2024-10-10 12:32 BST

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0002873NetSurf[All Projects] Generalpublic2024-05-27 09:38
ReporterFelix Albrigtsen 
Assigned Tokinnison 
SeveritycrashReproducibilityalways 
StatusresolvedResolutionfixed 
PlatformFramebufferOSLinuxOS VersionDebian 12
Product Version3.11 
Target VersionFixed in Version3.12 
Summary0002873: Double free in box_normalise_table
DescriptionDouble free() caused by integer overflow when parsing a table in netsurf/content/handlers/html/box_normalise.c.

In box_normalise_table, col_info.spans is freed. If col_info.spans is already freed by box_normalise_table_row_group, this can cause a double free.
This can happen once `box_normalise_table_row_group` has called `box_normalise_table_row` which then calls `calculate_table_row`.
If cell_end_col is equal to 0xffffffff inside of calculate_table_row, the if-check on line 113 in netsurf/blob/master/content/handlers/html/box_normalise.c will evaluate to true, but passing `(cell_end_col + 1)` as the size argument to realloc, causing it to overflow to 0.
Calling realloc with size 0 is equivalent to a free, resulting in a double free triggered by the HTML file below.

The "magic constant" 4294967295 is (2^32)-1, filling an entire 32 bit integer.
Steps To Reproduce1. Install / Build netsurf. Tested with framebuffer and gtk3 on Linux, for example the default netsurf packages on debian.

2. Create the file "test.html" containing an otherwise valid HTML file with `<table><th colspan="4294967295">` in its body.

3. Run `$ netsurf-fb -f ram file://$(pwd)/test.html`

===

Example HTML file:

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <table><th colspan="4294967295">
</body>
</html>
Additional InformationTested on 64-bit Debian and NixOS, on NetSurf 3.10 and 3.11.

Consequences on linux with glibc: Double free is caught by libc, killing the process with SIGABRT.

I have not tested the actual consequences on any other system.
TagsNo tags attached.
Fixed in CI build #6734
Reported in CI build #
URL of problem page
Attached Files

-Relationships
+Relationships

-Notes
Vincent Sanders

~0002451

Vincent Sanders (administrator)

we are failing to clamp these to the spec limits
https://html.spec.whatwg.org/multipage/tables.html#attr-tdth-rowspan
kinnison

~0002452

kinnison (administrator)

I have confirmed that this blows up for me, and am working on a fix.
kinnison

~0002453

kinnison (administrator)

We're now clamping rowspan and colspan according to HTML spec 4.9.11
+Notes

-Issue History
Date Modified Username Field Change
2024-05-26 21:48 Felix Albrigtsen New Issue
2024-05-27 09:22 Vincent Sanders Note Added: 0002451
2024-05-27 09:23 kinnison Assigned To => kinnison
2024-05-27 09:23 kinnison Status new => assigned
2024-05-27 09:37 kinnison Status assigned => confirmed
2024-05-27 09:37 kinnison Note Added: 0002452
2024-05-27 09:38 kinnison Status confirmed => resolved
2024-05-27 09:38 kinnison Resolution open => fixed
2024-05-27 09:38 kinnison Fixed in Version => 3.12
2024-05-27 09:38 kinnison Fixed in CI build # => 6734
2024-05-27 09:38 kinnison Note Added: 0002453
+Issue History