39675 2010-05-25 08:22:36 -0700 SVG recursion stack exhaustion crashes. 2016-10-12 05:58:19 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) PC Windows Vista RESOLVED INVALID P1 Normal --- 1 skylined webkit-unassigned christopher.reiss eric krit oldest_to_newest 230282 0 skylined 2010-05-25 08:22:36 -0700 Having an SVG image load itself through an svg "image" tag or an html "img" tag using foreignObject causes infinite recursion, which crashes the browser. I'm creating one bug for both because they are essentially caused by the same problem. Feel free to split them if you think that works better. -- html "img" tag -- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638"> <foreignObject> <body xmlns="http://www.w3.org/1999/xhtml"> <img src="[url to this .svg file]" /> </body> </foreignObject> </svg> Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44995 Repro: http://skypher.com/SkyLined/Repro/Chrome/44995%20-%20WebCore..FrameView..paintContents%20RecursionSOV%20(1b0fa0eb19ffe8d1d29dd7a361a99ee0)/repro.svg -- svg "image" tag -- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638"> <image x="0" y="0" width="1063" height="638" xlink:href="[url to this .svg file]" /> </svg> Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44998 Repro: http://skypher.com/SkyLined/Repro/Chrome/44998%20-%20WebCore..CachedImage..changedInRect%20RecursionSOV%20(512de755335cb1ab73932c04c63216ba)/repro.svg Marking as security: Because many chat/forum websites allow users to insert images with arbitrary URLs, these crashes can be used as a DoS against these websites. 312295 1 skylined 2010-11-22 04:44:30 -0800 Another way to trigger stack exhaustion through recursion: <script> s = new Array(10000).join('<marker>'); document.writeln('<svg>' + s); </script> 315637 2 skylined 2010-12-01 07:38:00 -0800 This is not a security issue 332406 3 ap 2011-01-11 09:44:41 -0800 > Another way to trigger stack exhaustion through recursion: That sounds like bug 15123. 1239258 4 291351 krit 2016-10-12 05:57:35 -0700 Created attachment 291351 Recursion test Test for recursion 1239259 5 krit 2016-10-12 05:58:19 -0700 The recursion is not a problem. 291351 2016-10-12 05:57:35 -0700 2016-10-12 05:57:35 -0700 Recursion test svg-recursion.zip application/zip 768 krit UEsDBAoAAAAAAI0uTEkAAAAAAAAAAAAAAAAOABAAc3ZnLXJlY3Vyc2lvbi9VWAwA0jH+Vwky/lf1 ARQAUEsDBBQACAAIAJkuTEkAAAAAAAAAAAAAAAAXABAAc3ZnLXJlY3Vyc2lvbi9pbWFnZS5zdmdV WAwANjL+VyEy/lf1ARQAdY9dS8MwFIbv/RXHA14uJ7EwttFuYDuHIG5gp3i5tTWJ9mOkYZ3/3qQV JjIv8+Z5P064OFUlHAvT6qaOUDCOUNRZk+taRrhN70cTXMyvwutkHadvmyW0Rwmb7d3jQww4InoN YqIkTeD5ZQWCCaLlEwIqaw8zoq7rWBewxkhamd1B6awlB5IHnYlcmBAstzm6Cp/sxtRtdMF+yzn3 OP7eKnAwzE6lrj8v2cR0OqX+F6HTuVXOxscBgiq0VDbCcTBx3QChKTJ7RvjNGelf1EPvjXFivd5/ ONorTts3+df/u4cBylYlDrxz6EpCa7IIdbWTBfNX0U8Y+bS+iv50hf76+TdQSwcIqCuR5wEBAACv AQAAUEsDBBQACAAIAI0uTEkAAAAAAAAAAAAAAAAYABAAc3ZnLXJlY3Vyc2lvbi9pbmRleC5odG1s VVgMAEky/lcJMv5X9QEUALPJzE1XKC5KtlXKzE1MT9UrLktXsgMAUEsHCAnpHrQXAAAAFQAAAFBL AQIVAwoAAAAAAI0uTEkAAAAAAAAAAAAAAAAOAAwAAAAAAAAAAEDtQQAAAABzdmctcmVjdXJzaW9u L1VYCADSMf5XCTL+V1BLAQIVAxQACAAIAJkuTEmoK5HnAQEAAK8BAAAXAAwAAAAAAAAAAECkgTwA AABzdmctcmVjdXJzaW9uL2ltYWdlLnN2Z1VYCAA2Mv5XITL+V1BLAQIVAxQACAAIAI0uTEkJ6R60 FwAAABUAAAAYAAwAAAAAAAAAAECkgZIBAABzdmctcmVjdXJzaW9uL2luZGV4Lmh0bWxVWAgASTL+ Vwky/ldQSwUGAAAAAAMAAwDrAAAA/wEAAAAA