MantisBT - NetSurf
View Issue Details
ID: 0002873
Project: NetSurf
Category: [All Projects] General
View Status: public
Date Submitted: 2024-05-26 21:48
Last Update: 2024-05-27 09:38
Reporter: Felix Albrigtsen
Assigned To: kinnison
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Framebuffer
OS: Linux
OS Version: Debian 12
Product Version: 3.11
Target Version:
Fixed in Version: 3.12
Fixed in CI build #: 6734
Reported in CI build #:
URL of problem page:
Summary: 0002873: Double free in box_normalise_table
Description: Double free() caused by integer overflow when parsing a table in netsurf/content/handlers/html/box_normalise.c.

In box_normalise_table, col_info.spans is freed. If col_info.spans is already freed by box_normalise_table_row_group, this can cause a double free.
This can happen once `box_normalise_table_row_group` has called `box_normalise_table_row` which then calls `calculate_table_row`.
If cell_end_col is equal to 0xffffffff inside of calculate_table_row, the if-check on line 113 in netsurf/blob/master/content/handlers/html/box_normalise.c will evaluate to true, but `(cell_end_col + 1)` is passed as the size argument to realloc, causing it to overflow to 0.
Calling realloc with size 0 is equivalent to a free, resulting in a double free triggered by the HTML file below.

The "magic constant" 4294967295 is (2^32)-1, filling an entire 32 bit integer.
Steps To Reproduce:
1. Install / Build netsurf. Tested with framebuffer and gtk3 on Linux, for example the default netsurf packages on debian.

2. Create the file "test.html" containing an otherwise valid HTML file with `<table><th colspan="4294967295">` in its body.

3. Run `$ netsurf-fb -f ram file://$(pwd)/test.html`

===

Example HTML file:

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <table><th colspan="4294967295">
</body>
</html>
Additional Information: Tested on 64-bit Debian and NixOS, on NetSurf 3.10 and 3.11.

Consequences on Linux with glibc: Double free is caught by libc, killing the process with SIGABRT.

I have not tested the actual consequences on any other system.
Tags: No tags attached.
Attached Files

Notes
(0002451) Vincent Sanders, 2024-05-27 09:22
We are failing to clamp these to the spec limits:
https://html.spec.whatwg.org/multipage/tables.html#attr-tdth-rowspan
(0002452) kinnison, 2024-05-27 09:37
I have confirmed that this blows up for me, and am working on a fix.
(0002453) kinnison, 2024-05-27 09:38
We're now clamping rowspan and colspan according to HTML spec 4.9.11.
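The overflow described in the report and the clamping described in the fix note, as an added example that is not NetSurf's code: a parser that clamps colspan to [1, 1000] and rowspan to [0, 65534] following HTML spec 4.9.11, plus a size computation that refuses to wrap to 0 before the allocation. The function names, the `spans_needed` helper and the sample input are assumptions, not the names used in box_normalise.c.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Clamp limits from HTML spec section 4.9.11 (td/th colspan and rowspan). */
#define COLSPAN_MAX 1000u
#define ROWSPAN_MAX 65534u

/* Spec "non-negative integer" rules: optional whitespace and '+', then digits.
 * Returns fallback on parse failure, otherwise the value clamped to max. */
static unsigned parse_span(const char *attr, unsigned fallback, unsigned max)
{
    if (attr == NULL) return fallback;
    while (isspace((unsigned char)*attr)) attr++;
    if (*attr == '+') attr++;
    if (!isdigit((unsigned char)*attr)) return fallback;
    errno = 0;
    unsigned long long v = strtoull(attr, NULL, 10);
    if (errno == ERANGE || v > max) return max; /* oversized values clamp, never wrap */
    return (unsigned)v;
}

/* colspan: absent, invalid or < 1 becomes 1; anything above 1000 becomes 1000. */
unsigned parse_colspan(const char *attr)
{
    unsigned v = parse_span(attr, 1, COLSPAN_MAX);
    return v < 1 ? 1 : v;
}

/* rowspan: absent or invalid becomes 1; 0 is legal; above 65534 becomes 65534. */
unsigned parse_rowspan(const char *attr)
{
    return parse_span(attr, 1, ROWSPAN_MAX);
}

/* Slots needed for a cell whose last column is cell_end_col. Returns 0 on wrap
 * so the caller fails instead of calling realloc(p, 0), which glibc treats as free. */
unsigned spans_needed(unsigned cell_end_col)
{
    return cell_end_col == UINT_MAX ? 0 : cell_end_col + 1;
}

int main(void)
{
    /* Constructed input: the colspan value from the report's test.html. */
    printf("colspan=%u\n", parse_colspan("4294967295"));
    return 0;
}
```

With the attribute clamped to 1000, the cell's end column can no longer reach UINT_MAX, and `spans_needed` is the guard for the case where it somehow does.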

Issue History
2024-05-26 21:48  Felix Albrigtsen  New Issue
2024-05-27 09:22  Vincent Sanders   Note Added: 0002451
2024-05-27 09:23  kinnison          Assigned To => kinnison
2024-05-27 09:23  kinnison          Status: new => assigned
2024-05-27 09:37  kinnison          Status: assigned => confirmed
2024-05-27 09:37  kinnison          Note Added: 0002452
2024-05-27 09:38  kinnison          Status: confirmed => resolved
2024-05-27 09:38  kinnison          Resolution: open => fixed
2024-05-27 09:38  kinnison          Fixed in Version => 3.12
2024-05-27 09:38  kinnison          Fixed in CI build # => 6734
2024-05-27 09:38  kinnison          Note Added: 0002453