Closed Bug 465615 Opened 16 years ago Closed 15 years ago

Very long Radius value for CIRCLE attribute in SVG results in DoS Condition

Categories

(Core :: SVG, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 393832

People

(Reporter: thierry, Unassigned)

Details

(Keywords: hang, Whiteboard: [sg:dos])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

r='1.79769313486231E+308' 

Reproducible: Always

Steps to Reproduce:
1. Open attached file
Actual Results:  
Consumes lots of resources and no longer responds to user input
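A defender-side check this report suggests, added here as an example and not part of the bug or of Firefox's code: a small Python filter that parses an SVG and flags geometry attributes (the circle's r among them) whose value is non-finite, unparsable, or beyond an assumed sane bound (MAX_ABS_VALUE and the attribute list are my assumptions), so a file like the attached one can be rejected before it reaches a renderer. The two sample SVGs are constructed.

```python
import math
import xml.etree.ElementTree as ET  # for untrusted input, use defusedxml.ElementTree instead

# Geometry attributes whose magnitude drives how much work a rasterizer does (assumed list).
GEOMETRY_ATTRS = {
    "r", "rx", "ry", "cx", "cy", "x", "y", "x1", "y1", "x2", "y2",
    "width", "height", "stroke-width",
}

# Assumed sane bound (SVG user units) for anything we are willing to hand to a renderer.
MAX_ABS_VALUE = 1.0e6

# Constructed samples: a benign circle, and one carrying the radius value from this report.
SAFE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40px"/></svg>'
HOSTILE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
               '<circle cx="50" cy="50" r="1.79769313486231E+308"/></svg>')


def parse_length(value: str) -> float:
    """Parse an SVG length; strips a unit suffix, returns NaN when the number is malformed."""
    s = value.strip()
    for unit in ("px", "pt", "pc", "mm", "cm", "in", "em", "ex", "%"):
        if s.endswith(unit):
            s = s[: -len(unit)]
            break
    try:
        return float(s)  # float("1e309") silently becomes inf; isfinite() catches it below
    except ValueError:
        return math.nan


def find_oversized_attributes(svg_text: str, limit: float = MAX_ABS_VALUE) -> list:
    """Return (tag, attribute, raw value) for each geometry attribute that is
    non-finite, unparsable, or larger in magnitude than limit."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        for name, raw in elem.attrib.items():
            if name not in GEOMETRY_ATTRS:
                continue
            num = parse_length(raw)
            if not math.isfinite(num) or abs(num) > limit:
                findings.append((tag, name, raw))
    return findings


if __name__ == "__main__":
    print(find_oversized_attributes(SAFE_SVG))     # []
    print(find_oversized_attributes(HOSTILE_SVG))  # [('circle', 'r', '1.79769313486231E+308')]
```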
Attached file SVG Proof of Concept
Component: Security → SVG
Product: Firefox → Core
QA Contact: firefox → general
Might be a cairo bug rather than SVG (seems to be looping in libthebes), but I can definitely confirm the DoS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
Whiteboard: [sg:dos]
Any action planned on this? (would see this as a low-risk issue)
Personally, I intend to open this bug to the public unless someone gives me a reason not to.

DoS isn't critical; there are many ways to do that, and if the user kills their Firefox, they can uncheck the tab when they restore. If session restore doesn't have a good enough way for users to incrementally load pages, then that's a bug in session restore.

A bug like this is more likely to be fixed by being visible to more people than by leaving it in a closet.
I do not oppose that; no other vendor is affected. Denial of Service is a vulnerability; depending on where the application or code is being used, it might be very critical. Unlikely but possible.

Anyways: I hereby set the disclosure date to the 15th of January.
-> http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy


Regards,
Thierry
Is there any significant difference between this and bug 393832?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
The bug is marked as resolved, is there a patch?
It has been marked as a duplicate of a bug that hasn't been fixed yet.