Bug 1747514 - Ensure the expat sandbox is large enough to hold the base URI. r=shravanrn,deian

Differential Revision: https://phabricator.services.mozilla.com/D134653
2021-12-25 06:00:25 +00:00 · 2021-12-25 06:00:25 +00:00 · 42c90d1426
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@ -1528,9 +1528,20 @@ nsExpatDriver::WillBuildModel(const CParserContext& aParserContext,
    }
  }

+  mURISpec = aParserContext.mScanner->GetFilename();
+
  // Create sandbox
+  //
+  // We have to copy the base URI into the sandbox, and it can be arbitrarily
+  // long (e.g. data URIs). So make sure the sandbox is large enough. We
+  // unscientifically request the URI size plus two MB. Note that the parsing
+  // itself is chunked so as not to require a large sandbox.
+  uint64_t minSandboxSize =
+      mURISpec.Length() * sizeof(decltype(mURISpec)::char_type) +
+      (2 * 1024 * 1024);
  MOZ_ASSERT(!mSandboxPoolData);
-  mSandboxPoolData = RLBoxExpatSandboxPool::sSingleton->PopOrCreate();
+  mSandboxPoolData =
+      RLBoxExpatSandboxPool::sSingleton->PopOrCreate(minSandboxSize);
  NS_ENSURE_TRUE(mSandboxPoolData, NS_ERROR_OUT_OF_MEMORY);

  MOZ_ASSERT(SandboxData());
@ -1560,8 +1571,6 @@ nsExpatDriver::WillBuildModel(const CParserContext& aParserContext,
                    XML_PARAM_ENTITY_PARSING_ALWAYS);
 #endif

-  mURISpec = aParserContext.mScanner->GetFilename();
-
  const XML_Char* uriStr = mURISpec.get();
  auto uri = TransferBuffer<XML_Char>(Sandbox(), uriStr, mURISpec.Length() + 1);
  MOZ_RELEASE_ASSERT(*uri, "Sized sandbox for URI");
--- a/parser/htmlparser/tests/crashtests/1747514.html
+++ b/parser/htmlparser/tests/crashtests/1747514.html
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+  <script>
+    // Generate an SVG data URI whose URI string will consume 20 MB in expat
+    // (which uses two-byte chars).
+    let img = document.createElement('img');
+    let rect = "<rect />";
+    let src = "data:image/svg+xml;utf8,<svg>" + rect.repeat(20 * 1000 * 1000 / rect.length / 2) + "</svg>";
+    img.src = src;
+    document.body.appendChild(img);
+  </script>
+
--- a/parser/htmlparser/tests/crashtests/crashtests.list
+++ b/parser/htmlparser/tests/crashtests/crashtests.list
@ -63,3 +63,4 @@ load 1534346-1.html
 load 1604307-1.html
 load 1606499-1.html
 load 1547895-1.html
+load 1747514.html