Project: chromium
Status: Fixed
Closed: Apr 2012
OS: All
Pri: 3
Type: Bug-Security
Long autofilled value causes render issue
Reported by psald...@gmail.com, Mar 15 2012
Chrome Version: 17.0.963.79 m
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)

What steps will reproduce the problem?
1. Enter a very long string into autofillable form field and submit form
2. Repeat process and choose very long value from drop down
3. You may need to focus on a new field, or the effect may become immediately visible (see attached image)

What is the expected result?
- Drop down with value (truncated?)
- Form field filled with value, autofill drop down disappears

What happens instead?
- Drop down stretches across page
- When selected dropdown moves to below the address bar followed by a badly rendered portion of the page.

Attachment: chromebug.png (60.9 KB)
Comment 1 by tkent@chromium.org, Mar 15 2012
Labels: Feature-Autofill
Cc: csharp@chromium.org dbeam@chromium.org
Labels: -Pri-2 -Area-Undefined -OS-Windows Pri-3 OS-All Area-UI Area-WebKit
Status: Available
Chris Sharp is currently working on moving the Autofill UI implementation out of WebKit and into Chromium proper.  If anyone wants to dig into the WebKit code and chase down this issue in the meantime, feel free to send me a patch for review :)  (I am not actually a WebKit reviewer yet; but if you send the patch my way, I'll make sure it finds a good reviewer.)
Comment 3 by dbeam@chromium.org, Mar 15 2012
Here's another screenshot if it helps...
Attachment: autofill_bug.png (98.1 KB)
Cc: infe...@chromium.org
Labels: Review-Security
inferno@: Could you please take a look.  The apparent memory smashes look disturbing.  Thanks.
Comment 5 by cdn@chromium.org, Mar 16 2012
Labels: -Type-Bug -Review-Security Type-Security Restrict-View-SecurityTeam Mstone-18 SecImpacts-Stable SecImpacts-Beta SecSeverity-High
Has anyone tried this with an asan build? I suspect it will blow up like c4.
Unable to reproduce, testing with [ https://www.corp.google.com/~isherman/no_crawl/autofill/autocomplete.html ] and "thisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringehthisisasuperlongstringeh" as the field value...
Comment 7 by dbeam@chromium.org, Mar 17 2012
isherman: By chance, have you tried typing in something at chromium-status.appspot.com like I repro'd at (maybe with a profile with long tree status messages)? I can't really understand why this would be different from any other test case you may have written (can't look at it right now), but maybe it will reproduce and you can work backwards? Also, I was using Goobuntu w/Gnome 2.6?
Ok, apparently my ludicrously wide string was not as wide as my ludicrously wide monitor.  Now bisecting...
Cc: apavlov@chromium.org
Oddly, the most likely candidate for this bug is [ http://trac.webkit.org/changeset/90119/trunk ], which purports to fix this very issue...
I guess a more accurate description might be that WebKit's r90119 did not fully fix the regression from [ https://bugs.webkit.org/show_bug.cgi?id=63438 ]
Comment 12 by kareng@google.com, Mar 30 2012
Labels: -Mstone-18 Mstone-20
Comment 13 by kareng@google.com, Mar 30 2012
Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
Cc: -apavlov@chromium.org tkent@chromium.org
Owner: apavlov@chromium.org
Status: Assigned
Alexander, can you please help to fix this regression from your change in webkit r90119.
Status: Started
Fix landed upstream: http://trac.webkit.org/changeset/113418
Waiting for the DEPS roll
Labels: Merge-Approved
Status: FixUnreleased
Labels: -Restrict-View-SecurityTeam -SecSeverity-High -Mstone-18 -Merge-Approved Restrict-View-SecurityNotify SecSeverity-Medium Mstone-19 Merge-Merged
M19: http://trac.webkit.org/changeset/115618

Looks more like a Medium to me; uninitialized memory as opposed to corrupting memory?
Fix caused regression so needs follow-up fix merged: https://trac.webkit.org/changeset/114513

Duly merged to M19: https://trac.webkit.org/changeset/115664
Labels: CVE-2011-3085
@psaldorn: We will credit you in our release notes. Is there any particular name and affiliation you'd like us to use?
Comment 23 by cdn@chromium.org, May 15 2012
Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Project Member Comment 24 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
Project Member Comment 25 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-UI -Feature-Autofill -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Medium -Mstone-19 Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Cr-UI Cr-Content M-19 Type-Bug-Security Cr-UI-Browser-Autofill
Project Member Comment 26 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 27 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 31 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 32 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 33 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Labels: reward-topanel
Project Member Comment 35 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: -reward-topanel reward-0
I'm afraid the panel declined to reward for this bug as they judged it to be low severity.  Thanks for the report though!