Closed
Bug 503601
Opened 16 years ago
Closed 16 years ago
nsSVGLength missed in fix for bug 393832
Categories
(Core :: SVG, defect)
RESOLVED DUPLICATE of bug 501311
People
(Reporter: dveditz, Assigned: longsonr)
+++ This bug was initially created as a clone of Bug #393832 +++
"svg circle with infinite radius causes hang"
The fix for bug 393832 fixed nsSVGLength2 but missed the same issue in nsSVGLength -- not sure it could DoS in the same way but it's the same pattern. Credit to Craig Topper for noticing (bug 393832 comment 7).
<circle cx="100" cy="100" r="200E200" />
causes
_cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100,
radius=inf, angle_min=0, angle_max=3.1415926535897931,
this is kind of dos
(gdb) bt
#0 0xb74c3bd6 in sin () from /lib/i686/libm.so.6
#1 0xb6223915 in _arc_error_normalized (angle=1.6922030997455189e-07)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:64
#2 0xb6223a21 in _arc_max_angle_for_tolerance_normalized (tolerance=0)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:99
#3 0xb6223aa7 in _arc_segments_needed (angle=3.1415926535897931, radius=inf,
ctm=0xbf9c5620, tolerance=0.10000000000000001)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:117
#4 0xb6223dca in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100,
radius=inf, angle_min=0, angle_max=3.1415926535897931,
dir=CAIRO_DIRECTION_FORWARD)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:214
#5 0xb6223ce2 in _cairo_arc_in_direction (cr=0x8e3a560, xc=100, yc=100,
radius=inf, angle_min=0, angle_max=6.2831853071795862,
dir=CAIRO_DIRECTION_FORWARD)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:192
#6 0xb6223ec3 in _cairo_arc_path (cr=0x8e3a560, xc=100, yc=100, radius=inf,
angle1=0, angle2=6.2831853071795862)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:256
#7 0xb6221e81 in _moz_cairo_arc (cr=0x8e3a560, xc=100, yc=100, radius=inf,
angle1=0, angle2=6.2831853071795862)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo.c:1578
#8 0xb61ff54c in gfxContext::Arc (this=0xbf9c5974, center=@0xbf9c58b0,
(gdb) next
_arc_max_angle_for_tolerance_normalized (tolerance=0)
at /opt/joro/firefox-cvs/mozilla/gfx/cairo/cairo/src/cairo-arc.c:100
100 } while (error > tolerance);
(gdb) p error
$1 = 4.246402931726046e-46
(gdb) p tolerance
$2 = 0
(gdb)
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
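The pattern behind the `r="200E200"` test case, as an added example that is not code from this bug or from Mozilla: a length parser that rejects any value which would not be a finite float once stored. The helper name `parse_svg_number`, the status enum, and the assumption that the length is stored as a single-precision float are all hypothetical; unit suffixes are out of scope.

```c
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { LEN_OK, LEN_SYNTAX, LEN_NOT_FINITE, LEN_FLOAT_OVERFLOW } len_status;

/* Hypothetical helper, not Mozilla's API: convert the numeric part of an SVG
 * length attribute into the float a renderer stores (float storage is an
 * assumption of this example). */
len_status parse_svg_number(const char *text, float *out)
{
    char *end = NULL;
    double wide = strtod(text, &end);

    if (end == text || *end != '\0')
        return LEN_SYNTAX;            /* no digits, or trailing characters */
    if (!isfinite(wide))
        return LEN_NOT_FINITE;        /* "inf", "nan", or double overflow */
    /* A check on the double alone would stop here. 200E200 is a finite
     * double but exceeds FLT_MAX, so narrowing it would yield infinity. */
    if (wide > FLT_MAX || wide < -FLT_MAX)
        return LEN_FLOAT_OVERFLOW;

    *out = (float)wide;               /* in range, so the result is finite */
    return LEN_OK;
}

int main(void)
{
    /* Constructed inputs; "200E200" is the r value quoted in the report. */
    const char *samples[] = { "200", "200E200", "-200E200", "1e999", "nan", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        float r = 0.0f;
        len_status s = parse_svg_number(samples[i], &r);
        printf("%-10s -> status %d, r=%g\n", samples[i], (int)s, r);
    }
    return 0;
}
```

The range test runs before the cast, so the check covers the narrowing step itself and applies equally to every code path that stores a parsed length.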
Comment 1 (Reporter) • 16 years ago
Please ignore the stack info above, it's from bug 393832 and was scrolled out of view when I cloned the bug.
Updated by Assignee • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated by Reporter • 16 years ago
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Updated • 10 years ago
Keywords: testcase-wanted