Version: (using KDE 3.5.9) OS: Linux Installed from: Ubuntu Packages Using SVG and xlink, it is possible to craft graphics which are rendered in exponential time relative to their size. This makes it very easy to stall konqueror using only a tiny file. Additionally the SVG renderer seems to use exponential space too. This causes konqueror to allocate and use huge amounts of memory (on a 361 byte file.) Reproducible by visiting http://www.cs.vu.nl/~ejbosman/death.svgz or a similarly crafted svg file Actual Results: Konqueror stalls, allocates huge amounts of memory. After a while, my system (Ubuntu Hardy) starts thrashing (preventable using ulimit of course,) becomes extremely unresponsive. It is hard to see how someone unfamiliar with the command line or without patience would be able to recover without a hard reboot. Expected Results: Rendering should not block menus/other tabs, if rendering takes too long, a message like the one for slow javascript programs should ask the user whether to continue. Remarks: I reported a similar bug for firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=455100 The malicious SVG creates a huge tree of objects by recursively defining objects as groups of two links to the previous object.
Reproduced in konqueror 4.1.1 (and firefox 3 and opera). The program becomes irresponsible (it has to be killed), but the memory is not increased at fully speed like in ff3 and opera.
given link to problematic file is no longer valid. If you can provide the file and the crash with current KDE >= 4.6.3, please attach the file and reopen.
A copy of the original file can be found here: http://pizzadoos.com/death.svg as well as here https://bugzilla.mozilla.org/attachment.cgi?id=338418
Thanks! I can reproduce the problem with current KDE 4.6.3
Thank you for the crash report. As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved. I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you.
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
I don't use konqueror anymor, and since this bug is almost 12 years old, the old hosting location of my PoC is long gone. However, here are my PoCs: http://pizzadoos.com/death.svg [original] http://pizzadoos.com/death2.svg [some extra layers of recursion to account for increased memory]
If konqueror uses ksvg, okular or kate part, there is no problem at all. If konqueror uses khtml or webkit part, the problem is still there.
Dear user, KHTML (and KJS) was a long time more or less unmaintained and got removed in KF6. Please migrate to use a QWebEngine based HTML component. We will do no further fixes or improvements to the KF5 branches of these components beside important security fixes. For security issues, please see: https://kde.org/info/security/ Sorry that we did not fix this issue during the life-time of KHTML. Greetings Christoph Cullmann