Closed Bug 465615 Opened 16 years ago Closed 16 years ago

Very long Radius value for CIRCLE attribute in SVG results in DoS Condition

Categories

(Core :: SVG, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 393832

People

(Reporter: thierry, Unassigned)

Details

(Keywords: hang, Whiteboard: [sg:dos])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 r='1.79769313486231E+308' Reproducible: Always Steps to Reproduce: 1.Open attached file 2. 3. Actual Results: Consumes lots of ressources and not longer response to user input
Attached file SVG Proof of Concept
Component: Security → SVG
Product: Firefox → Core
QA Contact: firefox → general
Might be a cairo bug rather than SVG (seems to be looping in libthebes), but I can definitely confirm the DoS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
Whiteboard: [sg:dos]
Any action planed on this (would see this as a low risk issue)
personally, i intend to open this bug to the public unless someone gives me a reason not to. DoS isn't critical, there are many ways to do that, and if the user kills their firefox, they can uncheck the tab when they restore. if session restore doesn't have a good enough way for users to incrementally load pages then that's a bug in session restore. a bug like this is more likely to be fixed by being visible to more people than by leaving it in a closet.
I do not oppose to that, no other vendor is affected. Denial of Service is a vulnerability, depends on where the application or code is being it might be very critical. Unlikely but possible. Anyways: I hereby set the disclosure date to the 15th of January. -> http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy Regards, Thierry
Is there any significant difference between this and bug 393832?
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
The bug is marked as resolved, is there a patch?
It has been marked as a duplicate of a bug that hasn't been fixed yet.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: