
Issue 101010 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Oct 2011
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Security: css/CSSParser.cpp memory corruption bug

Reported by, Oct 20 2011

Issue description

date: 16 Oct 2011
version: the latest chrome version in cvs
target: chromium
filename: css/CSSParser.cpp
bug type: unbound memory access
process layer: the renderer process
function: CSSParser::addProperty(int propId, PassRefPtr<CSSValue> value, bool important)

void CSSParser::addProperty(int propId, PassRefPtr<CSSValue> value, bool important)
{
    OwnPtr<CSSProperty> prop(new CSSProperty(propId, value, important, m_currentShorthand, m_implicitShorthand));
    if (m_numParsedProperties >= m_maxParsedProperties) {
        m_maxParsedProperties += 32; // @1: the capacity counter grows before the check below
        if (m_maxParsedProperties > UINT_MAX / sizeof(CSSProperty*)) // @2
            return; // bails out, but the counter already grew and the buffer was not resized
        m_parsedProperties = static_cast<CSSProperty**>(fastRealloc(m_parsedProperties,
            m_maxParsedProperties * sizeof(CSSProperty*)));
    }
    m_parsedProperties[m_numParsedProperties++] = prop.leakPtr(); // @3
}

At @2, the code prevents overflowing. But as you can see at @1, m_maxParsedProperties can be incremented if m_numParsedProperties is bigger or the same. So, if we call addProperty() a lot, it will be checked by @2, but at some point it will bypass @2 as m_maxParsedProperties will have overflowed. Then we can manipulate an unbounded memory area at @3.

[PROBLEM]: I couldn't make any crash yet. For some reasons, I don't have my computer to test this bug yet, and I can't install chromium on my school's desktop. However, I believe this is a memory corruption bug. But I have to say it's hard to trigger this bug, since we need to hit the routine almost (0xffffffff/32) times. It would take a lot of time and system resources. I don't think this bug is useful in the real world, but it can still be named as a security bug.



Comment 1 by, Oct 20 2011

Labels: Mstone-17 SecSeverity-Medium
Upstreamed as
Sorry, I can't see the link, as I'm not authorized. I wonder if my bug is confirmed. Thank you.

Comment 3 by, Oct 22 2011

Labels: -SecSeverity-Medium
The link is the upstream WebKit report; if you have a WebKit bugzilla account you can be added to the CC. At the moment the report is unconfirmed, so we can't estimate impact. If you provide a repro case that triggers the code we could proceed much more quickly.
Labels: -Mstone-17 Mstone-15 SecSeverity-High OS-Linux reward-topanel
Status: Assigned
There is no integer overflow risk here. The buffer is only extended linearly, by 32 elements at a time. Since sizeof(void*) == 4 on 32-bit or 8 on 64-bit, the allocation will either fail (32-bit) or the UINT_MAX/sizeof(CSSProperty*) check will trip (64-bit) long before the 32-bit "m_maxParsedProperties" value overflows.

There is however a buffer overflow risk here: when the condition hits and the "return" is executed, "m_maxParsedProperties += 32;" will have executed without a corresponding realloc() to resize the buffer. I believe this might be exploitable for a heap overflow on our 64-bit Linux platform, if the user has a _lot_ of physical memory.
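To make the ordering defect concrete, here is an instrumented model of the growth bookkeeping described in the report and in the comment above. It is an added example, not WebKit's code and not the r98374 fix: the struct and function names are invented, the growth step is 4 instead of 32, and a small synthetic cap (kMaxElements) stands in for UINT_MAX / sizeof(CSSProperty*). The "vulnerable" variant keeps the original order (bump the counter, bail out on the cap without resizing, then index with the stale counter); instead of actually writing past the buffer it records each write that would have landed out of bounds, so the divergence between the declared capacity and the real allocation is observable. The "fixed" variant checks the cap before committing the increment, which is one way to keep the two in step.

```cpp
#include <cstdio>
#include <vector>

// Tuning constants for the model (assumed values; the report's real numbers are 32 and
// UINT_MAX / sizeof(CSSProperty*), far too large to exercise in a demo).
constexpr unsigned kGrowth = 4;
constexpr unsigned kMaxElements = 12;

// Hypothetical growable pointer array that tracks what it *claims* to hold next to what it
// really allocated, so a mismatch can be detected rather than corrupting memory.
struct GrowableList {
    std::vector<int> storage;        // the real backing buffer; size() is what was actually allocated
    unsigned declaredCapacity = 0;   // bookkeeping counter, playing the role of m_maxParsedProperties
    unsigned count = 0;              // number of stored elements, playing the role of m_numParsedProperties
    unsigned outOfBoundsWrites = 0;  // writes that would have landed past the real buffer
};

// Vulnerable ordering from the report: counter grows at @1, the cap check at @2 returns
// without resizing, and the next call indexes past the real buffer at @3.
bool addVulnerable(GrowableList& list, int value) {
    if (list.count >= list.declaredCapacity) {
        list.declaredCapacity += kGrowth;              // @1: unconditional increment
        if (list.declaredCapacity > kMaxElements)      // @2: cap tripped ...
            return false;                              // ... but no resize, counter stays bumped
        list.storage.resize(list.declaredCapacity);    // the realloc
    }
    // @3: guard in the model only; the original would write here unconditionally
    if (list.count >= list.storage.size()) {
        ++list.outOfBoundsWrites;
        ++list.count;   // mirror the original's post-increment so the fault pattern continues
        return false;
    }
    list.storage[list.count++] = value;
    return true;
}

// Hardened ordering (one possible fix, not the committed one): decide whether growth is
// permitted before touching either the counter or the buffer.
bool addFixed(GrowableList& list, int value) {
    if (list.count >= list.declaredCapacity) {
        if (list.declaredCapacity + kGrowth > kMaxElements)
            return false;                              // nothing changed; list stays consistent
        list.declaredCapacity += kGrowth;
        list.storage.resize(list.declaredCapacity);
    }
    if (list.count >= list.storage.size()) {           // cannot happen, kept for the measurement
        ++list.outOfBoundsWrites;
        return false;
    }
    list.storage[list.count++] = value;
    return true;
}

struct Outcome {
    unsigned count;
    unsigned allocated;
    unsigned outOfBoundsWrites;
};

// Drive one variant with a fixed number of insertions and report the final bookkeeping.
Outcome simulate(bool (*add)(GrowableList&, int), unsigned attempts) {
    GrowableList list;
    for (unsigned i = 0; i < attempts; ++i)
        add(list, static_cast<int>(i));
    return {list.count, static_cast<unsigned>(list.storage.size()), list.outOfBoundsWrites};
}

int main() {
    Outcome bad = simulate(addVulnerable, 20);
    Outcome good = simulate(addFixed, 20);
    std::printf("vulnerable: count=%u allocated=%u out-of-bounds writes=%u\n",
                bad.count, bad.allocated, bad.outOfBoundsWrites);
    std::printf("fixed:      count=%u allocated=%u out-of-bounds writes=%u\n",
                good.count, good.allocated, good.outOfBoundsWrites);
    return 0;
}
```

With 20 insertions and a cap of 12, the vulnerable variant refuses growth on the 13th call, then keeps indexing past the 12-element buffer on the following calls (six would-be out-of-bounds writes, count advancing to 18 while the allocation stays at 12); the fixed variant stops cleanly at 12 with the counter and the allocation still equal. This is also why the triage comment rules out an integer overflow: the counter only ever moves by one small step per call, so the cap or an allocation failure is reached long before a 32-bit value could wrap.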

Yeah, I didn't mention the realloc() because it was obvious. Also I'm stuck installing Chrome on my machine, as it doesn't have enough RAM and HDD. Sorry for not giving a repro case. :(
What machine do you have, how much RAM / HDD?! :P
Hehe, right, I need to buy a new one soon. When I tried to compile Chromium, it always gave errors because of running out of memory... :( BTW, it seems I still don't have access to I signed up, though. My id is on the WebKit site. Thanks.

Comment 9 Deleted

Labels: -Restrict-View-SecurityTeam -Mstone-15 -SecSeverity-High Restrict-View-SecurityNotify Mstone-17 SecSeverity-Medium
Status: FixUnreleased
Committed r98374: <>

I'm downgrading the severity due to the preconditions of mapping 4GB of _pointers_ to objects so a ridiculous amount of memory would be needed for the objects themselves.

@hashcollisions: under what name would you like to be credited in our eventual release notes?
Awesome, can I have "Chu"? :)
Labels: -Pri-0 -Area-Undefined -Mstone-17 Pri-2 Area-WebKit Mstone-15 SecImpacts-Stable SecImpacts-Beta
Labels: -Mstone-15 Mstone-16 Merge-Approved
@jschuh: I don't think this is worth merging to M15 but it's so simple that M16 is a no-brainer. Setting Mstone-16, Merge-Approved.
Labels: -Merge-Approved Merge-Merged
Merged to M16:
Labels: -reward-topanel
@hashcollisions: thanks again for the report. The rewards panel decided not to reward this for a couple of reasons:
- The report was slightly misdiagnosed (there is a memory corruption but it does not involve triggering an integer overflow to hit it)
- The issue isn't exploitable on 32-bit systems.
- The issue is believed to be unrealistic to exploit on 64-bit systems.

Of course, we'll still credit you by name in our Chrome 16 release notes.

Comment 17 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member

Comment 18 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 19 by, Mar 10 2013

Labels: -Type-Security -Area-WebKit -Mstone-16 -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-16
Project Member

Comment 20 by, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 21 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 23 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 24 by, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 25 by, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 26 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 27 by, Jun 14 2016

Labels: -security_impact-beta
Labels: reward-topanel
Project Member

Comment 29 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 30 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: -reward-topanel reward-0
