Bugtraq mailing list archives

Re: remote DoS in Mozilla 1.0

From: Jakub Bogusz <qboosh () pld org pl>
Date: Tue, 11 Jun 2002 19:59:54 +0200

On Tue, Jun 11, 2002 at 03:05:31PM +0200, Stijn Jonker wrote:
[...]

What happens is that XFS consumes huge amounts of ram, and finally bails 
out. So end of story for the fonts in X. As a result X is practicly 
useless.

I can only guess what happens when you don't use XFS but Xserver based 
fontrendering, the X server consumes huge amounts of mem and cpu and bails 
out => server crash => Bye Bye X.

The solution(s):
      (a) Fix every app to disallow font sizes bigger then <maxvalue>
      (b) Fix XFS to return an error code to the calling application 
when requested font size is greater then configured <maxvalue>


I think it's not XFS, but libXfont.

Here's the end of strace before xfs dies:

| open("/usr/share/fonts/Type1/ariam___-ISO-8859-2.pfb", O_RDONLY) = 7
| read(7, "\200\1\352\26\0\0%!PS-AdobeFont-1.0: Arial-"..., 512) = 512
[...]
| read(7, "\375KlWqU\200\321\20\2274;\214k\207\222\357\7[Q0\235\213"..., 512) = 512
| close(7)                                = 0
| old_mmap(NULL, 6311936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x408d7000
| old_mmap(NULL, 13180928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40edc000
| old_mmap(NULL, 31662080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b6e000
| old_mmap(NULL, 33607680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x439a0000
| old_mmap(NULL, 46592000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x459ad000
| write(2, "xfs error: ", 11)             = -1 EBADF (Bad file descriptor)
| write(2, "Beziers this big not yet support"..., 34) = -1 EBADF (Bad file descriptor)
| rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
| getpid()                                = 21200
| kill(21200, SIGABRT)                    = 0
| --- SIGABRT (Aborted) ---

In XFree86 (4.2.0) in xc/lib/font/Type1/curves.c about line 219 there is:

| struct segment *
| StepBezier(struct region *R, /* Region under construction or NULL            */
[...]
|        if ( TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
|             || TOOBIG(xD) || TOOBIG(yD) )
|                abort("Beziers this big not yet supported");

It isn't very good idea to abort() on wrong parameters in shared library
function...


-- 
Jakub Bogusz    http://prioris.mini.pw.edu.pl/~qboosh/
PLD Linux       http://www.pld.org.pl/

Current thread:

remote DoS in Mozilla 1.0 Tom (Jun 10)
- Re: remote DoS in Mozilla 1.0 Stijn Jonker (Jun 11)
  - Re: remote DoS in Mozilla 1.0 Mikael Olsson (Jun 11)
  - Re: remote DoS in Mozilla 1.0 Tom (Jun 11)
    - Re: remote DoS in Mozilla 1.0 Andreas Beck (Jun 11)
    - Re: remote DoS in Mozilla 1.0 John C. Welch (Jun 11)
  - Re: remote DoS in Mozilla 1.0 Jakub Bogusz (Jun 11)
- Very large font size crashing X Font Server and Grounding Server to a Halt (was: remote DoS in Mozilla 1.0) Federico Sevilla III (Jun 13)
  - Re: Very large font size crashing X Font Server and Grounding Server to Alan Cox (Jun 13)
    - rlimits and non overcommit (was: Very large font size ...) Federico Sevilla III (Jun 13)
  - Re: Very large font size crashing X Font Server and Grounding Server to a Halt (was: remote DoS in Mozilla 1.0) rjh (Jun 13)
  - Re: Very large font size crashing X Font Server and Grounding Server to a Halt (was: remote DoS in Mozilla 1.0) Rob Mayoff (Jun 13)
  - Re: Very large font size crashing X Font Server and Grounding Server to a Halt (was: remote DoS in Mozilla 1.0) Matthew Wakeling (Jun 13)
- RE: remote DoS in Mozilla 1.0 Keith Warno (Jun 13)
  - Re: remote DoS in Mozilla 1.0 Tom (Jun 13)
- <Possible follow-ups>
- RE: remote DoS in Mozilla 1.0 Jon Keating (Jun 11)
- Re: Re: remote DoS in Mozilla 1.0 0xFF (Jun 11)

(Thread continues...)