Bugtraq mailing list archives
Re: remote DoS in Mozilla 1.0
From: Jakub Bogusz <qboosh () pld org pl>
Date: Tue, 11 Jun 2002 19:59:54 +0200
On Tue, Jun 11, 2002 at 03:05:31PM +0200, Stijn Jonker wrote: [...]
> What happens is that XFS consumes huge amounts of ram, and finally bails out. So end of
> story for the fonts in X. As a result X is practically useless. I can only guess what
> happens when you don't use XFS but Xserver based fontrendering, the X server consumes
> huge amounts of mem and cpu and bails out => server crash => Bye Bye X.
>
> The solution(s):
> (a) Fix every app to disallow font sizes bigger than <maxvalue>
> (b) Fix XFS to return an error code to the calling application when requested font
>     size is greater than configured <maxvalue>

I think it's not XFS, but libXfont. Here's the end of strace before xfs dies:

| open("/usr/share/fonts/Type1/ariam___-ISO-8859-2.pfb", O_RDONLY) = 7
| read(7, "\200\1\352\26\0\0%!PS-AdobeFont-1.0: Arial-"..., 512) = 512
[...]
| read(7, "\375KlWqU\200\321\20\2274;\214k\207\222\357\7[Q0\235\213"..., 512) = 512
| close(7) = 0
| old_mmap(NULL, 6311936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x408d7000
| old_mmap(NULL, 13180928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40edc000
| old_mmap(NULL, 31662080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b6e000
| old_mmap(NULL, 33607680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x439a0000
| old_mmap(NULL, 46592000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x459ad000
| write(2, "xfs error: ", 11) = -1 EBADF (Bad file descriptor)
| write(2, "Beziers this big not yet support"..., 34) = -1 EBADF (Bad file descriptor)
| rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
| getpid() = 21200
| kill(21200, SIGABRT) = 0
| --- SIGABRT (Aborted) ---

In XFree86 (4.2.0) in xc/lib/font/Type1/curves.c about line 219 there is:

| struct segment *
| StepBezier(struct region *R, /* Region under construction or NULL */
[...]
| if ( TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
|      || TOOBIG(xD) || TOOBIG(yD) )
|     abort("Beziers this big not yet supported");

It isn't a very good idea to abort() on wrong parameters in a shared library function...

-- 
Jakub Bogusz    http://prioris.mini.pw.edu.pl/~qboosh/
PLD Linux       http://www.pld.org.pl/
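The abort()-in-a-library problem the post points at, as an added C example (not XFree86/libXfont code and not the author's): the aborting check beside a variant that returns an error code, so the font server can refuse one oversized request and keep serving other clients. The fixed-point layout, the TOOBIG limit, the glyph outline and all function names are assumptions made for the illustration.

```c
/* Added example, not XFree86/libXfont code: the abort() pattern quoted from
 * curves.c beside a variant that returns the error so the caller (xfs) survives.
 * Fixed-point layout, TOOBIG limit and glyph outline are constructed assumptions. */
#include <limits.h>
#include <stdlib.h>

typedef long long fractpel;               /* fixed-point pixel coordinate */
#define FRACTBITS 16
#define TOOBIG(xy) ((xy) > (1LL << 30) || (xy) < -(1LL << 30))
struct bezier { fractpel p[8]; };         /* xA,yA, xB,yB, xC,yC, xD,yD */

/* Pattern quoted from curves.c: abort() inside a shared library takes down
 * the whole host process, whether that is xfs or the X server itself. */
void step_bezier_aborting(const struct bezier *b)
{
    for (int i = 2; i < 8; i++)
        if (TOOBIG(b->p[i]))
            abort();                      /* "Beziers this big not yet supported" */
}

/* Hardened variant: identical check, but the failure is a return value the
 * caller can turn into an error reply for that one font request. */
enum t1_status { T1_OK = 0, T1_TOOBIG = -1, T1_OVERFLOW = -2, T1_BADSIZE = -3 };

int step_bezier_checked(const struct bezier *b)
{
    for (int i = 2; i < 8; i++)
        if (TOOBIG(b->p[i]))
            return T1_TOOBIG;
    return T1_OK;
}

/* Scale a 1000-unit font-space outline to the requested pixel size, refusing
 * the multiplication itself when it would overflow fractpel. */
int scale_bezier(const struct bezier *units, long long pixel_size,
                 struct bezier *out)
{
    if (pixel_size <= 0) return T1_BADSIZE;
    for (int i = 0; i < 8; i++) {
        if (llabs(units->p[i]) > (LLONG_MAX >> FRACTBITS) / pixel_size)
            return T1_OVERFLOW;
        out->p[i] = units->p[i] * pixel_size * (1LL << FRACTBITS) / 1000;
    }
    return step_bezier_checked(out);
}

/* xfs-side role: a rejected glyph becomes an error code for that client. */
int serve_font_request(long long pixel_size)
{
    static const struct bezier glyph = { { 0, 0, 300, 700, 600, 700, 1000, 0 } }; /* constructed outline */
    struct bezier scaled;
    return scale_bezier(&glyph, pixel_size, &scaled);
}
```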