Closed Bug 441368 Opened 17 years ago Closed 17 years ago

Crash [@ nsSVGFEGaussianBlurElement::SetupPredivide] opening SVG file

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Version:
1.9.0 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: bsterne, Assigned: roc)

References

Details

(Keywords: regression, verified1.9.0.2, Whiteboard: [sg:critical?])

Attachments

(3 files)

testcase crashes trunk
678 bytes, image/svg+xml
Details
Backtrace from SVG crash
55.57 KB, text/plain
Details
fix
834 bytes, patch
longsonr
: review+
MatsPalmgren_bugz
: superreview+
samuel.sidler+old
: approval1.9.0.2+
Details | Diff | Splinter Review
Attached image testcase crashes trunk
Drew Yao from Apple Product Security reported this crash to security@mo. The attached testcase crashes trunk on Mac and Linux (haven't tested it on Windows). I will follow up shortly to attach the stack contents from the Mac crash. From Drew's email: Integer overflow in nsSVGFEGaussianBlurElement::SetupPredivide It does not seem to affect Firefox 2, only Firefox 3. PRUint8 * nsSVGFEGaussianBlurElement::SetupPredivide(PRUint32 size) const { PRUint8 *tmp = new PRUint8[size * 256]; // <-- integer overflow possible here, leading to an unexpectedly small buffer, and memory corruption if (tmp) { for (PRUint32 i = 0; i < 256; i++) memset(tmp + i * size, i, size); } return tmp; } To reproduce: Open the attached 00001596.svg in Firefox 3 in Mac OS X 10.5.3 Intel. It has the line <feGaussianBlur in="SourceAlpha" stdDeviation="2147483648" result="blur"/> Breakpoint 13, nsSVGFEGaussianBlurElement::SetupPredivide (this=0x1c4adaa0, size=2018542109) at /Volumes/data_apps/mozilla/content/svg/content/src/nsSVGFilters.cpp:774 774 PRUint8 *tmp = new PRUint8[size * 256]; (gdb) p size $1001 = 2018542109 (gdb) p/x size $1002 = 0x7850821d (gdb) p/x size * 256 $1003 = 0x50821d00 #smaller than size Process: firefox-bin [55069] Path: /Volumes/data_apps/obj-i386-apple-darwin9.3.0/dist/MinefieldDebug.app/Contents/MacOS/firefox-bin Identifier: org.mozilla.firefox Version: 3.0pre (3.0pre) Code Type: X86 (Native) Parent Process: launchd [1] Date/Time: 2008-06-05 16:25:56.043 -0700 OS Version: Mac OS X 10.5.3 (9D34) Report Version: 6 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x000000006f4eb000 Crashed Thread: 0 Thread 0 Crashed: 0 libSystem.B.dylib 0xffff06b0 __bzero + 176 1 libgklayout.dylib 0x129ae722 nsSVGFEGaussianBlurElement::SetupPredivide(unsigned int) const + 72 (nsSVGFilters.cpp:776) 2 libgklayout.dylib 0x129b5fb3 nsSVGFEGaussianBlurElement::GaussianBlur(unsigned char*, unsigned char*, nsSVGFilterResource*, unsigned int, unsigned int) + 255 (nsSVGFilters.cpp:828) 3 libgklayout.dylib 0x129c2c63 nsSVGFEGaussianBlurElement::Filter(nsSVGFilterInstance*) + 537 (nsSVGFilters.cpp:896) 4 libgklayout.dylib 0x1296a831 nsSVGFilterFrame::FilterPaint(nsSVGRenderState*, nsISVGChildFrame*) + 4063 (nsSVGFilterFrame.cpp:513) 5 libgklayout.dylib 0x1299034a nsSVGUtils::PaintChildWithEffects(nsSVGRenderState*, nsRect*, nsIFrame*) + 698 (nsSVGUtils.cpp:1378) 6 libgklayout.dylib 0x1297da08 nsSVGOuterSVGFrame::Paint(nsIRenderingContext&, nsRect const&, nsPoint) + 466 (nsSVGOuterSVGFrame.cpp:583) 7 libgklayout.dylib 0x1297dbc6 nsDisplaySVG::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 74 (nsSVGOuterSVGFrame.cpp:466) 8 libgklayout.dylib 0x122c0b91 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 61 (nsDisplayList.cpp:295) 9 libgklayout.dylib 0x122c1dbb nsDisplayWrapList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 41 (nsDisplayList.cpp:694) 10 libgklayout.dylib 0x122c2a50 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 128 (nsDisplayList.cpp:888) ...
Whiteboard: [sg:critical?]
A simple fix would be something like: if (size > UINT_MAX / 256) return NULL;
Gavin or Dan, do you know who could take this?
Looks like this code was added with bug 399488
Assignee: nobody → jwatt
Blocks: 399488
Keywords: regression
Flags: wanted1.8.1.x-
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?
It's not very exploitable since we fill the buffer with only N 0s, N 1s, N 2s, ... N 255s. But I'll patch it.
This is not a problem on trunk since I've already removed this code and replaced it with a better approach (that doesn't allocate).
Flags: blocking1.9.1? → blocking1.9.1-
Attached patch fixSplinter Review
Simple stuff.
Assignee: jwatt → roc
Status: NEW → ASSIGNED
Attachment #328775 - Flags: superreview?(mats.palmgren)
Attachment #328775 - Flags: review?(longsonr)
Attachment #328775 - Flags: review?(longsonr) → review+
Comment on attachment 328775 [details] [diff] [review] fix sr=mats
Attachment #328775 - Flags: superreview?(mats.palmgren) → superreview+
Version: unspecified → 1.9.0 Branch
Comment on attachment 328775 [details] [diff] [review] fix Approved for 1.9.0.2. Please land in CVS. a=ss We should also get this in the testsuite...
Attachment #328775 - Flags: approval1.9.0.2? → approval1.9.0.2+
Flags: in-testsuite?
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Checked into 1.9.0 with test. I also landed the test on trunk, changeset b936f6ac877d.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite? → in-testsuite+
Keywords: fixed1.9.0.2
Resolution: --- → FIXED
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2pre) Gecko/2008082004 GranParadiso/3.0.2pre. No crash using the testcase.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.2verified1.9.0.2
Group: core-security
for future reference, this is CVE-2008-4064
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: