Bug#894595: function ​cr_sel_eng_get_matched_rulesets cause denial of service

2018-04-01 Thread Jin Huang 
Package: libcroco3
Version: 0.6.12-2
Severity: normal

Dear Maintainer,

The
​​
cr_sel_eng_get_matched_rulesets() function in cr-sel-eng.c can cause a
denial of service (infinite loop) via a crafted CSS file.

In the while loop(line 1378) of funtion cr_sel_eng_get_matched_rulesets(),
cr_sel_eng_get_matched_rulesets_real() will always return
"CR_OUTPUT_TOO_SHORT_ERROR" when parsing a malformed file, leading the
while loop run infinitely.

cr_sel_eng_get_matched_rulesets_real() returns  array of the ruleset
statements that matches the
given xml node, it's prototype is as below:

static enum CRStatus
cr_sel_eng_get_matched_rulesets_real (CRSelEng * a_this,
  CRStyleSheet * a_stylesheet,
  xmlNode * a_node,
  CRStatement ** a_rulesets,
  gulong * a_len)

 *@param a_sel_eng the current selection engine
 *@param a_node the xml node for which the request
 *is being made.
 *@param a_sel_list the list of selectors to perform the search in.
 *@param a_rulesets in/out parameter. A pointer to the
 *returned array of rulesets statements that match the xml node
 *given in parameter. The caller allocates the array before calling this
 *function.
 *@param a_len in/out parameter the length (in sizeof (#CRStatement*))
 *of the returned array.
 *(the length of a_rulesets, more precisely).
 *The caller must set it to the length of a_ruleset prior to calling this
 *function. In return, the function sets it to the length
 *(in sizeof (#CRStatement)) of the actually returned CRStatement array.
 *@return CR_OUTPUT_TOO_SHORT_ERROR if found more rulesets than the size
 *of the a_rulesets array. In this case, the first *a_len rulesets found
 *are put in a_rulesets, and a further call will return the following
 *ruleset(s) following the same principle.
 *@return CR_OK if all the rulesets found have been returned. In this
 *case, *a_len is set to the actual number of ruleset found.
 *@return CR_BAD_PARAM_ERROR in case any of the given parameter are
 *bad (e.g null pointer).
 *@return CR_ERROR if any other error occurred.
 */

 CR_OUTPUT_TOO_SHORT_ERROR is returned if found more rulesets than the size
of the a_rulesets array. In this case, the first *a_len rulesets found are
put in a_rulesets, and a further call will return the following ruleset(s)
following the same principle.

 However, if more than *a_len rulesets found , in a further call, the
"a_this", "a_stylesheet" and "a_node" parameter will not change. Besides,
the *a_len will always be 8 (see below) in this fuction ,thus results in
another  CR_OUTPUT_TOO_SHORT_ERROR, make the while loop run infinitely.

*a_len not changed in every call:

1355gulong tab_size = 0,
1356tab_len = 0,
1357index = 0;
1358gushort stmts_chunck_size = 8;  //stmts_chunck_size is a fixed
value

...

1375tab_size = stmts_chunck_size;
1376tab_len = tab_size; //tab_size ,tab_len and
stmts_chunck_size are equal(value is 8)
1377
1378while ((status = cr_sel_eng_get_matched_rulesets_real
1379(a_this, a_sheet, a_node, stmts_tab + index, _len))
1380   == CR_OUTPUT_TOO_SHORT_ERROR) {
1381stmts_tab = g_try_realloc (stmts_tab,
1382   (tab_size +
stmts_chunck_size)
1383   * sizeof (CRStatement *));
1384if (!stmts_tab) {
1385cr_utils_trace_info ("Out of memory");
1386status = CR_ERROR;
1387goto error;
1388}
1389tab_size += stmts_chunck_size;// tab_size always
incresed by 8
1390index += tab_len;
// index's initial value is 0, the first time index
incresed by 8
1391tab_len = tab_size - index;
/* tab_len will be 8 the first time,and causing index
always incresed by 8,
so in every loop ,tab_len is always 8, which will
pass to cr_sel_eng_get_matched_rulesets_real() in the further call.
So, in fuction
cr_sel_eng_get_matched_rulesets_real, *a_len will not changed
and always be 8.
*/
1392}



-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_HK.UTF-8, LC_CTYPE=en_HK.UTF-8 (charmap=UTF-8),
LANGUAGE=en_HK:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libcroco3 depends on:
ii  libc6 2.24-11+deb9u3
ii  libglib2.0-0  2.50.3-2
ii  libxml2   2.9.4+dfsg1-2.2+deb9u2


--
 Jin Huang, ADLab of Venustech

Bug#894352: libcroco3: function cr_parser_parse_stylesheet() cause a DoS(denial of service)

2018-03-29 Thread Jin Huang 
Package: libcroco3
Version: 0.6.12-2
Severity: important

Dear Maintainer,

The cr_parser_parse_stylesheet() function in cr-parser.c can cause a denial
of service (infinite loop and CPU consumption) via a crafted CSS file.
Which can lead csslint-0.6 hangs forever.

$ csslint-0.6 cr-parser.c@@cr_parser_parse_import.css
  csslint will not return and the it's CPU consumption is 100%

The cause of this bug is that, the cr_parser_parse_stylesheet() function
called cr_parser_parse_media() cr_parser_parse_import() and
cr_parser_parse_ruleset() , but cr_parser_parse_media()
cr_parser_parse_import() and cr_parser_parse_ruleset() didn't return a
right status correctly while parsing malformed css file,thus making
cr_parser_parse_stylesheet() run in a infinite loop.



-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_HK.UTF-8, LC_CTYPE=en_HK.UTF-8 (charmap=UTF-8),
LANGUAGE=en_HK:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libcroco3 depends on:
ii  libc6 2.24-11+deb9u3
ii  libglib2.0-0  2.50.3-2
ii  libxml2   2.9.4+dfsg1-2.2+deb9u2


--
 Jin Huang, ADLab of Venustech
@import
@mediaa
ia{s:x