Starred by 2 users
Status: Fixed
Last visit > 30 days ago
Closed: Apr 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug-Security

Long autofilled value causes render issue
Reported by, Mar 15 2012
Chrome Version       : 17.0.963.79 m
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x:
IE 7/8/9:

What steps will reproduce the problem?
1. Enter a very long string into autofillable form field and submit form
2. Repeat process and choose very long value from drop down
3. You may need to focus on a new field, or the effect may become immediately visible (see attached image)

What is the expected result?
- Drop down with value (truncated?)
- Form field filled with value, autofill drop down disappears

What happens instead?
- Drop down stretches across page
- When selected, the dropdown moves to below the address bar, followed by a badly rendered portion of the page.

Please provide any additional information below. Attach a screenshot if

(attachment: screenshot, 60.9 KB)
Comment 1 by, Mar 15 2012
Labels: Feature-Autofill
Labels: -Pri-2 -Area-Undefined -OS-Windows Pri-3 OS-All Area-UI Area-WebKit
Status: Available
Chris Sharp is currently working on moving the Autofill UI implementation out of WebKit and into Chromium proper.  If anyone wants to dig into the WebKit code and chase down this issue in the meantime, feel free to send me a patch for review :)  (I am not actually a WebKit reviewer yet; but if you send the patch my way, I'll make sure it finds a good reviewer.)
Comment 3 by, Mar 15 2012
Here's another screenshot if it helps...
(attachment: screenshot, 98.1 KB)
Labels: Review-Security
inferno@: Could you please take a look.  The apparent memory smashes look disturbing.  Thanks.
Comment 5 by, Mar 16 2012
Labels: -Type-Bug -Review-Security Type-Security Restrict-View-SecurityTeam Mstone-18 SecImpacts-Stable SecImpacts-Beta SecSeverity-High
Has anyone tried this with an ASan build? I suspect it will blow up like c4.
Unable to reproduce, testing with [ ] and "thisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringeh" as the field value...
Comment 7 by, Mar 17 2012
isherman: By chance, have you tried typing in something at like I repro'd at (maybe with a profile with long tree status messages)? I can't really understand why this would be different from any other test case you may have written (can't look at it right now), but maybe it will reproduce and you can work backwards? Also, I was using Goobuntu w/Gnome 2.6?
Ok, apparently my ludicrously wide string was not as wide as my ludicrously wide monitor.  Now bisecting...
Oddly, the most likely candidate for this bug is [ ], which purports to fix this very issue...
I guess a more accurate description might be that WebKit's r90119 did not fully fix the regression from [ ]
Comment 12 by, Mar 30 2012
Labels: -Mstone-18 Mstone-20
Comment 13 by, Mar 30 2012
Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
Status: Assigned
Alexander, can you please help to fix this regression from your change in WebKit r90119?
Status: Started
Fix landed upstream:
Waiting for the DEPS roll
Labels: Merge-Approved
Status: FixUnreleased
Labels: -Restrict-View-SecurityTeam -SecSeverity-High -Mstone-18 -Merge-Approved Restrict-View-SecurityNotify SecSeverity-Medium Mstone-19 Merge-Merged

Looks more like a Medium to me; uninitialized memory as opposed to corrupting memory?
Fix caused regression so needs follow-up fix merged:

Duly merged to M19:
Labels: CVE-2011-3085
@psaldorn: We will credit you in our release notes. Is there any particular name and affiliation you'd like us to use?
Comment 23 by, May 15 2012
Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Project Member Comment 24 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 25 by, Mar 10 2013
Labels: -Type-Security -Area-UI -Feature-Autofill -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Medium -Mstone-19 Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Cr-UI Cr-Content M-19 Type-Bug-Security Cr-UI-Browser-Autofill
Project Member Comment 26 by, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 27 by, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 29 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 30 by, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 31 by, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 32 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 33 by, Jun 14 2016
Labels: -security_impact-beta
Labels: reward-topanel
Project Member Comment 35 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 36 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: -reward-topanel reward-0
I'm afraid the panel declined to reward for this bug as they judged it to be low severity.  Thanks for the report though!