[25730] in bugtraq


Re: remote DoS in Mozilla 1.0

daemon@ATHENA.MIT.EDU (Jakub Bogusz)
Tue Jun 11 15:10:51 2002

Date: Tue, 11 Jun 2002 19:59:54 +0200
From: Jakub Bogusz <qboosh@pld.org.pl>
To: bugtraq@securityfocus.com
Message-ID: <20020611175954.GA17563@satan.blackhosts>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.44.0206111457420.20762-100000@ph-wks-01.sjc.nl>

On Tue, Jun 11, 2002 at 03:05:31PM +0200, Stijn Jonker wrote:
[...]
> What happens is that XFS consumes huge amounts of ram, and finally bails 
> out. So end of story for the fonts in X. As a result X is practically 
> useless.
> 
> I can only guess what happens when you don't use XFS but Xserver based 
> fontrendering, the X server consumes huge amounts of mem and cpu and bails 
> out => server crash => Bye Bye X.
> 
> The solution(s):
> 	(a) Fix every app to disallow font sizes bigger than <maxvalue>
> 	(b) Fix XFS to return an error code to the calling application 
> when requested font size is greater than configured <maxvalue>

I think it's not XFS, but libXfont.

Here's the end of strace before xfs dies:

| open("/usr/share/fonts/Type1/ariam___-ISO-8859-2.pfb", O_RDONLY) = 7
| read(7, "\200\1\352\26\0\0%!PS-AdobeFont-1.0: Arial-"..., 512) = 512
[...]
| read(7, "\375KlWqU\200\321\20\2274;\214k\207\222\357\7[Q0\235\213"..., 512) = 512
| close(7)                                = 0
| old_mmap(NULL, 6311936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x408d7000
| old_mmap(NULL, 13180928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40edc000
| old_mmap(NULL, 31662080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b6e000
| old_mmap(NULL, 33607680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x439a0000
| old_mmap(NULL, 46592000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x459ad000
| write(2, "xfs error: ", 11)             = -1 EBADF (Bad file descriptor)
| write(2, "Beziers this big not yet support"..., 34) = -1 EBADF (Bad file descriptor)
| rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
| getpid()                                = 21200
| kill(21200, SIGABRT)                    = 0
| --- SIGABRT (Aborted) ---

In XFree86 (4.2.0) in xc/lib/font/Type1/curves.c about line 219 there is:

| struct segment *
| StepBezier(struct region *R, /* Region under construction or NULL            */
[...]
|        if ( TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
|             || TOOBIG(xD) || TOOBIG(yD) )
|                abort("Beziers this big not yet supported");

It isn't a very good idea to abort() on wrong parameters in a shared library
function...


-- 
Jakub Bogusz    http://prioris.mini.pw.edu.pl/~qboosh/
PLD Linux       http://www.pld.org.pl/
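
As an added illustration of the fix the post argues for (this is constructed example code, not code from XFree86, libXfont or this thread): a StepBezier-style routine that reports out-of-range control points with an error code instead of calling abort(), so a font server can fail the one bad request and keep serving. The fixed-point width, the TOOBIG limit and the function names below are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed stand-in for libXfont's fixed-point coordinate type. */
typedef int32_t fractpel;

/* Assumed bound: a control point beyond this cannot be subdivided safely.
 * The real curves.c uses its own TOOBIG(); the limit here is constructed. */
#define MAX_ABS_COORD ((fractpel)1 << 24)
#define TOOBIG(v) ((v) > MAX_ABS_COORD || (v) < -MAX_ABS_COORD)

enum bezier_status { BEZIER_OK = 0, BEZIER_TOO_BIG = -1 };

struct point { fractpel x, y; };

static fractpel round_to_fractpel(double v)
{
    return (fractpel)(v >= 0.0 ? v + 0.5 : v - 0.5);
}

/* Checked variant of StepBezier: A is the current point, B/C/D the control
 * points of a cubic Bezier. Instead of abort()ing on oversized input, the
 * caller gets BEZIER_TOO_BIG and decides how to fail that request.
 * On success *out receives the curve point at parameter t (0..1). */
int step_bezier_checked(struct point A, struct point B, struct point C,
                        struct point D, double t, struct point *out)
{
    if (TOOBIG(B.x) || TOOBIG(B.y) || TOOBIG(C.x) || TOOBIG(C.y) ||
        TOOBIG(D.x) || TOOBIG(D.y))
        return BEZIER_TOO_BIG;          /* report, do not abort() */
    double u = 1.0 - t;
    double bx = u*u*u*A.x + 3*u*u*t*B.x + 3*u*t*t*C.x + t*t*t*D.x;
    double by = u*u*u*A.y + 3*u*u*t*B.y + 3*u*t*t*C.y + t*t*t*D.y;
    out->x = round_to_fractpel(bx);
    out->y = round_to_fractpel(by);
    return BEZIER_OK;
}

/* How a server would consume it: flatten one outline segment into
 * steps+1 points. A bad glyph fails this call only; the process survives. */
int flatten_bezier(struct point A, struct point B, struct point C,
                   struct point D, size_t steps, struct point *buf)
{
    for (size_t i = 0; i <= steps; i++) {
        int rc = step_bezier_checked(A, B, C, D, (double)i / steps, &buf[i]);
        if (rc != BEZIER_OK)
            return rc;                  /* propagate the error to the caller */
    }
    return BEZIER_OK;
}
```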
