[Webkit-unassigned] [Bug 39675] New: SVG recursion stack exhaustion crashes.

bugzilla-daemon at webkit.org
Tue May 25 08:22:37 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=39675

           Summary: SVG recursion stack exhaustion crashes.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Having an SVG image load itself through an svg "image" tag or an html "img" tag using foreignObject causes infinite recursion, which crashes the browser. I'm creating one bug for both because they are essentially caused by the same problem. Feel free to split them if you think that works better.

-- html "img" tag --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638">
  <foreignObject>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <img src="[url to this .svg file]" />
    </body>
  </foreignObject>
</svg>

Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44995
Repro: http://skypher.com/SkyLined/Repro/Chrome/44995%20-%20WebCore..FrameView..paintContents%20RecursionSOV%20(1b0fa0eb19ffe8d1d29dd7a361a99ee0)/repro.svg

-- svg "image" tag --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638">
  <image x="0" y="0" width="1063" height="638" xlink:href="[url to this .svg file]" />
</svg>

Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44998
Repro: http://skypher.com/SkyLined/Repro/Chrome/44998%20-%20WebCore..CachedImage..changedInRect%20RecursionSOV%20(512de755335cb1ab73932c04c63216ba)/repro.svg

Marking as security: Because many chat/forum websites allow users to insert images with arbitrary URLs, these crashes can be used as a DoS against these websites.

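The two repros above both hinge on the same thing: a document that is reached again while it is still being loaded, with nothing in the load path to notice. As an added example (not code from this report or from WebKit), the Python below shows the guard that breaks that recursion: a depth-first walk over `<image xlink:href>` and foreignObject `<img src>` references that keeps the chain of documents currently being loaded and stops as soon as a URL reappears on that chain or the chain exceeds a fixed depth. It goes beyond the report's two self-referencing files by also catching a cycle spread over two documents (`a.svg` referencing `b.svg` and back), which a per-file "does it point at itself" check would miss. The sample documents, the `example.test` URLs and the `fetch_from_table` stand-in for an HTTP fetch are constructed for the example; anything the fetch cannot return as SVG (a PNG, an unreachable host) ends that branch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"
XLINK_NS = "http://www.w3.org/1999/xlink"


def image_references(svg_text, base_url):
    """Return absolute URLs of every <svg:image> and every <xhtml:img>
    (the latter appearing inside <foreignObject>) in an SVG document."""
    root = ET.fromstring(svg_text)
    refs = []
    for el in root.iter():
        if el.tag == f"{{{SVG_NS}}}image":
            href = el.get(f"{{{XLINK_NS}}}href") or el.get("href")
        elif el.tag == f"{{{XHTML_NS}}}img":
            href = el.get("src")
        else:
            continue
        if href:
            refs.append(urljoin(base_url, href))
    return refs


def find_image_cycle(url, fetch, max_depth=16):
    """Depth-first walk of image references starting at `url`.

    `fetch(url)` returns the SVG text for `url`, or None for anything that is
    not an SVG we can inspect (a PNG, an unreachable host, ...), which ends
    that branch.  Returns the offending chain of URLs if a document is
    reached while it is still being loaded (a cycle) or the chain of nested
    loads exceeds `max_depth`; returns None when every chain terminates.
    """
    def walk(u, stack):
        if u in stack:                       # u is already being loaded: cycle
            return stack[stack.index(u):] + [u]
        if len(stack) >= max_depth:          # bounded nesting, even without a cycle
            return stack + [u]
        doc = fetch(u)
        if doc is None:
            return None
        for ref in image_references(doc, u):
            bad = walk(ref, stack + [u])
            if bad:
                return bad
        return None

    return walk(url, [])


# Constructed sample documents, keyed by URL (example.test is not a real host).
HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" version="1.1" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">')
BASE = "https://example.test/"
DOCS = {
    # the report's foreignObject/img case, relative href pointing at itself
    BASE + "self-img.svg": HEAD + (
        '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
        '<img src="self-img.svg"/></body></foreignObject></svg>'),
    # the report's <image> case, absolute href pointing at itself
    BASE + "self-image.svg": HEAD + (
        '<image x="0" y="0" width="100" height="100" '
        'xlink:href="https://example.test/self-image.svg"/></svg>'),
    # a two-document cycle, which a per-document self-reference check would miss
    BASE + "a.svg": HEAD + '<image width="10" height="10" xlink:href="b.svg"/></svg>',
    BASE + "b.svg": HEAD + '<image width="10" height="10" xlink:href="a.svg"/></svg>',
    # harmless: references a raster image, which fetch() reports as a leaf
    BASE + "ok.svg": HEAD + '<image width="10" height="10" xlink:href="photo.png"/></svg>',
}


def fetch_from_table(url):
    """Stand-in for an HTTP fetch: only the constructed documents are 'SVG'."""
    return DOCS.get(url)


if __name__ == "__main__":
    for name in ("self-img.svg", "self-image.svg", "a.svg", "ok.svg"):
        chain = find_image_cycle(BASE + name, fetch_from_table)
        print(name, "->", "OK" if chain is None else " -> ".join(chain))
```

A site that accepts user-supplied image URLs could run this walk before embedding an SVG, but the same principle is what the renderer itself needs: a load that re-enters a document already on its own load stack must be cut off rather than followed. Note that running the walk server-side means fetching attacker-chosen URLs, so it should go through the same outbound-fetch restrictions as any other user-controlled URL.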