Bug 33759

Summary: [Qt][iexploder] DoS in Gtk/Qt port on painting text from test=81
Product: WebKit
Reporter: Holger Freyther <zecke>
Component: Platform
Assignee: Holger Freyther <zecke>
Status: RESOLVED INVALID
Severity: Normal
CC: kent.hansen, mrobinson
Priority: P2
Keywords: Qt
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5

Holger Freyther
Reported 2010-01-16 07:12:39 PST
Created attachment 46739 [details]
iexploder test=81.

In my case the test 81 is generating HTML that both Qt and Cairo do not manage to render. The painting is blocked for several minutes before I cancel it. A backtrace from Qt looks like this:

#0  0xb63fdbc1 in IntersectBB (a=..., b=...) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:616
#1  0xb6400959 in RecursivelyIntersect (a=<value optimized out>, t0=0.12261581420898438, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:739
#2  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.12261199951171875, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#3  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.1226043701171875, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#4  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.122589111328125, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#5  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#6  0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.1226806640625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#7  0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.122802734375, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#8  0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.123046875, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#9  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.1220703125, t1=0.123046875, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#10 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.12109375, t1=0.123046875, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#11 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12109375, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#12 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.1171875, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#13 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.109375, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#14 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.09375, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#15 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.0625, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#16 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#17 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=0.25, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#18 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=0.5, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#19 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=1, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#20 0xb6400ca6 in QBezier::findIntersections (a=..., b=..., t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:859
#21 0xb646f3c1 in QIntersectionFinder::intersectBeziers (this=0xbfffa26f, one=..., two=..., t=..., intersections=...) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:210
#22 0xb646fa80 in QIntersectionFinder::produceIntersections (this=0xbfffa26f, segments=...) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:482
#23 0xb64712cc in QWingedEdge::intersectAndAdd (this=0xbfffa2f0) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:710
#24 0xb6471abc in QWingedEdge (this=0xbfffa2f0, subject=..., clip=...) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:796
#25 0xb6471e26 in QPathClipper::clip (this=0xbfffa3fc, operation=QPathClipper::BoolAnd) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:1776
#26 0xb6461e44 in QPainterPath::intersected (this=0xbfffa4ec, p=...) at /home/ich/source/nokia/qt/src/gui/painting/qpainterpath.cpp:3189
#27 0xb650a6fe in QX11PaintEnginePrivate::fillPath (this=0x8199148, path=..., gc_mode=QX11PaintEnginePrivate::PenGC, transform=true) at /home/ich/source/nokia/qt/src/gui/painting/qpaintengine_x11.cpp:1738
#28 0xb650b5d3 in QX11PaintEngine::drawPath (this=0x80fcae8, path=...) at /home/ich/source/nokia/qt/src/gui/painting/qpaintengine_x11.cpp:1805
#29 0xb6459d6f in QPainter::drawPath (this=0xbfffd2ac, path=...) at /home/ich/source/nokia/qt/src/gui/painting/qpainter.cpp:3352
#30 0xb645c241 in QPainter::strokePath (this=0xbfffd2ac, path=..., pen=...) at /home/ich/source/nokia/qt/src/gui/painting/qpainter.cpp:3264
#31 0xb79004a3 in WebCore::Font::drawComplexText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const () from /home/ich/source/apple/WebKit-tt.git/WebKitBuild/Release/lib/libQtWebKit.so.4
Attachments
iexploder test=81. (68.50 KB, application/octet-stream), 2010-01-16 07:12 PST, Holger Freyther, no flags
Add a test and workaround for the DoS found in WebKit/GTK+ (5.39 KB, patch), 2010-03-08 00:03 PST, Holger Freyther, no flags
Holger Freyther
Comment 1 2010-03-08 00:03:39 PST
Created attachment 50192 [details]
Add a test and workaround for the DoS found in WebKit/GTK+

Add a simple test case for the issue and propose a workaround/cut-off for the cairo port.
Darin Adler
Comment 2 2010-03-08 08:08:51 PST
Comment on attachment 50192 [details]
Add a test and workaround for the DoS found in WebKit/GTK+

> +    // Prevent running into a denial of service here. If the stroke width is
> +    // twice the size of the width of the text we will not ask cairo to stroke
> +    // the text. See https://bugs.webkit.org/show_bug.cgi?id=33759.

I don't think this comment or change log entry should refer to "denial of service"; any crashing bug could be called that, and it's an irritatingly oblique term for a crash. You could improve the comment by instead explaining the logic behind the 2X text width limit (larger widths wouldn't look good anyway?) and stating more specifically why passing a bad value to Cairo is a problem (it crashes when the value is so large that something overflows?).

r=me on the code change, though
Holger Freyther
Comment 3 2010-03-09 21:41:55 PST
A note on Qt. We are currently figuring out where we want to fix that.
Holger Freyther
Comment 4 2010-03-10 02:48:08 PST
Comment on attachment 50192 [details]
Add a test and workaround for the DoS found in WebKit/GTK+

Landed in r55773. The Qt part needs to be resolved as well.
Martin Robinson
Comment 5 2010-09-11 07:33:29 PDT
Sorry! Did not realize this was still an issue on Qt.
Jocelyn Turcotte
Comment 6 2014-02-03 03:10:14 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue.

See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.