Bug 85095 - Bitmap with invalid size parameters causes konqueror to expend system memory
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: Mandrake RPMs Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2004-07-13 16:13 UTC by Ryan Patterson
Modified: 2008-08-24 18:30 UTC

Description Ryan Patterson 2004-07-13 16:13:39 UTC
Version:           3.2.0 (using KDE KDE 3.2.3)
Installed from:    Mandrake RPMs
Compiler:          gcc 3.3.2 
OS:                Linux

http://www.securitytracker.com/alerts/2004/Apr/1009746.html

According to the report, the target user's Internet Explorer (and Konqueror) browser will allocate memory for the bitmap file based on the user-supplied image size in the bitmap file. A 58 byte bitmap can reportedly cause up to 51,539,607,528 bytes of memory to be allocated on the target user's system. The vulnerability can reportedly be triggered via HTML that references an affected bitmap file. A demonstration exploit is available at: http://www.4rman.com/exploits/tinybmp.htm

Visiting that URL from konqueror crashes it. Note that visiting the problem bitmap file, http://www.4rman.com/exploits/little2.bmp will also crash konqueror. The image specifies its size as 1114111 x 121. Interestingly, http://www.4rman.com/exploits/little.bmp will not crash konqueror, and it specifies its size as 1114111 x 202.
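
The report above comes down to a decoder sizing its pixel buffer from header fields that the file fully controls. As an added example (not code from Konqueror, KDE or the advisory), here is a pre-allocation check that rejects such a file; the function names, the caller-supplied cap and the 24 bpp depth of the constructed sample are assumptions, and only the 58-byte length and the 1114111 x 121 dimensions come from the report:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bmp_status { BMP_OK, BMP_BAD_HEADER, BMP_TOO_LARGE, BMP_TRUNCATED };

/* BMP header fields are little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate a BMP (BITMAPINFOHEADER or later) before allocating anything.
 * cap is the caller's byte limit; on BMP_OK, *need is the pixel-buffer size. */
enum bmp_status bmp_check(const uint8_t *buf, size_t len, uint64_t cap, uint64_t *need) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M' || rd32(buf + 14) < 40)
        return BMP_BAD_HEADER;
    uint32_t off = rd32(buf + 10), comp = rd32(buf + 30);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint32_t bpp = (uint32_t)buf[28] | (uint32_t)buf[29] << 8;
    if (w <= 0 || h == 0 || off < 54 || off > len)
        return BMP_BAD_HEADER;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_BAD_HEADER;
    uint64_t rows = (uint64_t)(h < 0 ? -(int64_t)h : h);   /* negative height = top-down */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4; /* rows are padded to 4 bytes */
    if (stride > cap / rows)              /* same as stride*rows > cap, without overflow */
        return BMP_TOO_LARGE;
    /* Uncompressed data (BI_RGB = 0) must actually be present in the file. */
    if (comp == 0 && stride * rows > (uint64_t)len - off)
        return BMP_TRUNCATED;
    *need = stride * rows;
    return BMP_OK;
}

/* Constructed sample: 54-byte header + 4 data bytes, declaring w x h at 24 bpp. */
void make_sample(uint8_t f[58], int32_t w, int32_t h) {
    memset(f, 0, 58);
    f[0] = 'B'; f[1] = 'M'; f[26] = 1; f[28] = 24;   /* magic, 1 plane, 24 bpp */
    wr32(f + 2, 58); wr32(f + 10, 54); wr32(f + 14, 40);
    wr32(f + 18, (uint32_t)w); wr32(f + 22, (uint32_t)h);
}

int main(void) {
    uint8_t f[58]; uint64_t need = 0;
    make_sample(f, 1114111, 121);
    printf("status=%d\n", bmp_check(f, sizeof f, 64u << 20, &need));
}
```

The cap check bounds compressed images as well; the file-length check applies only to uncompressed data, where the declared pixel bytes cannot exceed what follows the header.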
Comment 1 lexual 2004-11-26 07:25:03 UTC
I got a crash running kde 3.3.1 visiting:
http://www.4rman.com/exploits/tinybmp.htm

I didn't get a chance to save a backtrace because the crash-reporter thing didn't show up. [I do have debug stuff enabled and have made other backtraces this afternoon].

No crashes for visiting either of the *.bmp sites, but I don't have kdegraphics installed and have no idea if that makes any difference.
It eats 100% CPU cycles, ram and swap space and then crashes.
Comment 2 lexual 2005-04-20 03:04:01 UTC
The *.bmp files wouldn't crash konqueror here, 3.4.0.
But the tinybmp.htm did crash konqueror, and once again I couldn't get a backtrace because I wasn't given the option despite having made backtraces earlier on for this session.
Comment 3 Andrew Fuller 2005-07-09 17:48:45 UTC
I can confirm this bug with kdelibs & kdebase compiled from SVN (version: 3.4.89 (>= 20050615)). I didn't wait long enough for a crash, I just saw it suck the rest of my RAM as quickly as possible on my machine and then work my HDD to the ground with all the swap access before killing it myself to get a responsive desktop back.

A full 20 votes for this bug, because my biggest (only?) beef with Konqueror is the RAM it takes up if I don't close it every couple days, and I suspect this bug could have something to do with it, or may reveal the true cause when this is investigated.
Comment 4 Lyle Sigurdson 2006-10-21 14:35:25 UTC
I can confirm this with konqueror 3.5.4 from slackware 11.0 packages.
Comment 5 Jaime Torres 2008-05-22 17:24:05 UTC
The original site is no longer active; it can be tested from now on at:

http://web.archive.org/web/20040416105100/http://www.4rman.com/exploits/tinybmp.htm

Comment 6 Jaime Torres 2008-07-26 12:57:22 UTC
It does not use exceptional memory, nor does it crash, in 4.1.60 svn trunk 831729
Comment 7 Dominik Tritscher 2008-08-24 18:30:22 UTC
Can't reproduce either, so I'm closing this bug.