Bug 33759 - [Qt][iexploder] DoS in Gtk/Qt port on painting text from test=81
Summary: [Qt][iexploder] DoS in Gtk/Qt port on painting text from test=81
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Holger Freyther
URL:
Keywords: Qt
Depends on:
Blocks:
 
Reported: 2010-01-16 07:12 PST by Holger Freyther
Modified: 2014-02-03 03:10 PST (History)

See Also:


Attachments
iexploder test=81. (68.50 KB, application/octet-stream), 2010-01-16 07:12 PST, Holger Freyther, no flags
Add a test and workaround for the DoS found in WebKit/GTK+ (5.39 KB, patch), 2010-03-08 00:03 PST, Holger Freyther, no flags

Description Holger Freyther 2010-01-16 07:12:39 PST
Created attachment 46739 [details]
iexploder test=81.

In my case the test 81 is generating HTML that both Qt and Cairo do not manage to render. The painting is blocked for several minutes before I cancel it.

A backtrace from Qt looks like this:
#0  0xb63fdbc1 in IntersectBB (a=..., b=...) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:616
#1  0xb6400959 in RecursivelyIntersect (a=<value optimized out>, t0=0.12261581420898438, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:739
#2  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.12261199951171875, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#3  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.1226043701171875, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#4  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.122589111328125, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#5  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.12261962890625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#6  0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.1226806640625, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#7  0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.122802734375, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#8  0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12255859375, t1=0.123046875, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#9  0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.1220703125, t1=0.123046875, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#10 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.12109375, t1=0.123046875, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#11 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0.12109375, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#12 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.1171875, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#13 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.109375, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#14 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.09375, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#15 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0.0625, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#16 0xb6400a0c in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=0.125, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:748
#17 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=0.25, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#18 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=0.5, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#19 0xb64009a3 in RecursivelyIntersect (a=<value optimized out>, t0=0, t1=1, deptha=<value optimized out>, b=..., u0=0, u1=1, depthb=-6, t=0xbfffa1cc)
    at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:741
#20 0xb6400ca6 in QBezier::findIntersections (a=..., b=..., t=0xbfffa1cc) at /home/ich/source/nokia/qt/src/gui/painting/qbezier.cpp:859
#21 0xb646f3c1 in QIntersectionFinder::intersectBeziers (this=0xbfffa26f, one=..., two=..., t=..., intersections=...) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:210
#22 0xb646fa80 in QIntersectionFinder::produceIntersections (this=0xbfffa26f, segments=...) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:482
#23 0xb64712cc in QWingedEdge::intersectAndAdd (this=0xbfffa2f0) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:710
#24 0xb6471abc in QWingedEdge (this=0xbfffa2f0, subject=..., clip=...) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:796
#25 0xb6471e26 in QPathClipper::clip (this=0xbfffa3fc, operation=QPathClipper::BoolAnd) at /home/ich/source/nokia/qt/src/gui/painting/qpathclipper.cpp:1776
#26 0xb6461e44 in QPainterPath::intersected (this=0xbfffa4ec, p=...) at /home/ich/source/nokia/qt/src/gui/painting/qpainterpath.cpp:3189
#27 0xb650a6fe in QX11PaintEnginePrivate::fillPath (this=0x8199148, path=..., gc_mode=QX11PaintEnginePrivate::PenGC, transform=true) at /home/ich/source/nokia/qt/src/gui/painting/qpaintengine_x11.cpp:1738
#28 0xb650b5d3 in QX11PaintEngine::drawPath (this=0x80fcae8, path=...) at /home/ich/source/nokia/qt/src/gui/painting/qpaintengine_x11.cpp:1805
#29 0xb6459d6f in QPainter::drawPath (this=0xbfffd2ac, path=...) at /home/ich/source/nokia/qt/src/gui/painting/qpainter.cpp:3352
#30 0xb645c241 in QPainter::strokePath (this=0xbfffd2ac, path=..., pen=...) at /home/ich/source/nokia/qt/src/gui/painting/qpainter.cpp:3264
#31 0xb79004a3 in WebCore::Font::drawComplexText(WebCore::GraphicsContext*, WebCore::TextRun const&, WebCore::FloatPoint const&, int, int) const ()
   from /home/ich/source/apple/WebKit-tt.git/WebKitBuild/Release/lib/libQtWebKit.so.4
Comment 1 Holger Freyther 2010-03-08 00:03:39 PST
Created attachment 50192 [details]
Add a test and workaround for the DoS found in WebKit/GTK+

Add a simple test case for the issue and propose a workaround/cut-off for the cairo port.
Comment 2 Darin Adler 2010-03-08 08:08:51 PST
Comment on attachment 50192 [details]
Add a test and workaround for the DoS found in WebKit/GTK+

> +    // Prevent running into a denial of service here. If the stroke width is
> +    // twice the size of the width of the text we will not ask cairo to stroke
> +    // the text. See https://bugs.webkit.org/show_bug.cgi?id=33759.
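Review bot: the quoted comment states the threshold (stroke width more than twice the text width) but not what happens to the text above it nor why the backend must not be asked; the bug description reports painting blocking for several minutes on both Qt and cairo, so suggest saying that the stroke is skipped above the limit and that the limit exists because stroking such a path takes minutes in the backend, instead of the generic "denial of service" wording.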

I don't think this comment or change log entry should refer to "denial of service"; any crashing bug could be called that, and it's an irritatingly oblique term for a crash.

You could improve the comment by instead explaining the logic behind the 2X text width limit (larger widths wouldn't look good anyway?) and stating more specifically why passing a bad value to Cairo is a problem (it crashes when the value is so large that something overflows?).

r=me on the code change, though
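As an added example (not code from WebKit, the landed patch, Qt or cairo), the cut-off from comment 1 written as a port-independent guard, with the edge cases a reviewer would probe: non-finite and non-positive widths, the direction of the comparison, and a clamp variant as the alternative to dropping the stroke entirely. The names kMaxStrokeToTextRatio, shouldStrokeText and clampStrokeWidth, and the sample widths, are assumptions made for this example.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>

// Added example, not WebKit's, Qt's or cairo's code. It mirrors the cut-off
// described in comment 1 (do not stroke text when the stroke width is more
// than twice the width of the text run) as a backend-independent guard.
// kMaxStrokeToTextRatio, shouldStrokeText and clampStrokeWidth are hypothetical names.

// The "2X" limit from the patch comment.
constexpr float kMaxStrokeToTextRatio = 2.0f;

// True when both widths are finite and positive, i.e. there is something sensible to stroke.
static bool widthsAreUsable(float strokeWidth, float textWidth)
{
    // isfinite rejects NaN and +/-inf before any arithmetic is done on them.
    if (!std::isfinite(strokeWidth) || !std::isfinite(textWidth))
        return false;
    // A zero or negative stroke draws nothing; an empty run has nothing to stroke.
    return strokeWidth > 0 && textWidth > 0;
}

// Skip variant: returns true when the backend should be asked to stroke the run.
bool shouldStrokeText(float strokeWidth, float textWidth)
{
    if (!widthsAreUsable(strokeWidth, textWidth))
        return false;
    // Note the direction of the comparison. A guard written as
    //     if (strokeWidth > kMaxStrokeToTextRatio * textWidth) return; // skip
    // lets a NaN stroke width through, because every comparison with NaN is
    // false; testing for the allowed range instead fails closed.
    return strokeWidth <= kMaxStrokeToTextRatio * textWidth;
}

// Clamp variant: instead of dropping the stroke entirely, reduce it to the
// largest width still inside the limit. Returns 0 for "do not stroke".
float clampStrokeWidth(float strokeWidth, float textWidth)
{
    if (!widthsAreUsable(strokeWidth, textWidth))
        return 0.0f;
    return std::min(strokeWidth, kMaxStrokeToTextRatio * textWidth);
}

int main()
{
    // Constructed sample values (not from the iexploder test case): (stroke width, text width).
    const float samples[][2] = {
        { 1.0f, 100.0f },     // ordinary stroke: stroked as requested
        { 200.0f, 100.0f },   // exactly at the limit: still stroked
        { 1.0e6f, 100.0f },   // absurdly wide stroke: skipped, or clamped to 200
        { NAN, 100.0f },      // non-finite: never handed to the backend
    };
    for (const auto& s : samples)
        std::printf("stroke=%g text=%g -> stroke? %s, clamped=%g\n",
                    s[0], s[1], shouldStrokeText(s[0], s[1]) ? "yes" : "no",
                    clampStrokeWidth(s[0], s[1]));
    return 0;
}
```

Whichever variant a port picks, the check belongs before the backend call, on the values the text code is about to pass, so that a fuzzer-generated width never reaches the path clipper.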
Comment 3 Holger Freyther 2010-03-09 21:41:55 PST
A note on Qt. We are currently figuring out where we want to fix that.
Comment 4 Holger Freyther 2010-03-10 02:48:08 PST
Comment on attachment 50192 [details]
Add a test and workaround for the DoS found in WebKit/GTK+

Landed in r55773. The Qt part needs to be resolved as well.
Comment 5 Martin Robinson 2010-09-11 07:33:29 PDT
Sorry! Did not realize this was still an issue on Qt.
Comment 6 Jocelyn Turcotte 2014-02-03 03:10:14 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please fill a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.