Closed Bug 393832 (CVE-2009-1827) Opened 17 years ago Closed 16 years ago

svg circle with infinite radius causes hang

Categories

(Core :: SVG, defect)

defect
Not set
normal

Tracking

VERIFIED FIXED
Tracking Status
blocking1.9.1 --- .2+
status1.9.1 --- .2-fixed

People

(Reporter: guninski, Assigned: longsonr)

References

Details

(4 keywords, Whiteboard: [sg:dos])

Attachments

(3 files)

Attached file svg circle
svg circle with infinite radius causes hang

<circle cx="100" cy="100" r="200E200" />

causes _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, radius=inf, angle_min=0, angle_max=3.1415926535897931,

this is kind of dos

(gdb) bt
#0  0xb74c3bd6 in sin () from /lib/i686/libm.so.6
#1  0xb6223915 in _arc_error_normalized (angle=1.6922030997455189e-07) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:64
#2  0xb6223a21 in _arc_max_angle_for_tolerance_normalized (tolerance=0) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:99
#3  0xb6223aa7 in _arc_segments_needed (angle=3.1415926535897931, radius=inf, ctm=0xbf9c5620, tolerance=0.10000000000000001) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:117
#4  0xb6223dca in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, radius=inf, angle_min=0, angle_max=3.1415926535897931, dir=CAIRO_DIRECTION_FORWARD) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:214
#5  0xb6223ce2 in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100, radius=inf, angle_min=0, angle_max=6.2831853071795862, dir=CAIRO_DIRECTION_FORWARD) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:192
#6  0xb6223ec3 in _cairo_arc_path (cr=0x8e3a560, xc=100, yc=100, radius=inf, angle1=0, angle2=6.2831853071795862) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:256
#7  0xb6221e81 in _moz_cairo_arc (cr=0x8e3a560, xc=100, yc=100, radius=inf, angle1=0, angle2=6.2831853071795862) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo.c:1578
#8  0xb61ff54c in gfxContext::Arc (this=0xbf9c5974, center=@0xbf9c58b0,
(gdb) next
_arc_max_angle_for_tolerance_normalized (tolerance=0) at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:100
100	    } while (error > tolerance);
(gdb) p error
$1 = 4.246402931726046e-46
(gdb) p tolerance
$2 = 0
(gdb)
Component: General → GFX
Product: Firefox → Core
QA Contact: general → general
Whiteboard: sg:?
[sg:nse] [sg:dos?]
Whiteboard: sg:? → [sg:nse] [sg:dos?]
Product: Core → Core Graveyard
Component: GFX → SVG
Flags: wanted1.9.1+
Product: Core Graveyard → Core
QA Contact: general → general
Keywords: hang, testcase
Keywords: regression
Whiteboard: [sg:nse] [sg:dos?] → [sg:dos]
Attached patch patchSplinter Review
Assignee: nobody → longsonr
Attachment #379974 - Flags: review?(jwatt)
Attachment #379974 - Flags: review?(jwatt) → review+
Comment on attachment 379974 [details] [diff] [review] patch nice. r=jwatt
Blocks: 414782
Alias: CVE-2009-1827
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Did this miss fixing nsSVGLength? Looks like Length2 was fixed and both SVGNumber and SVGNumber2, but no SVGLength.
I guess I missed it because it doesn't immediately cast the strtod result. Needs another bug raised to fix.
Flags: wanted1.9.0.x+
Flags: blocking1.9.1.1+
Depends on: 503601
afaict the patch checks for *parsing* FP infinity. |inf| can result from arithmetic operations:

char st[]="10E250";
double d,r;
char *endptr;
d=strtod(st,&endptr); /* != inf */
r=d*d; /* == inf */
If you see anywhere that occurs in the codebase then raise another bug for it.
Is this ready for 1.9.1.1? Can you please request approval for 1.9.1.1 on a patch that applies?
Depends on: 501311
Attached patch 1.9.1 patchSplinter Review
Attachment #388419 - Flags: approval1.9.1.1?
Note that the 1.9.1 patch includes the bug 501311 nsSVGLength change
blocking1.9.1: --- → .2+
Flags: blocking1.9.1.1+ → blocking1.9.1.1-
Comment on attachment 388419 [details] [diff] [review] 1.9.1 patch Approved for 1.9.1.2. a=ss for release-drivers Can you be sure to get a test written for this as well?
Attachment #388419 - Flags: approval1.9.1.1? → approval1.9.1.2+
Flags: in-testsuite?
The first attachment could be checked into layout/svg/crashtests/393832.svg as a crashtest.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/131947ecddd4 Any testcases will have to go in separately, though.
Keywords: fixed1.9.1
Verified
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090730 Minefield/3.6a1pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1