Re: remote DoS in Mozilla 1.0
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 11 Jun 2002 16:44:04 +0200
Stijn Jonker wrote:
> Is this really a mozilla bug?
> No, because try a font of the size 1666666px in gimp on the same
> system, the symptoms and the end effect is exactly the same here.
> (a) Fix every app to disallow font sizes bigger than <maxvalue>
> (b) Fix XFS to return an error code to the calling application
> when requested font size is greater than configured <maxvalue>
> Personally I would go for b.
> Just my $0.02, but if you disagree please let me know.

There's a world of difference between gimp and netscape.
Fixing XFS is indeed a good idea, but I submit that it is also a very
good idea to put a cap on font sizes in mozilla, and indeed anything
else that accepts font rendering information from external sources.
After all, mozilla runs on dozens of platforms, on different X servers.
Mozilla is what is causing the vulnerability (gimp isn't). Indeed, XFS
should be fixed, but from an overall vulnerability perspective, I'm
quite convinced mozilla should be fixed too. People upgrade mozilla
a _lot_ more often than they upgrade their X font servers.
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
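
The application-side cap argued for in this message, as an added example that is not part of the original post and is not Mozilla or XFS code. The helper name `sanitize_font_px`, the status enum and the 2048 px value standing in for `<maxvalue>` are assumptions; the function bounds an untrusted `<integer>px` size before it can reach any font backend.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap; the thread only refers to it as <maxvalue>. */
#define MAX_FONT_PX 2048L

enum font_px_status { FONT_PX_OK, FONT_PX_CLAMPED, FONT_PX_INVALID };

/*
 * Parse an untrusted "<integer>px" size and bound it at the trust boundary.
 * Hypothetical helper for illustration only.
 */
enum font_px_status sanitize_font_px(const char *text, long *out_px)
{
    char *end = NULL;
    long px;

    if (text == NULL || out_px == NULL)
        return FONT_PX_INVALID;

    errno = 0;
    px = strtol(text, &end, 10);

    /* No digits at all, or a suffix other than exactly "px". */
    if (end == text || strcmp(end, "px") != 0)
        return FONT_PX_INVALID;

    /* Zero and negative sizes (including negative overflow) are rejected. */
    if (px <= 0)
        return FONT_PX_INVALID;

    /* Too large for long (ERANGE) or simply above the cap: clamp. */
    if (errno == ERANGE || px > MAX_FONT_PX) {
        *out_px = MAX_FONT_PX;
        return FONT_PX_CLAMPED;
    }

    *out_px = px;
    return FONT_PX_OK;
}

int main(void)
{
    long px = 0;
    /* Constructed input: the size quoted in the thread. */
    enum font_px_status st = sanitize_font_px("1666666px", &px);
    printf("status=%d px=%ld\n", (int)st, px);
    return 0;
}
```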