*d; /* == inf: 1e502 overflows the double range */
  printf("isinf(d)=%d isinf(r)=%d\n", isinf(d), isinf(r));
  return 0;
}
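The following is an added example, not code from this bug's patches or from Gecko or cairo. It shows the check the thread converges on for both the description's r="200E200" case and comment 10's arithmetic case: parse with strtod, verify the result fits a finite float before the cast that comment 8 implies the SVG value code makes (the cast itself is assumed here), and re-check after later arithmetic. Function names are hypothetical.

```c
#include <ctype.h>
#include <float.h>
#include <math.h>
#include <stdlib.h>

/* True when a double can be narrowed to float without producing inf or NaN.
 * This is the shape of check the fix adds where the parsed value is cast. */
static int fits_float(double v)
{
    return isfinite(v) && fabs(v) <= FLT_MAX;
}

/* Hypothetical stand-alone parser for one SVG number attribute such as the
 * r="..." of <circle>. Returns the value as a float, or NAN on any failure so
 * callers have a single thing to check. */
float parse_svg_number(const char *str)
{
    char *end;
    double v;

    if (str == NULL || *str == '\0')
        return NAN;
    v = strtod(str, &end);
    if (end == str)                      /* no digits consumed */
        return NAN;
    while (isspace((unsigned char)*end)) /* tolerate trailing whitespace only */
        end++;
    if (*end != '\0')
        return NAN;
    /* "200E200" is 2e202: finite as a double but outside float range, so the
     * cast to float would yield +inf. strtod also accepts "inf" and "nan",
     * which the SVG grammar does not. All of them are rejected here, before
     * the value can reach the arc tessellation loop in the backtrace. */
    if (!fits_float(v))
        return NAN;
    return (float)v;
}

/* Comment 10's point: a value that parsed as finite can still overflow in
 * later arithmetic, e.g. when a transform scale is applied to the radius,
 * so the product is checked again before it is handed on. The product is
 * formed in double, where two floats cannot overflow, then narrowed. */
float scale_radius(float r, float scale)
{
    double s = (double)r * (double)scale;
    return fits_float(s) ? (float)s : NAN;
}
```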
Comment 11•15 years ago (Assignee)
If you see anywhere that occurs in the codebase then raise another bug for it.
Comment 12•15 years ago
Is this ready for 1.9.1.1? Can you please request approval for 1.9.1.1 on a patch that applies?
Comment 13•15 years ago (Assignee)
Attachment #388419 - Flags: approval1.9.1.1?
Comment 14•15 years ago (Assignee)
Note that the 1.9.1 patch includes the bug 501311 nsSVGLength change
Updated•15 years ago
blocking1.9.1: --- → .2+
Flags: blocking1.9.1.1+ → blocking1.9.1.1-
Comment 15•15 years ago
Comment on attachment 388419 [details] [diff] [review]
1.9.1 patch
Approved for 1.9.1.2. a=ss for release-drivers
Can you be sure to get a test written for this as well?
Attachment #388419 - Flags: approval1.9.1.1? → approval1.9.1.2+
Updated•15 years ago
Flags: in-testsuite?
Comment 16•15 years ago (Assignee)
The first attachment could be checked into layout/svg/crashtests/393832.svg as a crashtest.
Comment 17•15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/131947ecddd4
Any testcases will have to go in separately, though.
Keywords: fixed1.9.1
Updated•15 years ago
status1.9.1: --- → .2-fixed
Keywords: fixed1.9.1
Comment 18•15 years ago
Verified
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090730 Minefield/3.6a1pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1