severity 493363 grave
tags 493363 + patch
quit

Severity justification: This bug allocates memory in an infinite loop, which leads to the system near-freezing while thrashing, until the Xserver crashes. From opening the attached minimal test case image in Konqueror, it's less than ten seconds before the system starts thrashing.

In SVGAnimatedPointsImpl::parsePoints there's a for loop over an iterator. Each time through the loop takes two elements from the iterator, but only tests the exit condition once. A malformed SVG polygon with an odd number of coordinates will trigger the bug.

A minimal test case is attached, as is a patch which will silently ignore such malformed polygons (while still rendering the rest of the SVG).

Steve
Attachment:
ksvg_493363_minimal_testcase.svg
Description: image/svg
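The loop shape described in the report (two iterator advances per pass, one end-of-list test) is what a parser for an SVG "points" attribute has to avoid. The following is an added, self-contained C++ example written for this page; it is not KSVG code and does not use Qt. It applies both the even-count guard from the attached patch and a second, structural guard that re-checks the end condition after every advance, so the loop cannot run off the end of the list even if the count check is removed. It also treats commas as separators (SVG's comma-wsp), which goes beyond the page's `split(' ', ...)`, and rejects non-numeric tokens; both are assumptions made here.

```cpp
#include <cstdlib>
#include <string>
#include <vector>

// Constructed example, not KSVG's parsePoints: parse an SVG "points"
// attribute into (x, y) pairs without ever looping past the token list.

struct Point {
    double x;
    double y;
};

// Split on whitespace and commas. The page's code only splits on ' '
// after simplifyWhiteSpace(); accepting commas here is an assumption.
static std::vector<std::string> tokenizePoints(const std::string &attr) {
    std::vector<std::string> tokens;
    std::string cur;
    for (char c : attr) {
        if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == ',') {
            if (!cur.empty()) {
                tokens.push_back(cur);
                cur.clear();
            }
        } else {
            cur += c;
        }
    }
    if (!cur.empty())
        tokens.push_back(cur);
    return tokens;
}

// Strict number parse: the whole token must be consumed by strtod.
static bool parseNumber(const std::string &s, double &val) {
    char *end = nullptr;
    val = std::strtod(s.c_str(), &end);
    return end != s.c_str() && *end == '\0';
}

// Returns true and fills `out` on success. On an odd coordinate count or
// a non-numeric token it returns false and leaves `out` empty, which is
// the "silently ignore the polygon" behaviour the attached patch chose.
bool parsePoints(const std::string &attr, std::vector<Point> &out) {
    out.clear();
    const std::vector<std::string> tokens = tokenizePoints(attr);

    // Guard 1 (the patch's fix): (x,y) pairs need an even token count.
    if (tokens.size() % 2 != 0)
        return false;

    std::vector<Point> parsed;
    // Guard 2 (structural fix): test for end after *each* advance, not
    // once per pair, so an odd list can never push the iterator past end.
    for (auto it = tokens.begin(); it != tokens.end(); ++it) {
        double x = 0.0, y = 0.0;
        if (!parseNumber(*it, x))
            return false;
        ++it;
        if (it == tokens.end())   // dangling x with no y: stop, don't loop
            return false;
        if (!parseNumber(*it, y))
            return false;
        parsed.push_back(Point{x, y});
    }
    out.swap(parsed);
    return true;
}

// Convenience for callers and tests: number of points parsed, or -1 if
// the attribute is malformed.
int pointCount(const std::string &attr) {
    std::vector<Point> pts;
    return parsePoints(attr, pts) ? static_cast<int>(pts.size()) : -1;
}
```

With the original KSVG loop, the odd-count input below (`"0,0 10,0 10"`) is the shape that never terminates; here it is rejected up front, and the in-loop end check makes the loop safe on its own.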
Sun Aug 3 18:26:12 BST 2008 Steve Cotton <steve@s.cotton.clara.co.uk>
* 493363 Check that there are an even number of elements in KSVG::SVGAnimatedPointsImpl::parsePoints
diff -rN -u old-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc new-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc
--- old-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc 2008-08-03 18:30:36.000000000 +0100
+++ new-kdegraphics-3.5.9/ksvg/impl/SVGAnimatedPointsImpl.cc 2008-08-03 18:30:37.000000000 +0100
@@ -79,6 +79,12 @@
_points = _points.simplifyWhiteSpace();
QStringList pointList = QStringList::split(' ', _points);
+
+ /* The list is of (x,y) pairs, so it must have an even
+ * number of elements. */
+ if (pointList.count() % 2)
+ return;
+
for(QStringList::Iterator it = pointList.begin(); it != pointList.end(); it++)
{
SVGPointImpl *point = SVGSVGElementImpl::createSVGPoint();
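Review bot: The `pointList.count() % 2` guard stops the reported hang, but the loop below it still advances the iterator twice per pass while testing `it != pointList.end()` only once, so the root cause stays in place and any other way of reaching the loop with an odd list would reproduce the original behaviour; consider also testing for `pointList.end()` after the first advance inside the body and returning there too. The comment should say why an odd count matters (the loop otherwise never terminates and allocates until the process dies), since "(x,y) pairs" alone reads as a data-shape note rather than a safety check. The early `return` also drops the polygon with no diagnostic, so a malformed document fails silently; a debug message at that point would help anyone triaging a blank polygon.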