Re: remote DoS in Mozilla 1.0

From: Jakub Bogusz (qbooshat_private)
Date: Tue Jun 11 2002 - 10:59:54 PDT


    On Tue, Jun 11, 2002 at 03:05:31PM +0200, Stijn Jonker wrote:
    [...]
    > What happens is that XFS consumes huge amounts of ram, and finally bails 
    > out. So end of story for the fonts in X. As a result X is practically 
    > useless.
    > 
    > I can only guess what happens when you don't use XFS but Xserver based 
    > fontrendering, the X server consumes huge amounts of mem and cpu and bails 
    > out => server crash => Bye Bye X.
    > 
    > The solution(s):
    > 	(a) Fix every app to disallow font sizes bigger than <maxvalue>
    > 	(b) Fix XFS to return an error code to the calling application 
    > when requested font size is greater than configured <maxvalue>
    
    I think it's not XFS, but libXfont.
    
    Here's the end of strace before xfs dies:
    
    | open("/usr/share/fonts/Type1/ariam___-ISO-8859-2.pfb", O_RDONLY) = 7
    | read(7, "\200\1\352\26\0\0%!PS-AdobeFont-1.0: Arial-"..., 512) = 512
    [...]
    | read(7, "\375KlWqU\200\321\20\2274;\214k\207\222\357\7[Q0\235\213"..., 512) = 512
    | close(7)                                = 0
    | old_mmap(NULL, 6311936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x408d7000
    | old_mmap(NULL, 13180928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40edc000
    | old_mmap(NULL, 31662080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b6e000
    | old_mmap(NULL, 33607680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x439a0000
    | old_mmap(NULL, 46592000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x459ad000
    | write(2, "xfs error: ", 11)             = -1 EBADF (Bad file descriptor)
    | write(2, "Beziers this big not yet support"..., 34) = -1 EBADF (Bad file descriptor)
    | rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
    | getpid()                                = 21200
    | kill(21200, SIGABRT)                    = 0
    | --- SIGABRT (Aborted) ---
    
    In XFree86 (4.2.0) in xc/lib/font/Type1/curves.c about line 219 there is:
    
    | struct segment *
    | StepBezier(struct region *R, /* Region under construction or NULL            */
    [...]
    |        if ( TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
    |             || TOOBIG(xD) || TOOBIG(yD) )
    |                abort("Beziers this big not yet supported");
    
    It isn't a very good idea to abort() on wrong parameters in a shared library
    function...
    
    
    -- 
    Jakub Bogusz    http://prioris.mini.pw.edu.pl/~qboosh/
    PLD Linux       http://www.pld.org.pl/
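The two defects visible in the message, a renderer that abort()s the whole process on out-of-range control points and a font path that mmaps tens of megabytes before anyone checks the requested size, can both be turned into error returns. The C below is an added illustration written for this archive page; it is not code from the email, from XFree86 or from libXfont. The type fracpel, the bound MAXBEZIER, the limit MAX_GLYPH_BYTES and the function names are constructed for the example; only the TOOBIG macro name and the "Beziers this big" situation come from the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fixed-point pixel coordinate, as Type1 rasterizers use.
 * Constructed for this example; not libXfont's definition. */
typedef long fracpel;

/* Constructed bound on the magnitude a control point may have.  The real
 * renderer had a TOOBIG() check too, but reacted to it with abort(). */
#define MAXBEZIER (1L << 20)
#define TOOBIG(v) ((v) >= MAXBEZIER || (v) <= -MAXBEZIER)

/* Largest glyph bitmap this renderer will allocate (constructed limit).
 * The strace in the message shows 6..46 MB anonymous mappings for one
 * oversized font; a cap like this is what fix (b) amounts to. */
#define MAX_GLYPH_BYTES ((size_t)4 * 1024 * 1024)

enum render_status {
    RENDER_OK     =  0,
    RENDER_ERANGE = -1,   /* parameter out of the supported range   */
    RENDER_ENOMEM = -2    /* allocation failed                      */
};

/* Validate n bezier coordinates.  A library function must report bad
 * input to its caller, so this returns RENDER_ERANGE where the original
 * code called abort("Beziers this big not yet supported"). */
int check_bezier_points(const fracpel *pts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (TOOBIG(pts[i]))
            return RENDER_ERANGE;
    return RENDER_OK;
}

/* Size of a 1-bit-per-pixel glyph bitmap, computed without overflow and
 * refused above MAX_GLYPH_BYTES.  Zero dimensions are rejected as well. */
int glyph_bitmap_bytes(unsigned width_px, unsigned height_px, size_t *out)
{
    if (width_px == 0 || height_px == 0)
        return RENDER_ERANGE;
    size_t stride = ((size_t)width_px + 7) / 8;   /* bytes per row */
    /* height * stride would overflow or exceed the cap? */
    if (height_px > MAX_GLYPH_BYTES / stride)
        return RENDER_ERANGE;
    *out = stride * (size_t)height_px;
    return RENDER_OK;
}

/* Allocate the glyph bitmap, or return NULL with *status explaining why.
 * The caller (xfs, or the X server's font code) can then fail one font
 * request instead of losing the whole font service. */
unsigned char *alloc_glyph(unsigned width_px, unsigned height_px, int *status)
{
    size_t bytes;
    *status = glyph_bitmap_bytes(width_px, height_px, &bytes);
    if (*status != RENDER_OK)
        return NULL;
    unsigned char *bits = calloc(1, bytes);
    if (bits == NULL) {
        *status = RENDER_ENOMEM;
        return NULL;
    }
    return bits;
}

int main(void)
{
    /* Constructed inputs: one sane curve, one with an absurd control point. */
    const fracpel sane[8] = { 0, 0, 100, 200, 300, 400, 500, 600 };
    const fracpel huge[8] = { 0, 0, 100, 200, 300, 1L << 30, 500, 600 };
    printf("sane curve: %d\n", check_bezier_points(sane, 8));
    printf("huge curve: %d\n", check_bezier_points(huge, 8));

    int st;
    unsigned char *g = alloc_glyph(64, 64, &st);
    printf("64x64 glyph: status %d, %s\n", st, g ? "allocated" : "refused");
    free(g);
    g = alloc_glyph(8192, 8192, &st);
    printf("8192x8192 glyph: status %d, %s\n", st, g ? "allocated" : "refused");
    free(g);
    return 0;
}
```

Both checks sit in the library, but the decision about what to do with a refused glyph stays with the caller, which is the property the message is asking for: a bad .pfb or an oversized size request costs one font, not the X session.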
    



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 11:50:18 PDT