Closed Bug 656244 Opened 13 years ago Closed 13 years ago

Crash when a malformed SVG is included in a page [@ mozilla::imagelib::SVGDocumentWrapper::GetWidthOrHeight ]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla7
Tracking Flags:
Tracking Status
firefox5 - ---
firefox6 - ---
firefox7 --- fixed
status1.9.2 --- unaffected

People

(Reporter: aki.helin, Assigned: dholbert)

References

(
URL
)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos])

Crash Data

Attachments

(4 files)

svg file causing odd behavior
144.31 KB, image/svg+xml
Details
testcase (needs to be downloaded locally, along w/ SVG file, to work)
24 bytes, text/html
Details
Screenshot right before crash
31.88 KB, image/png
Details
fix v1
1.32 KB, patch
hsivonen
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Firefox crashes when the attached HTML page is opened. The page includes one SVG file as an image.

Reproducible: Sometimes

Steps to Reproduce:
1. $ firefox test.html
2. reload the page a few times

Actual Results:  
Firefox crashes.

Expected Results:  
Firefox remains running.

I tried a few variants of this and only got a null deref. Opening just the SVG file causes either a circle being drawn or an error. Firefox seems to crash only when the image is included on another page.

Crash report @ https://crash-stats.mozilla.com/report/index/bp-ec7915a8-fe06-41bd-87d2-3cc042110511

    
    

    
  
0 	libxul.so 	mozilla::imagelib::SVGDocumentWrapper::GetWidthOrHeight 	modules/libpr0n/src/SVGDocumentWrapper.cpp:113
1 	libxul.so 	mozilla::imagelib::VectorImage::GetWidth 	modules/libpr0n/src/VectorImage.cpp:313
2 		@0xacb2f09b 	
3 	libxul.so 	nsImageFrame::UpdateIntrinsicSize 	layout/generic/nsImageFrame.cpp:309
4 	libxul.so 	nsImageFrame::EnsureIntrinsicSizeAndRatio 	layout/generic/nsImageFrame.cpp:718
5 	libxul.so 	nsImageFrame::ComputeSize 	layout/generic/nsImageFrame.cpp:746
6 	libxul.so 	nsHTMLReflowState::InitConstraints 	layout/generic/nsHTMLReflowState.cpp:1849
7 	libxul.so 	nsHTMLReflowState::Init 	layout/generic/nsHTMLReflowState.cpp:284
8 	libxul.so 	nsLineLayout::ReflowFrame 	jstl.h:350
9 	libxul.so 	nsBlockFrame::ReflowInlineFrame 	layout/generic/nsBlockFrame.cpp:3811
10 	libxul.so 	nsBlockFrame::DoReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3607
11 	libxul.so 	nsBlockFrame::ReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3466
12 	libxul.so 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2562
13 	libxul.so 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1999
14 	libxul.so 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:1080
15 	libxul.so 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:297
16 	libxul.so 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3184
17 	libxul.so 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2506
18 	libxul.so 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1999
19 	libxul.so 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:1080
20 	libxul.so 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:740
21 	libxul.so 	nsCanvasFrame::Reflow 	layout/generic/nsCanvasFrame.cpp:494
22 	libxul.so 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:740
23 	libxul.so 	nsHTMLScrollFrame::ReflowScrolledFrame 	layout/generic/nsGfxScrollFrame.cpp:535
24 	libxul.so 	nsHTMLScrollFrame::ReflowContents 	layout/generic/nsGfxScrollFrame.cpp:627
25 	libxul.so 	nsHTMLScrollFrame::Reflow 	layout/generic/nsGfxScrollFrame.cpp:868
26 	libxul.so 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:740
27 	libxul.so 	ViewportFrame::Reflow 	layout/generic/nsViewportFrame.cpp:293
28 	libxul.so 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7897
29 	libxul.so 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:8036
30 	libxul.so 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4916
31 	libxul.so 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:326
32 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
33 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:517
34 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
35 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
36 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
37 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
38 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:202
39 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
40 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:220
41 		@0xb76877b3 	
42 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3786
43 	firefox-bin 	main 	nsBrowserApp.cpp:158
44 	libc-2.11.2.so 	libc-2.11.2.so@0x16c75 	
45 	firefox-bin 	firefox-bin@0x1390 	
46 	firefox-bin 	Output 	nsBrowserApp.cpp:77
47 		@0x1
Keywords: crash
Summary: crash at mozilla::imagelib::SVGDocumentWrapper::GetWidthOrHeight → Crash when a malformed SVG is included in a page [@ mozilla::imagelib::SVGDocumentWrapper::GetWidthOrHeight ]
Version: unspecified → 4.0 Branch

    
    

    
  
Works for me so far (no crash, but also no image viewed).
Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110510 Firefox/6.0a1
Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

I've also tried to view just the SVG image in some programs, but they all issue an error message similar to:
[13:54:07.797] mismatched tag. Expected: </animateColor>. @ file:///home/user1/Downloads/trigger.svg:3063

But of course, Firefox should not crash even with a malformed image file.
Component: General → Layout: Images
Product: Firefox → Core
QA Contact: general → layout.images
Version: 4.0 Branch → unspecified

    
    

    
  
How easy is it for you to reproduce the crash?

Aki, are you able to reproduced the crash when running Firefox in Safe Mode?
(The crash report shows that your profile doesn't have a lot of extensions, but anyway...)
https://support.mozilla.com/en-US/kb/Safe+Mode

How about with a new, empty profile?
https://support.mozilla.com/en-US/kb/Basic+Troubleshooting#w_8-make-a-new-profile

    
    

    
  
The crash happens in safe mode and with a blank profile. This is mainly a fuzzing/testing machine so there shouldn't be any funny customizations.

The crash rarely happens on first load, but it almost always happens on first or second reload.

    
    

    
  
Ah, this behaves like a race condition. The included test SVG file did not trigger this on another faster machine, but it is easily reproducible after adding 100 more of the repeating 11-line section. The other machine is similar to the one above (also Debian 6.0.1, i686, Firefox 4.0.1) but with Intel Core 2 Duo instead of an Atom.

    
    

    
  
Reproduced with a new clean profile, pressing F5 until crash.
Build identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0
bp-2594a28b-de9e-4d5f-b997-798602110511

This is on a laptop, weaker than the workstation I used in comment 4.

    
    

    
  
(In reply to comment #7)
>..., but it is easily reproducible after adding 100 more of the repeating
>11-line section. 

Do you mean that you have created a test file with 101 lines of "<img src="trigger.svg">"?

    
    

    
  
I meant editing just the SVG file and repeating the section:
   <script><![CDATA[SVGDoc=document;//]]></script>
   <defs id="DEF">
   <linearGradient id="rhue" x1="0" x2="100" y1="100" y2="0" gradientUnits="userSpaceOnUse">
      <stop offset="0" id="ro0" style="stop-color: red"/>
      <stop offset=".25" id="ro1" style="stop-color: blue"/>
      <stop offset=".75" id="ro2" style="stop-color: yellow"/>
      <stop offset="1" id="ro3" style="stop-color: green"/>
   </linearGradient></defs>
   <g transform="translate(0 50)">
      <ellipse cx="290" cy="200" rx="80" ry="80">
      <animateColor attri="http://www.w3.org/1999/xlink">

100 more times. 1000 didn't work for me, but with 100 this reproduced several times with 1 or 2 reloads. Apparently when there is trouble ahead, instead of a broken image picture there is a partially shown parsing error message or a blank yellow box (background of the error message?) when there is no crash.

    
    

    
  
I eventually manged to crash Firefox on my powerful workstation as well, but I had to use stressapptest to make the computer a bit dizzy. :-)
Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
bp-aeb84886-49cc-4e55-9199-15b3c2110511

    
    

    
  
(In reply to comment #10)
> Apparently when there is trouble ahead,
> instead of a broken image picture there is a partially shown parsing error
> message or a blank yellow box (background of the error message?) when there
> is no crash.

Interesting, I also saw the yellow box flash shortly before the crash, by estimate the size of the error message I get when I look at the image directly. I could not see any text in it, but it was visible a very short moment so I may have missed it.

    
    

    
  
Alternative repro that might work better on desktop supercomputers:
 $ perl -e 'print "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n\n", "<defs> <linearGradient id=\"rhue\" x1=\"0\" x2=\"100\" y1=\"100\" y2=\"0\"> <stop style=\"stop-color: red\"/> </linearGradient></defs> <ellipse cx=\"290\" cy=\"200\" rx=\"80\" ry=\"80\"> <animateColor attri=\"http://www.w3.org/1999/xlink\">\n\n" x 800, "</lineargradient></svg>"' > foo.svg
 $ echo '<img src="foo.svg">' > test.html
 $ firefox test.html

That one works on my slowish computer (crashes within a few reloads), and lifting the "x 800" might help on faster machines.

Might be that just about any malformed SVG that takes the correct amount of time to parse would do it. The null crash, yellow box and partially shown error message would make sense for example if someone was trying to print the reason for the error while it was still being computed.

    
    

    
  


  
Reproduced with the original test.html and trigger.svg:
Mozilla/5.0 (X11; Linux i686; rv:6.0a1) Gecko/20110511 Firefox/6.0a1
bp-72442292-5d83-4deb-9966-ca01d2110511

I pressed reload/stop as an idiot in a semi-random pattern - and suddenly when I pressed stop the XML Parsing Error box was on the screen. I downloaded and installed GIMP, made the attached screenshoot, and when I pressed reload again Firefox crashed.

    
  
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → Trunk

    
  
Hardware: x86 → All

    
    

    
  
I haven't yet reproduced the crash, but when I use a local copy of the testcase, I do seem to hit the "XML Parsing Error" yellow rendering every single time, and that that in and of itself is unexpected/bad -- we're supposed to catch that and display the broken-image icon instead.  (I think both that and the crash have the same underlying problem.)

The code to handle that is VectorImage::OnStopRequest() (called when we've received all the data for the image file) -- that checks mSVGDocumentWrapper->ParsedSuccessfully(), which checks the image-document's root element.  If ParsedSuccessfully sees a non-<svg> root element in its document (e.g. the root node of the internal yellow XML error page), then it takes that as a sign that our SVG was malformed.

But when I hit the yellow rendering here, we end up getting a <svg> element at that point, which makes us behave as if everything is fine (and paint the "image").  I'm not sure why that's happening...
Component: Layout: Images → SVG
QA Contact: layout.images → general
Keywords: testcase
Whiteboard: [sg:dos]

    
    

    
  
I believe bug 657191 fixed this -- in a current nightly, I can't hit the "XML Parsing Error" rendering that I previously could in comment 15.

Can anyone else reproduce in an up-to-date Nightly (mozilla-central) build?

Mozilla/5.0 (X11; Linux i686; rv:6.0a1) Gecko/20110524 Firefox/6.0a1

    
    

    
  
(In reply to comment #16)
> I believe bug 657191 fixed this -- in a current nightly, I can't hit the
> "XML Parsing Error" rendering that I previously could in comment 15

(that is to say -- I now always get a "broken image" icon instead, which is correct)

    
    

    
  
I get the same crash with current nightly (6.0a1 2011-05-24) and the original testcase. Heading off to an offline vacation so I can't test with other versions for a week.

Crash report is at https://crash-stats.mozilla.com/report/index/bp-d385aa68-cadf-414d-bf9f-d4c962110525. Not sure why it shows 4.0.1 as version.

    
    

    
  
I still can't reproduce (now with a build from before bug 657191 landed), but I'm willing to believe that it's still broken.

However...
> I get the same crash with current nightly 
> Crash report is [...] Not sure why it shows 4.0.1 as version.

I take this to mean you *actually* crashed on 4.0.1... (Maybe you already had Firefox 4.0.1 open & forgot to specify -no-remote when starting your nightly build?)

Crash reports aren't generally wrong about the crashing version -- if they were, that'd be a very bad thing for our ability to track trends in crashes.

    
    

    
  
(In reply to comment #15)
> If ParsedSuccessfully sees a non-<svg> root element in its
> document (e.g. the root node of the internal yellow XML error page), then it
> takes that as a sign that our SVG was malformed.
> 
> But when I hit the yellow rendering here, we end up getting a <svg> element
> at that point, which makes us behave as if everything is fine (and paint the
> "image").  I'm not sure why that's happening...

So when I load the attached (malformed) SVG file directly, I see a "normal" rendering (with a black circle) for a little bit, and *then* we switch to the XML Parsing error page.

In theory we're supposed to be flushing all of the parsing (and hitting any parsing errors) before we check "ParsedSuccessfully".  But it seems like in this case, given that we're seeing an <svg> root element, ParsedSuccessfully must still be seeing the pre-converted-to-error-page document somehow.

I still don't know exactly why this is happening, but it makes sense that this would be related to the document size, as suggested in comment 10.

    
    

    
  
Ah, ok - so using a current debug build, I _can_ still reproduce the yellow-error-page-instead-of-broken-image rendering that I saw in comment 15. (probably because debug builds are slower). Still no crashes, though.

So, definitely not fixed by bug 657191.

    
    

    
  
d'oh, we're definitely getting a call to nsParser::ContinueInterruptedParsing() *after* the ParsedSuccessfully check.

(And there's a call to nsExpatDriver::HandleError inside of that ContinueInterruptedParsing call, which is what switches to the error page.)

I think I initially assumed that SVGDocumentWrapper's call to ContinueInterruptedParsing would finish off all remaining parsing, but I guess it only does one more "batch"...  We may need to wrap it in some sort of "while(moreParsingToDo) {}" loop.

Marking this as security-sensitive, since this could can definitely have crashy implications, some of which could be scary (not sure yet).
Group: core-security

    
    

    
  
(In reply to comment #15)
> I haven't yet reproduced the crash, but when I use a local copy of the
> testcase, I do seem to hit the "XML Parsing Error" yellow rendering

BTW, it makes sense that this would particularly affect local-file-loads, because it happens when we're loading data fast enough that the parser "falls behind" and is left needing multiple ContinueInterruptedParsing batches even after we've received all the data from the file request.

    
    

    
  
So bug 599497 comment 6 added:
>+    if (!parser->IsComplete()) {
>+      parser->ContinueInterruptedParsing();

I think we just want "while" instead of "if" there.
Depends on: 599497

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v1Splinter Review
      

    


  
Assignee: nobody → dholbert
Status: NEW → ASSIGNED

        Attachment #535506 -
        Flags: review?(jst)

    
    

    
  
This code hasn't changed since Firefox 4, so this bug affects us back that far.  I think we need this on all active release trains (for Firefox 5 and 6).

          tracking-firefox5:
          --- → ?

          tracking-firefox6:
          --- → ?
OS: Linux → All

    
    

    
  
Not tracking a dos for 5.

          tracking-firefox5:
          ?-

    
    

    
  
Comment on attachment 535506 [details] [diff] [review]
fix v1

Switching review request to Henri. I'm not sure continuing interrupted parsing in a synchronous loop is something that the parser expects and will always be ok with. But I'm guessing Henri will know.

        Attachment #535506 -
        Flags: review?(jst) → review?(hsivonen)

    
    

    
  
Comment on attachment 535506 [details] [diff] [review]
fix v1

ContinueInterruptedParsing() is meant to be called from the event loop, so neither the code before the patch nor the code after the patch is OK. Instead of calling into the parser like this, I think the right way to proceed would be to let the parser finish at its own pace asynchronously and then to hook whatever code the SVG-in-img code needs to run last to code that runs around nsXMLContentSink::DidBuildModel().

I see the comment right above your code change though. If the assumptions of imgRequest::OnStopRequest are too hard to change, you might just get away with calling ContinueInterruptedParsing() in a loop assuming that SVG-in-img is guaranteed never to run scripts. However, I'm not sure that you can get away with in that case. Are the assumptions of imgRequest::OnStopRequest too hard to change?

    
    

    
  
(In reply to comment #29)
> I see the comment right above your code change though.

Just for clarity, that comment is:
>298     // A few levels up the stack, imgRequest::OnStopRequest is about to tell
>299     // all of its observers that we know our size and are ready to paint.  That
>300     // might not be true at this point, though -- so here, we synchronously
>301     // finish parsing & layout in our helper-document to make sure we can hold
>302     // up to this promise.


> If the assumptions of
> imgRequest::OnStopRequest are too hard to change, you might just get away
> with calling ContinueInterruptedParsing() in a loop assuming that SVG-in-img
> is guaranteed never to run scripts.

That's my thinking as well.  And we do indeed have that guarantee.

> Are the assumptions of imgRequest::OnStopRequest too
> hard to change?

IIRC from discussion with Joe and/or Bobby, that would require some nontrivial refactoring of imagelib code, to separate out the "received all the data" and "have image size available" conditions.  I think I remember bholley saying that this refactoring is wanted eventually, but it's non-trivial.

Henri: would you agree that the addition of the loop here is at least an improvement over what we have now? :)
Crash Signature: [@ mozilla::imagelib::SVGDocumentWrapper::GetWidthOrHeight ]

    
    

    
  
Not version-specific so not tracking for Firefox 6.

          tracking-firefox6:
          ?-

    
    

    
  
Comment on attachment 535506 [details] [diff] [review]
fix v1

comment 29 looks like an r-, setting flag so no one is misled by the bug state

        Attachment #535506 -
        Flags: review?(hsivonen) → review-

    
    

    
  
If it's a DoS bug should we unhide it?

    
    

    
  
Comment on attachment 535506 [details] [diff] [review]
fix v1

(In reply to comment #30)
> Henri: would you agree that the addition of the loop here is at least an
> improvement over what we have now? :)

Yes. It's an improvement. Sorry about the delay, I thought I had already responded. Marking r+ in the "it's an improvement" sense. I can't promise that the solution still wouldn't be broken in some way that I just fail to see right now.

        Attachment #535506 -
        Flags: review- → review+

    
    

    
  
http://hg.mozilla.org/integration/mozilla-inbound/rev/bdd4d79f9836
Whiteboard: [sg:dos] → [sg:dos][inbound]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/bdd4d79f9836
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dos][inbound] → [sg:dos]
Target Milestone: --- → mozilla7
Group: core-security

          status-firefox7:
          --- → fixed

    
    

    
  
I was able to view the image for about one-two seconds in the tab and after that the error appeared: "XML Parsing Error: mismatched tag. Expected: </animateColor>.
Location: https://bug656244.bugzilla.mozilla.org/attachment.cgi?id=531579
Line Number 3063, Column 3:"

I've tried this on Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0 beta 1.
So the issue is still reproducing for me. I don't get a Firefox crash but that error page.

    
    

    
  
(In reply to Vlad from comment #39)
> I was able to view the image for about one-two seconds in the tab and after
> that the error appeared: "XML Parsing Error: mismatched tag. Expected:
> </animateColor>.
> Location: https://bug656244.bugzilla.mozilla.org/attachment.cgi?id=531579
> Line Number 3063, Column 3:"

That's the expected result. The previous behaviour was a crash which was fixed.

    
  

        Attachment #531580 -
        Attachment mime type: text/plain → text/html

    
  

        Attachment #531580 -
        Attachment description: testcase → testcase (needs to be downloaded locally, along w/ SVG file, to work)

    
    

    
  
Considering comment39 and comment40, setting resolution to Verified Fixed on  Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Status: RESOLVED → VERIFIED

    
  
Depends on: 694165

    
    

    
  
(In reply to Daniel Holbert [:dholbert] from comment #30)
> > Are the assumptions of imgRequest::OnStopRequest too
> > hard to change?
> 
> IIRC from discussion with Joe and/or Bobby, that would require some
> nontrivial refactoring of imagelib code, to separate out the "received all
> the data" and "have image size available" conditions.

I just filed bug 704059 on doing this refactoring, BTW, to be sure it's being tracked somewhere. (Not sure if there was already a bug filed on that; if so, mine can be duped to the original.)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: