Bug#493363: #493363 Some SVG images make kio_thumbnail / Konqueror take 95% CPU and more than 1GB of memory

2008-08-07 Thread Ana Guerrero
Hi Steve,

On Sun, Aug 03, 2008 at 06:47:44PM +0100, Steve Cotton wrote:
> severity 493363 grave
> tags 493363 + patch
> quit
> 
> Severity justification: This bug allocates memory in an infinite
> loop, which leads to the system near-freezing while thrashing,
> until the Xserver crashes.
> From opening the attached minimal test case image in Konqueror,
> it's less than ten seconds before the system starts thrashing.
> 
> 
> In SVGAnimatedPointsImpl::parsePoints there's a for loop over an
> iterator.  Each time through the loop takes two elements from the
> iterator, but only tests the exit condition once.
> 
> A malformed SVG polygon with an odd number of coordinates will
> trigger the bug.  A minimal test case is attached, as is a patch
> which will silently ignore such malformed polygons (while still
> rendering the rest of the SVG).
>

Nice. Could you forward this patch to the KDE SVN, so they can merge it into
KDE 3.5.10?
I would do it, but it is your patch :D

Ana






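The loop pattern Steve describes above (two reads from the iterator per iteration, one test of the exit condition) is what the parity check in the patch guards against. The following is an added example in C++, not code from KDE's ksvg or from this thread: a standalone points-list parser that applies the same up-front even-count check and additionally re-tests the bound before every read, so the loop cannot run past the end of the token list even without the parity check. The names (`parse_points`, `tokenize_points`, `Point`) are hypothetical; the tokenizer splits on whitespace and commas, the separators the SVG points grammar allows, which is an assumption about input this example makes rather than something visible in the ksvg hunk.

```cpp
// Added example (not KDE/ksvg code): parse an SVG "points" attribute into
// (x,y) pairs without ever reading past the end of the token list.
#include <cstdlib>
#include <string>
#include <vector>

struct Point {
    double x;
    double y;
};

// Split on whitespace and commas (assumption: SVG 1.1 allows either as the
// separator between coordinates), dropping empty tokens so "1, 2" is fine.
static std::vector<std::string> tokenize_points(const std::string& s) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == ',') {
            if (!cur.empty()) { out.push_back(cur); cur.clear(); }
        } else {
            cur.push_back(c);
        }
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Strict number parse: the whole token must be consumed by strtod.
static bool parse_number(const std::string& tok, double& v) {
    char* end = nullptr;
    v = std::strtod(tok.c_str(), &end);
    return end != tok.c_str() && *end == '\0';
}

// Returns false for a malformed list (odd coordinate count or a non-numeric
// token) and leaves `pts` empty, so the caller can skip just this polygon
// and keep rendering the rest of the document.
bool parse_points(const std::string& attr, std::vector<Point>& pts) {
    pts.clear();
    std::vector<std::string> toks = tokenize_points(attr);

    // Same idea as the patch's up-front check: coordinates come in pairs.
    if (toks.size() % 2 != 0) return false;

    // Defence in depth: each read advances the iterator by exactly one and
    // the bound is checked before the second read, so an odd-length list
    // would stop here instead of walking off the end of the container.
    for (auto it = toks.begin(); it != toks.end(); ) {
        Point p;
        if (!parse_number(*it++, p.x)) { pts.clear(); return false; }
        if (it == toks.end() || !parse_number(*it++, p.y)) { pts.clear(); return false; }
        pts.push_back(p);
    }
    return true;
}
```

The two checks are deliberately redundant: the parity test gives a cheap early rejection with a clear reason, while the in-loop bound test means a later change to how the attribute is split (or a separator the tokenizer does not know about) cannot bring back the runaway loop.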



Bug#493363: #493363 Some SVG images make kio_thumbnail / Konqueror take 95% CPU and more than 1GB of memory

2008-08-03 Thread Steve Cotton
severity 493363 grave
tags 493363 + patch
quit

Severity justification: This bug allocates memory in an infinite
loop, which leads to the system near-freezing while thrashing,
until the Xserver crashes.
From opening the attached minimal test case image in Konqueror,
it's less than ten seconds before the system starts thrashing.


In SVGAnimatedPointsImpl::parsePoints there's a for loop over an
iterator.  Each time through the loop takes two elements from the
iterator, but only tests the exit condition once.

A malformed SVG polygon with an odd number of coordinates will
trigger the bug.  A minimal test case is attached, as is a patch
which will silently ignore such malformed polygons (while still
rendering the rest of the SVG).

Steve
Sun Aug  3 18:26:12 BST 2008  Steve Cotton <[EMAIL PROTECTED]>
  * 493363 Check that there are an even number of elements in KSVG::SVGAnimatedPointsImpl::parsePoints
diff -rN -u old-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc new-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc
--- old-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc	2008-08-03 18:30:36.0 +0100
+++ new-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc	2008-08-03 18:30:37.0 +0100
@@ -79,6 +79,12 @@
 	_points = _points.simplifyWhiteSpace();
 
 	QStringList pointList = QStringList::split(' ', _points);
+
+	/* The list is of (x,y) pairs, so it must have an even
+	 * number of elements. */
+	if (pointList.count() % 2)
+		return;
+
 	for(QStringList::Iterator it = pointList.begin(); it != pointList.end(); it++)
 	{
 		SVGPointImpl *point = SVGSVGElementImpl::createSVGPoint();
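Review bot: the new `if (pointList.count() % 2) return;` guard removes the trigger but leaves the loop body in the unsafe shape described in the report (two reads from `it` per iteration, a single `it != pointList.end()` test in the for header), so any later change to how `_points` is split would reintroduce the runaway allocation; consider also testing `it != pointList.end()` before the second increment inside the loop so the loop is safe on its own. The early `return` also drops the whole points list silently, which matches the "silently ignore" intent in the commit message, but a kdDebug/kdWarning line noting the malformed polygon would make such files much easier to diagnose. Finally, the parity check only sees what `QStringList::split(' ', _points)` produces after `simplifyWhiteSpace()`; the hunk does not show how comma separators in the points attribute are normalised before that split, so it would be worth confirming that a comma-separated list reaches this check as one token per coordinate.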