| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0002873 | NetSurf | [All Projects] General | public | 2024-05-26 21:48 | 2024-05-27 09:38 | ||||
| Reporter | Felix Albrigtsen | ||||||||
| Assigned To | kinnison | ||||||||
| Severity | crash | Reproducibility | always | ||||||
| Status | resolved | Resolution | fixed | ||||||
| Platform | Framebuffer | OS | Linux | OS Version | Debian 12 | ||||
| Product Version | 3.11 | ||||||||
| Target Version | Fixed in Version | 3.12 | |||||||
| Summary | 0002873: Double free in box_normalise_table | ||||||||
| Description | Double free() caused by integer overflow when parsing a table in netsurf/content/handlers/html/box_normalise.c. In box_normalise_table, col_info.spans is freed. If col_info.spans is already freed by box_normalise_table_row_group, this can cause a double free. This can happen once `box_normalise_table_row_group` has called `box_normalise_table_row` which then calls `calculate_table_row`. If cell_end_col is equal to 0xffffffff inside of calculate_table_row, the if-check on line 113 in netsurf/blob/master/content/handlers/html/box_normalise.c will evaluate to true, but passing `(cell_end_col + 1)` as the size argument to realloc, causing it to overflow to 0. Calling realloc with size 0 is equivalent to a free, resulting in a double free triggered by the HTML file below. The "magic constant" 4294967295 is (2^32)-1, filling an entire 32 bit integer. | ||||||||
| Steps To Reproduce | 1. Install / Build netsurf. Tested with framebuffer and gtk3 on Linux, for example the default netsurf packages on debian. 2. Create the file "test.html" containing an otherwise valid HTML file with `<table><th colspan="4294967295">` in its body. 3. Run `$ netsurf-fb -f ram file://$(pwd)/test.html` === Example HTML file: <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <table><th colspan="4294967295"> </body> </html> | ||||||||
| Additional Information | Tested on 64-bit Debian and NixOS, on NetSurf 3.10 and 3.11. Consequences on linux with glibc: Double free is caught by libc, killing the process with SIGABRT. I have not tested the actual consequences on any other system. | ||||||||
| Tags | No tags attached. | ||||||||
| Fixed in CI build # | 6734 | ||||||||
| Reported in CI build # | |||||||||
| URL of problem page | |||||||||
| Attached Files |
| ||||||||
 Relationships |
|
 Relationships |
| Notes |
|
Vincent Sanders (administrator) 2024-05-27 09:22 |
we are failing to clamp these to the spec limits https://html.spec.whatwg.org/multipage/tables.html#attr-tdth-rowspan |
kinnison (administrator) 2024-05-27 09:37 |
I have confirmed that this blows up for me, and am working on a fix. |
|
kinnison (administrator) 2024-05-27 09:38 |
We're now clamping rowspan and colspan according to HTML spec 4.9.11 |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-05-26 21:48 | Felix Albrigtsen | New Issue | |
| 2024-05-27 09:22 | Vincent Sanders | Note Added: 0002451 | |
| 2024-05-27 09:23 | kinnison | Assigned To | => kinnison |
| 2024-05-27 09:23 | kinnison | Status | new => assigned |
| 2024-05-27 09:37 | kinnison | Status | assigned => confirmed |
| 2024-05-27 09:37 | kinnison | Note Added: 0002452 | |
| 2024-05-27 09:38 | kinnison | Status | confirmed => resolved |
| 2024-05-27 09:38 | kinnison | Resolution | open => fixed |
| 2024-05-27 09:38 | kinnison | Fixed in Version | => 3.12 |
| 2024-05-27 09:38 | kinnison | Fixed in CI build # | => 6734 |
| 2024-05-27 09:38 | kinnison | Note Added: 0002453 | |
| Issue History |