Bug 393832 (CVE-2009-1827)

svg circle with infinite radius causes hang

VERIFIED FIXED

Status

Product: Core
Component: SVG
Status: VERIFIED FIXED
Reported: 10 years ago
Modified: 8 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Assigned: Robert Longson)

Tracking

Version: Trunk
Keywords: hang, regression, testcase, verified1.9.1
Points:
---
Bug Flags:
wanted1.9.1 +
blocking1.9.1.1 -
wanted1.9.0.x +
in-testsuite ?

Firefox Tracking Flags

(blocking1.9.1 .2+, status1.9.1 .2-fixed)

Details

(Whiteboard: [sg:dos])

Attachments

(3 attachments)

Created attachment 278380 [details]
svg circle

svg circle with infinite radius causes hang

<circle cx="100" cy="100" r="200E200" /> 
causes
_cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=3.1415926535897931, 

this is kind of dos

(gdb) bt
#0  0xb74c3bd6 in sin () from /lib/i686/libm.so.6
#1  0xb6223915 in _arc_error_normalized (angle=1.6922030997455189e-07)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:64
#2  0xb6223a21 in _arc_max_angle_for_tolerance_normalized (tolerance=0)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:99
#3  0xb6223aa7 in _arc_segments_needed (angle=3.1415926535897931, radius=inf, 
    ctm=0xbf9c5620, tolerance=0.10000000000000001)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:117
#4  0xb6223dca in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=3.1415926535897931, 
    dir=CAIRO_DIRECTION_FORWARD)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:214
#5  0xb6223ce2 in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, 
    radius=inf, angle_min=0, angle_max=6.2831853071795862, 
    dir=CAIRO_DIRECTION_FORWARD)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:192
#6  0xb6223ec3 in _cairo_arc_path (cr=0x8e3a560, xc=100, yc=100, radius=inf, 
    angle1=0, angle2=6.2831853071795862)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:256
#7  0xb6221e81 in _moz_cairo_arc (cr=0x8e3a560, xc=100, yc=100, radius=inf, 
    angle1=0, angle2=6.2831853071795862)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo.c:1578
#8  0xb61ff54c in gfxContext::Arc (this=0xbf9c5974, center=@0xbf9c58b0,
(gdb) next
_arc_max_angle_for_tolerance_normalized (tolerance=0)
    at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:100
100         } while (error > tolerance);
(gdb) p error
$1 = 4.246402931726046e-46
(gdb) p tolerance
$2 = 0
(gdb)
(Reporter)

Updated

10 years ago
Component: General → GFX
Product: Firefox → Core
QA Contact: general → general
Regression range is http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-05-01+02%3A00&maxdate=2006-05-01+22%3A00
and seems to point to bug 334999.
Blocks: 334999
OS: Linux → All
Hardware: PC → All

Updated

10 years ago
Whiteboard: sg:?
[sg:nse] [sg:dos?]
Whiteboard: sg:? → [sg:nse] [sg:dos?]
Product: Core → Core Graveyard

Updated

8 years ago
Component: GFX → SVG
Flags: wanted1.9.1+
Product: Core Graveyard → Core
QA Contact: general → general

Updated

8 years ago
Keywords: hang, testcase
Keywords: regression
Whiteboard: [sg:nse] [sg:dos?] → [sg:dos]
Duplicate of this bug: 465615
(Assignee)

Comment 4

8 years ago
Created attachment 379974 [details] [diff] [review]
patch
Assignee: nobody → longsonr
Attachment #379974 - Flags: review?(jwatt)

Updated

8 years ago
Attachment #379974 - Flags: review?(jwatt) → review+
Comment on attachment 379974 [details] [diff] [review]
patch

nice. r=jwatt
(Assignee)

Updated

8 years ago
Blocks: 414782

Updated

8 years ago
Alias: CVE-2009-1827
(Assignee)

Comment 6

8 years ago
checked in http://hg.mozilla.org/mozilla-central/rev/0aea8ddb0189
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 7

8 years ago
Did this miss fixing nsSVGLength? Looks like Length2 was fixed and both SVGNumber and SVGNumber2, but no SVGLength.
(Assignee)

Comment 8

8 years ago
I guess I missed it because it doesn't immediately cast the strtod result. Needs another bug raised to fix.
Flags: wanted1.9.0.x+
Flags: blocking1.9.1.1+
Depends on: 503601
Filed bug 503601
afaict the patch checks for *parsing* FP infinity.

|inf| can result from arithmetic operations:

#include <stdlib.h>
int main(void)
{
    char st[] = "10E250";
    double d, r;
    char *endptr;
    d = strtod(st, &endptr); /* != inf: 1e251 is a representable double */
    r = d * d;               /* == inf: 1e502 overflows, although parsing succeeded */
    return 0;
}
(Assignee)

Comment 11

8 years ago
If you see anywhere that occurs in the codebase then raise another bug for it.
Is this ready for 1.9.1.1? Can you please request approval for 1.9.1.1 on a patch that applies?
(Assignee)

Updated

8 years ago
Depends on: 501311
(Assignee)

Comment 13

8 years ago
Created attachment 388419 [details] [diff] [review]
1.9.1 patch
Attachment #388419 - Flags: approval1.9.1.1?
(Assignee)

Comment 14

8 years ago
Note that the 1.9.1 patch includes the bug 501311 nsSVGLength change
blocking1.9.1: --- → .2+
Flags: blocking1.9.1.1+ → blocking1.9.1.1-
Comment on attachment 388419 [details] [diff] [review]
1.9.1 patch

Approved for 1.9.1.2. a=ss for release-drivers

Can you be sure to get a test written for this as well?
Attachment #388419 - Flags: approval1.9.1.1? → approval1.9.1.2+
Flags: in-testsuite?
(Assignee)

Comment 16

8 years ago
The first attachment could be checked into layout/svg/crashtests/393832.svg as a crashtest.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/131947ecddd4

Any testcases will have to go in separately, though.
Keywords: fixed1.9.1
status1.9.1: --- → .2-fixed
Keywords: fixed1.9.1

Comment 18

8 years ago
Verified

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090730 Minefield/3.6a1pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1