View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0002873 | NetSurf | [All Projects] General | public | 2024-05-26 20:48 | 2024-05-27 08:38

Field | Value
---|---
Reporter | Felix Albrigtsen
Assigned To | kinnison
Severity | crash
Reproducibility | always
Status | resolved
Resolution | fixed
Platform | Framebuffer
OS | Linux
OS Version | Debian 12
Product Version | 3.11
Target Version |
Fixed in Version | 3.12
Summary | 0002873: Double free in box_normalise_table

Description

Double free() caused by integer overflow when parsing a table in netsurf/content/handlers/html/box_normalise.c. In box_normalise_table, col_info.spans is freed. If col_info.spans has already been freed by box_normalise_table_row_group, this can cause a double free. This can happen once `box_normalise_table_row_group` has called `box_normalise_table_row`, which then calls `calculate_table_row`. If cell_end_col is equal to 0xffffffff inside calculate_table_row, the if-check on line 113 of netsurf/blob/master/content/handlers/html/box_normalise.c evaluates to true and `(cell_end_col + 1)` is passed as the size argument to realloc, causing it to overflow to 0. Calling realloc with size 0 is equivalent to a free, resulting in a double free, triggered by the HTML file below. The "magic constant" 4294967295 is (2^32)-1, filling an entire 32-bit integer.

Steps To Reproduce

1. Install / build NetSurf. Tested with framebuffer and gtk3 on Linux, for example the default netsurf packages on Debian.
2. Create the file "test.html" containing an otherwise valid HTML file with `<table><th colspan="4294967295">` in its body.
3. Run `$ netsurf-fb -f ram file://$(pwd)/test.html`

Example HTML file:

```html
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
  </head>
  <body>
    <table><th colspan="4294967295">
  </body>
</html>
```

Additional Information

Tested on 64-bit Debian and NixOS, on NetSurf 3.10 and 3.11. Consequences on Linux with glibc: the double free is caught by libc, killing the process with SIGABRT. I have not tested the actual consequences on any other system.

Field | Value
---|---
Tags | No tags attached.
Fixed in CI build # | 6734
Reported in CI build # |
URL of problem page |
Attached Files |
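Added example, not NetSurf's code: a reduced model of the failure the report describes, next to a hardened growth path that clamps colspan/rowspan to the limits of HTML spec section 4.9.11 (the fix the notes refer to) before any size arithmetic happens. `struct col_info`, `handle_cell`, `grow_spans_checked` and the other names are hypothetical stand-ins for the box_normalise.c internals, and the attribute strings fed in are constructed (the report's own 4294967295 plus a few edge cases).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Clamp limits from the HTML Living Standard, 4.9.11: colspan to [1, 1000],
 * rowspan to [0, 65534]. */
#define COLSPAN_MAX 1000u
#define ROWSPAN_MAX 65534u

/* Hypothetical stand-in for col_info.spans: one entry per column. */
struct col_info {
    uint32_t *spans;
    uint32_t  num_cols;
};

/* Simplified HTML "rules for parsing non-negative integers": skip leading ASCII
 * whitespace, optional '+', read digits, ignore the rest. Returns -1 if no
 * digits; the accumulator saturates at UINT32_MAX so it can never wrap. */
static int parse_nonneg_int(const char *s, uint32_t *out) {
    while (*s == ' ' || *s == '\t' || *s == '\n' || *s == '\f' || *s == '\r') s++;
    if (*s == '+') s++;
    if (*s < '0' || *s > '9') return -1;
    uint64_t v = 0;
    for (; *s >= '0' && *s <= '9'; s++) {
        v = v * 10 + (uint64_t)(*s - '0');
        if (v > UINT32_MAX) v = UINT32_MAX;
    }
    *out = (uint32_t)v;
    return 0;
}

/* colspan per spec: parse error or 0 gives 1; anything above 1000 becomes 1000. */
static uint32_t colspan_value(const char *attr) {
    uint32_t v;
    if (attr == NULL || parse_nonneg_int(attr, &v) != 0 || v == 0) return 1;
    return v > COLSPAN_MAX ? COLSPAN_MAX : v;
}

/* rowspan per spec: parse error gives 1; 0 is legal; above 65534 becomes 65534. */
static uint32_t rowspan_value(const char *attr) {
    uint32_t v;
    if (attr == NULL || parse_nonneg_int(attr, &v) != 0) return 1;
    return v > ROWSPAN_MAX ? ROWSPAN_MAX : v;
}

/* The arithmetic the report describes: the byte count that would reach
 * realloc() for a cell ending at cell_end_col. At 0xffffffff the 32-bit
 * increment wraps to 0, and realloc(spans, 0) frees spans on glibc while the
 * caller still holds, and later frees, the same pointer. */
static size_t unchecked_realloc_size(uint32_t cell_end_col) {
    uint32_t new_cols = cell_end_col + 1;      /* wraps to 0 at UINT32_MAX */
    return (size_t)new_cols * sizeof(uint32_t);
}

/* Hardened growth: refuses the wrap and the size_t overflow instead of passing
 * 0 to realloc(); on any failure ci->spans is left untouched, so the caller's
 * single free() stays correct. */
static int grow_spans_checked(struct col_info *ci, uint32_t cell_end_col) {
    if (cell_end_col < ci->num_cols) return 0;   /* already covers this column */
    if (cell_end_col == UINT32_MAX) return -1;   /* cell_end_col + 1 would wrap */
    uint32_t new_cols = cell_end_col + 1;
    if ((size_t)new_cols > SIZE_MAX / sizeof(uint32_t)) return -1;
    uint32_t *p = realloc(ci->spans, (size_t)new_cols * sizeof(uint32_t));
    if (p == NULL) return -1;                    /* genuine OOM: old block intact */
    memset(p + ci->num_cols, 0, (size_t)(new_cols - ci->num_cols) * sizeof(uint32_t));
    ci->spans = p;
    ci->num_cols = new_cols;
    return 0;
}

/* Per-cell step with clamping applied first: last column the cell covers,
 * grow the span table to reach it, record the rowspan. Returns cell_end_col,
 * or -1 if the table could not be grown. */
static int64_t handle_cell(struct col_info *ci, uint32_t start_col,
                           const char *colspan_attr, const char *rowspan_attr) {
    uint32_t colspan = colspan_value(colspan_attr);          /* 1..1000 */
    if (start_col > UINT32_MAX - colspan) return -1;         /* start + span would wrap */
    uint32_t cell_end_col = start_col + colspan - 1;
    if (grow_spans_checked(ci, cell_end_col) != 0) return -1;
    uint32_t rowspan = rowspan_value(rowspan_attr);
    for (uint32_t c = start_col; c <= cell_end_col; c++) ci->spans[c] = rowspan;
    return (int64_t)cell_end_col;
}

/* The report's <th colspan="4294967295"> through the clamped path: returns
 * the resulting cell_end_col (999) once the table holds 1000 columns. */
static int64_t demo_report_cell(void) {
    struct col_info ci = { NULL, 0 };
    int64_t end = handle_cell(&ci, 0, "4294967295", NULL);
    int ok = ci.num_cols == COLSPAN_MAX && ci.spans != NULL && ci.spans[999] == 1;
    free(ci.spans);
    return ok ? end : -1;
}

/* The raw overflow value against the checked growth: must be refused with the
 * empty table untouched. Returns 1 on the expected outcome. */
static int demo_checked_refuses_wrap(void) {
    struct col_info ci = { NULL, 0 };
    int rc = grow_spans_checked(&ci, UINT32_MAX);
    return rc == -1 && ci.spans == NULL && ci.num_cols == 0;
}

int main(void) {
    printf("bytes passed to realloc for 0xffffffff: %zu\n", unchecked_realloc_size(UINT32_MAX));
    printf("clamped colspan for 4294967295: %u\n", colspan_value("4294967295"));
    printf("clamped cell_end_col: %lld\n", (long long)demo_report_cell());
    return 0;
}
```

Two points worth keeping in mind when reviewing similar code: `realloc(p, 0)` is implementation-defined in C, and on glibc it frees `p` and returns NULL, so the NULL is indistinguishable from an allocation failure and an error path that frees the "old" pointer frees it twice. Clamping at attribute-parse time removes the attacker-controlled magnitude, and the checked growth keeps the invariant that a failed grow never changes who owns the buffer.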
Notes

Vincent Sanders (administrator) 2024-05-27 08:22
We are failing to clamp these to the spec limits https://html.spec.whatwg.org/multipage/tables.html#attr-tdth-rowspan

kinnison (administrator) 2024-05-27 08:37
I have confirmed that this blows up for me, and am working on a fix.

kinnison (administrator) 2024-05-27 08:38
We're now clamping rowspan and colspan according to HTML spec 4.9.11
Issue History

Date Modified | Username | Field | Change
---|---|---|---
2024-05-26 20:48 | Felix Albrigtsen | New Issue |
2024-05-27 08:22 | Vincent Sanders | Note Added: 0002451 |
2024-05-27 08:23 | kinnison | Assigned To | => kinnison
2024-05-27 08:23 | kinnison | Status | new => assigned
2024-05-27 08:37 | kinnison | Status | assigned => confirmed
2024-05-27 08:37 | kinnison | Note Added: 0002452 |
2024-05-27 08:38 | kinnison | Status | confirmed => resolved
2024-05-27 08:38 | kinnison | Resolution | open => fixed
2024-05-27 08:38 | kinnison | Fixed in Version | => 3.12
2024-05-27 08:38 | kinnison | Fixed in CI build # | => 6734
2024-05-27 08:38 | kinnison | Note Added: 0002453 |