
Issue metadata

Status: Fixed
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




Issue 106413: Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine

Reported by infe...@chromium.org, Dec 5 2011 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=2510289

Fuzzer: Marty_html_twiddler

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f2b57bd6cb8
Crash State:
  - crash stack -
  WebCore::RenderBoxModelObject::hasSelfPaintingLayer
  WebCore::RenderBlock::addOverhangingFloats
  - free stack -
  WebCore::Node::detach
  WebCore::Element::detach
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=110350:110431

Minimized Testcase (2.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97EGS1qsk2arR4HCJq3rYzOvR4BvBxqLvou8CyXyfrokA1DmTS-ccJZu38OYv-AgdYRfs3kIhxI-yUw6F6DqhmPrujnq48Z45tRgOpkRsNJ_FPlAoGf-1Yzh8iYIlL2QScPh4Enfgbi514yv_XbjblxAXIOLw
 

Comment 2 by jsc...@chromium.org, Dec 13 2011

Labels: -SecImpacts-None SecImpacts-Beta
Bulk edit for pending m17 beta release.

Comment 3 by infe...@chromium.org, Dec 16 2011

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4741649

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f4b0dffe0b8
Crash State:
  - crash stack -
  WebCore::RenderBoxModelObject::hasSelfPaintingLayer
  WebCore::RenderBlock::addOverhangingFloats
  - free stack -
  WebCore::Node::detach
  WebCore::Element::detach
  

Minimized Testcase (2.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96AYa0983Om-v8B_IE1MR0Blkv1iLXyZ_H4KO3d4KElNzmndpSDssQyfXbpnB8ttjpJ3lurF96nbcHJidj4rrfvqoyMfoI-9f3czf3f2yT73iWpPYBVsiWBa56Hb5gb6Cau4Rzl2rljP9rX1RFGR7FbednSiQ

Comment 4 by infe...@chromium.org, Dec 26 2011

Labels: -Mstone-17 Mstone-16 SecImpacts-Stable

Comment 5 by infe...@chromium.org, Jan 17 2012

This is not fixed by Robert's fix in http://trac.webkit.org/changeset/105120.

Comment 6 by infe...@chromium.org, Jan 23 2012

Labels: -Mstone-16 Mstone-17
The last M16 patch is already gone. Mass-updating all of these to M17.

Comment 7 by skylined@chromium.org, Feb 1 2012

Issue 112136 has been merged into this issue.

Comment 8 by kenrb@chromium.org, Feb 1 2012

Here's a link to miaubiz's test case from 112136: https://cluster-fuzz.appspot.com/testcase?key=17424502

Comment 9 by infe...@chromium.org, Feb 1 2012

Cc: miau...@gmail.com

Comment 10 by infe...@chromium.org, Feb 4 2012

Cc: jam...@chromium.org jchaffraix@chromium.org
Attaching patch using my left hand; someone needs to help through review and layout test. This fixes both mine and miaubiz's testcase.
Attachment: fix (765 bytes)

Comment 11 by kenrb@google.com, Feb 17 2012

Owner: kenrb@chromium.org
Status: Started

Comment 12 by kenrb@google.com, Feb 17 2012

Issue 112438 has been merged into this issue.

Comment 13 by infe...@chromium.org, Mar 9 2012

Issue 117577 has been merged into this issue.

Comment 14 by infe...@chromium.org, Mar 12 2012

Summary: Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=25009803

Fuzzer: Marty_html_twiddler

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x7f02ca06b4b0
Crash State:
  - crash stack -
  WebCore::RenderBlock::checkFloatsInCleanLine
  WebCore::RenderBlock::determineEndPosition
  - free stack -
  WebCore::Node::detach
  WebCore::Element::detach
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=110080:110106

Minimized Testcase (6.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96HnvSVa_zAZymgO5gBeRwxKg4LOC37SWD4XIB6bWH7OwFrPkycrBGFuCveyqs8naYjVEJ3Vn3MvNTOQK3uHUQGfrgvhq1CLcibrVVUPgaZ8ggVqRUKO6ta6aCzUJfYdV2v78-3_XpdbsfJQVSnla9b7PQctA

Comment 15 by infe...@chromium.org, Mar 29 2012

Labels: -Mstone-17 Mstone-18
Updating milestone. m18 is already out.

Comment 16 by kareng@google.com, Mar 30 2012

Labels: -Mstone-18 Mstone-20

Comment 17 by kareng@google.com, Mar 30 2012

Labels: MovedFrom18

Comment 18 by infe...@chromium.org, Mar 30 2012

Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.

Comment 19 by kenrb@chromium.org, Apr 2 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
Committed r112935: <http://trac.webkit.org/changeset/112935>

Comment 20 by infe...@chromium.org, Apr 2 2012

Labels: Merge-Approved

Comment 21 by scarybea...@gmail.com, Apr 22 2012

Comment 22 by scarybea...@gmail.com, Apr 23 2012

M19 compile fix from Abhishek at r114916
Reverted from M18 at r114853

Comment 23 by scarybea...@gmail.com, Apr 23 2012

Remerged to M18 with MOAR COMPILE WIN

M18: http://trac.webkit.org/changeset/114940

Comment 24 by infe...@chromium.org, Apr 24 2012

Labels: CVE-2011-3078

Comment 25 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 26 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 27 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -Type-Security -SecSeverity-High -Stability-AddressSanitizer -SecImpacts-Beta -SecImpacts-Stable -Mstone-18 Cr-Content Security-Impact-Beta Type-Bug-Security M-18 Security-Severity-High Security-Impact-Stable Performance-Memory-AddressSanitizer

Comment 28 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 29 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 30 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 31 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 32 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 33 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 34 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 35 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 36 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 37 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 38 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 39 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 40 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
