Issue 122

Starred by 16 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Sep 2008
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Restricted
  • Only users with Commit permission may comment.




Chrome crashes on about:%

Reported by jandemo...@gmail.com, Sep 2 2008

Issue description

Product Version      : 0.2.149.27 (1583)
URLs (if applicable) : about:%
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 3:
Firefox 3:
IE 7:

What steps will reproduce the problem?
1. type about:% in the address bar
2.
3.

What is the expected result?


What happens instead?


Please provide any additional information below. Attach a screenshot if 
possible.
 
 

Comment 1 by bac...@gmail.com, Sep 2 2008

Confirmed, it crashed the entire browser not only the tab.
Gears also crashes on the url test:%

Comment 3 by Deleted ...@, Sep 2 2008

Confirmed, browser crashed with message "Whoa! Google Chrome has crashed. Restart
now?". Also does the same thing if you type :% into the URL. You do not need to press
enter afterwards either. As soon as I enter % it crashes.

Win 2k3 R2
Confirmed

Comment 5 by trin...@gmail.com, Sep 2 2008

Confirmed.
Confirmed.
Another confirmation.

Pasting about:%% and variations does not cause a crash.  
Labels: -Pri-2 -Area-Unknown Pri-1 Area-BrowserUI
Status: Untriaged
I am able to repro this as well. Here is the call stack:

ChildEBP RetAddr  
0012e398 015e0f01 chrome_1000000!PureCall+0x3
[c:\b\slave\chrome-official\build\src\chrome\app\chrome_main.cc @ 89]
0012e3b0 0100829c chrome_1000000!_invalid_parameter_noinfo+0xc
[f:\sp\vctools\crt_bld\self_x86\crt\src\invarg.c @ 99]
0012e3b8 012a5a82
chrome_1000000!std::basic_string<char,std::char_traits<char>,std::allocator<char>
>::operator[]+0xd
[c:\b\slave\chrome-official\build\src\third_party\platformsdk_vista_6_0\files\vc\include\xstring
@ 1564]
0012e3dc 012a5c8f chrome_1000000!`anonymous namespace'::UnescapeURLImpl+0x63
[c:\b\slave\chrome-official\build\src\net\base\escape.cc @ 146]
0012e43c 015581d4 chrome_1000000!UnescapeAndDecodeURLComponent+0x3c
[c:\b\slave\chrome-official\build\src\net\base\escape.cc @ 250]
0012e488 01558319 chrome_1000000!gfx::AppendFormattedComponent+0x32
[c:\b\slave\chrome-official\build\src\chrome\common\gfx\url_elider.cc @ 372]
0012e510 015571f9 chrome_1000000!gfx::GetCleanStringFromUrl+0x108
[c:\b\slave\chrome-official\build\src\chrome\common\gfx\url_elider.cc @ 420]
0012eb7c 0116f406 chrome_1000000!gfx::ElideUrl+0x5d
[c:\b\slave\chrome-official\build\src\chrome\common\gfx\url_elider.cc @ 298]
0012ebd4 011e7c60 chrome_1000000!AutocompleteProvider::StringForURLDisplay+0x71
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete.cc @ 411]
0012ed44 011e8a1d chrome_1000000!HistoryURLProvider::SuggestExactInput+0x133
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\history_url_provider.cc
@ 256]
0012edc4 011e736f chrome_1000000!HistoryURLProvider::RunAutocompletePasses+0x5e
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\history_url_provider.cc
@ 626]
0012edd4 0116fd69 chrome_1000000!HistoryURLProvider::Start+0x1c
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\history_url_provider.cc
@ 79]
0012ee90 0125432e chrome_1000000!AutocompleteController::Start+0x6b
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete.cc @ 593]
0012ef30 011df29d chrome_1000000!AutocompletePopup::StartAutocomplete+0xc3
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_popup.cc
@ 294]
0012ef80 011de74f chrome_1000000!AutocompleteEdit::UpdatePopup+0xd1
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.cc
@ 2056]
0012efe0 011ddfad chrome_1000000!AutocompleteEdit::OnAfterPossibleChange+0x1da
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.cc
@ 1704]
0012eff8 011db466 chrome_1000000!AutocompleteEdit::HandleKeystroke+0x4c
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.cc
@ 1401]
0012f028 011e017a chrome_1000000!AutocompleteEdit::ProcessWindowMessage+0x6a
[c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.h
@ 302]
0012f078 7e418734
chrome_1000000!ATL::CWindowImplBaseT<WTL::CRichEditCtrlT<ATL::CWindow>,ATL::CWinTraits<1342177664,0>
>::WindowProc+0x42 [c:\program files\microsoft visual studio
8\vc\atlmfc\include\atlwin.h @ 3078]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f0a4 7e418816 USER32!GetDC+0x6d
0012f10c 7e41c63f USER32!GetDC+0x14f
0012f13c 7e41c665 USER32!IsWindowUnicode+0xa1
0012f15c 0156531a USER32!CallWindowProcW+0x1b
0012f218 7e418734 chrome_1000000!ChromeViews::FocusWindowCallback+0x112
[c:\b\slave\chrome-official\build\src\chrome\views\focus_manager.cc @ 212]
0012f244 7e418816 USER32!GetDC+0x6d
0012f2ac 7e4189cd USER32!GetDC+0x14f
0012f30c 7e418a10 USER32!GetWindowLongW+0x127
0012f31c 015628ff USER32!DispatchMessageW+0xf
0012f334 010092b2 chrome_1000000!ChromeViews::AcceleratorHandler::Dispatch+0x4a
[c:\b\slave\chrome-official\build\src\chrome\views\accelerator_handler.cc @ 58]
0012f34c 01008aab chrome_1000000!MessageLoop::ProcessMessageHelper+0x61
[c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 459]
0012f384 010089fc chrome_1000000!MessageLoop::RunTraditional+0x2b
[c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 242]
0012f438 01008938 chrome_1000000!MessageLoop::RunInternal+0xbc
[c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 228]
0012f478 0112f096 chrome_1000000!MessageLoop::RunHandler+0x5a
[c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 198]
0012f5dc 0100373d chrome_1000000!BrowserMain+0xb08
[c:\b\slave\chrome-official\build\src\chrome\browser\browser_main.cc @ 503]
0012f84c 00402837 chrome_1000000!ChromeMain+0x618
[c:\b\slave\chrome-official\build\src\chrome\app\chrome_main.cc @ 280]
0012fc84 00402bdb chrome!google_update::GoogleUpdateClient::Launch+0x11a
[c:\b\slave\chrome-official\build\src\chrome\app\google_update_client.cc @ 197]
0012ff28 00422981 chrome!wWinMain+0x158
[c:\b\slave\chrome-official\build\src\chrome\app\main.cc @ 96]
0012ffc0 7c816fd7 chrome!__tmainCRTStartup+0x176
[f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]
0012fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49

(a50.62c): Break instruction exception - code 80000003 (!!! second chance !!!)
eax=01002ff0 ebx=0012e450 ecx=01002ff0 edx=7c90e4f4 esi=0012e450 edi=00000002
eip=01002ff3 esp=0012e398 ebp=0012e398 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
chrome_1000000+0x2ff3:
01002ff3 cc              int     3

disassembly

01002ff0 55              push    ebp
01002ff1 8bec            mov     ebp,esp
01002ff3 cc              int     3
01002ff4 5d              pop     ebp
01002ff5 c3              ret

looks like some debug assert

Comment 11 by cpu@chromium.org, Sep 3 2008

Unescaping has an out of bounds issue

    if (escaped_text[i] == '%' && i < max_digit_index) {
      const std::string::value_type most_sig_digit(escaped_text[i + 1]); <-- bang!
      const std::string::value_type least_sig_digit(escaped_text[i + 2]);

i+ 1 = 1 and the string is just "%"

Actually I am seeing a bunch of issues here.
Labels: Security
Labels: -Area-BrowserUI Area-BrowserBackend
Status: Assigned
This is a reproducible crash, but doesn't look exploitable.
If you create a hyperlink using about:% the browser crashes on mouse hover.
Labels: -Security
Removing security label, this is an unfortunate browser crash, but it shouldn't be 
exploitable beyond an annoyance.
Actually, this is the problem code:

  for (size_t i = 0, max = escaped_text.size(), max_digit_index = max - 2;
       i < max; ++i) {
    if (escaped_text[i] == '%' && i < max_digit_index) {

max_digit_index underflows, causing the 'i < max_digit_index' test to be true when it 
shouldn't.

  for (size_t i = 0, max = escaped_text.size(), max_digit_index = (max > 1 ? max - 2 : 0);
       i < max; ++i) {
    if (escaped_text[i] == '%' && i < max_digit_index) {
    if (escaped_text[i] == '%' && i < max_digit_index) {

Would work as far as I can see.

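The arithmetic behind this crash, shown as an added stand-alone example (not code from the comment above or from Chromium's escape.cc): BuggyMaxDigitIndex and FixedMaxDigitIndex are the two guard computations quoted above, BuggyWouldReadOutOfBounds is a hypothetical helper that reports whether the old guard would have read past the end of a component without actually doing so, and UnescapeFixed is a hypothetical minimal %XX decoder built around the fixed guard.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Index arithmetic as in the buggy UnescapeURLImpl: size_t is unsigned, so for
// max < 2 the subtraction wraps to a huge value instead of going negative.
size_t BuggyMaxDigitIndex(size_t max) { return max - 2; }
// The committed fix: clamp to 0 when there is no room for two hex digits.
size_t FixedMaxDigitIndex(size_t max) { return max > 1 ? max - 2 : 0; }

// Does the 'i < max_digit_index' guard let the loop touch text[i+1], text[i+2]?
bool BuggyGuardPasses(size_t i, size_t max) { return i < BuggyMaxDigitIndex(max); }
bool FixedGuardPasses(size_t i, size_t max) { return i < FixedMaxDigitIndex(max); }

// Reports, without doing any out-of-range access, whether the buggy guard would
// have read past the end of 'component' (true for a component of just "%").
bool BuggyWouldReadOutOfBounds(const std::string& component) {
  const size_t max = component.size();
  for (size_t i = 0; i < max; ++i)
    if (component[i] == '%' && BuggyGuardPasses(i, max) && i + 2 >= max) return true;
  return false;
}

static int HexValue(char c) {  // -1 when c is not a hex digit
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Minimal %XX decoder built around the fixed guard (hypothetical helper, not
// Chromium's function): malformed or truncated escapes are copied through as-is.
std::string UnescapeFixed(const std::string& escaped_text) {
  std::string result;
  for (size_t i = 0, max = escaped_text.size(),
              max_digit_index = (max > 1 ? max - 2 : 0);
       i < max; ++i) {
    if (escaped_text[i] == '%' && i < max_digit_index) {
      const int hi = HexValue(escaped_text[i + 1]);
      const int lo = HexValue(escaped_text[i + 2]);
      if (hi >= 0 && lo >= 0) {
        result.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;  // consume the two hex digits
        continue;
      }
    }
    result.push_back(escaped_text[i]);
  }
  return result;
}
```

Note that the commit log says the component that reaches the unescaper is just "%", so the whole-URL input ":%" is flagged only once the scheme has been stripped.
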
Comment 19 by Deleted ...@, Sep 3 2008

Having about:% in your clipboard and right-clicking the address bar will also cause Chrome to crash.

Comment 20 by Deleted ...@, Sep 3 2008

I can reproduce this.  It also makes chrome crash if you type "anything:%" so there's
definitely something wrong.
Confirmed.

Comment 22 by Deleted ...@, Sep 3 2008

reproduced on two different laptops

Comment 23 by Deleted ...@, Sep 3 2008

Only happens when % is the first character after : which means about: % works just 
fine.

Comment 24 by Deleted ...@, Sep 3 2008

Confirmed too.
Status: Fixed
Date: Wed Sep  3 09:05:52 2008
New Revision: 1677

Log:
Fix an out of band read when parsing a URL component of just "%".  The calculation of 
max_digit_index is unsigned, and was underflowing when max was less than 2.

BUG= 122 

Modified:
  trunk/src/net/base/escape.cc
  trunk/src/net/base/escape_unittest.cc


I find it interesting that this takes down the whole browser if the whole premise of 
having a separate process for each tab is that a misbehaving tab wouldn't crash the 
whole application.

Can anyone explain why this is? Can it be more robust?
Confirmed, you can simply type :% and chrome crashes.
@togniolli: Good question, I'm interested to know about this as well!
"Time" can definitely play a major role.  There was a collision that occurred due to
the fact that I took time to find the real break point in the code, search for a
template and to publish at EvilFingers site before sending it to Google and other
bugtraqs. 
Even though I had the vulnerability 4 hrs well before the real publication of the bug
and had the exploit along with some crash details like "int 3" Kernel
Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and
further debug logs; there was this bug published (though without the details of
possible cases, exceptions and mouse hover techniques) a couple of hours before I
released it out at EvilFingers.
So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the
bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr.
Brennan for contacting me about the same.

Comment 30 by Deleted ...@, Sep 4 2008

Confirmed.
Chrome: browser crash... go boom!
Firefox 3.0.1: no crash
IE: no crash
I can confirm this on windows xp sp3
Official Build 1583
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like 
Gecko) Chrome/0.2.149.27 Safari/525.13

but it simply crashes and does not even show any "whoa!"

Comment 33 by Deleted ...@, Sep 4 2008

At line 153 in url_utils.cc
http://code.google.com/p/gears/source/browse/trunk/gears/base/common/url_utils.cc

It looks this file has the same error.

Comment 34 by Deleted ...@, Sep 4 2008

Confirm.
I can confirm that by setting this as my home page URL and closing Chrome I have made
the application completely unusable.

Why did I do that.

Comment 36 by Deleted ...@, Sep 4 2008

Confirm.

Comment 37 by Deleted ...@, Sep 4 2008

Guys please stop confirming this. A fix is already committed.
msuiche: Thanks for noticing the other occurrence of this. I've alerted the gears 
folks.

Comment 39 by Deleted ...@, Sep 4 2008

Confirmed.

Comment 40 by Deleted ...@, Sep 4 2008

Confirmed.

Comment 41 by Deleted ...@, Sep 4 2008

Confirmed.

Comment 42 by Deleted ...@, Sep 4 2008

All other Explorers survived and did not crash like Chrome.
Firefox and IE7 gave a bad URL error.
I think we all now know that this bug is real and that other browsers don't have it.

The status has been already updated by the chrome-team ***and is obviously fixed***
in the current development SVN-version.

Please no more "Confirmed" messages, it messes up my e-mail account because I want to
get the real status updates.

Comment 44 by Deleted ...@, Sep 5 2008

Isn't there a way to close this thread, so people can't confirm it anymore?

Comment 45 Deleted

Comment 46 by Deleted ...@, Sep 5 2008

CONFIRMED

Comment 47 by *mdu@chromium.org, Sep 5 2008

Status: Verified
Verified in build 0.2.149.28, bug has been fixed.
Answering the question made by togniolli on comment 26, the whole browser crashes 
because URL parsing is shared by the 'rendering engine' and 'browser kernel'. 

You can confirm that on the following document:
The Security Architecture of Chromium  
Adam Barth, Collin Jackson, Charles Reis, and The Google Chrome Team
Technical Report
The document is available here: http://crypto.stanford.edu/websec/chromium/

The information I mentioned can be found on page 4. 

I think that any issues related to url parsing and unicode parsing can cause a 
browser crash like this one.

Comment 49 by lost...@gmail.com, Sep 6 2008

I made several tests at the protocol handler level, and this issue affects multiple 
protocols:

data:%
disks:no
news:%
snews:%
ms:%
nntp: not affected.
mailto:%
radio:
vdm:%
javascript:%
vbscript:%

but the protocol handler is not needed: if we put :% in the URL, this crashes the 
browser, and it's not probable that anyone can find a vector to attack protocol 
handlers, because it is not at the protocol level.

Comment 51 by Deleted ...@, Sep 8 2008

Doesn't crash! None of the regular browsers, FFOX 3.0, IE7 and even Chrome

Comment 52 by Deleted ...@, Sep 9 2008

I could not find any problem when I typed about:% in the URL bar...
@sarangan12
that is because the issue has been fixed and pushed to users, so if your about:version shows 149.29 you are not 
affected anymore.
I just typed «:%» into the address bar of an empty tab, and the browser immediately 
crashed, but restarted automatically, and all tabs save the offending one could be 
restored. This in the CrossOver Chromium version of the browser, running on 64-bit 
Ubuntu Hardy....

Henri

Comment 55 by Deleted ...@, Sep 17 2008

Typing «:%» into the address bar resolved to: "http://xn--iba/" ???

Vista, 32 bit, Official Build 1798

Comment 56 by Deleted ...@, Nov 3 2008

Problem in Orkut: "send to all" script not working in Chrome.
Issue 1108 has been merged into this issue.
Labels: -Area-BrowserBackend Area-Internals
":%" and "about:%" have been fixed, likely a while ago.
Chrome 9.0.576.0 WinVista.

":%" goes to the search page, "about:%" shows a blank page.
Project Member

Comment 60 by bugdroid1@chromium.org, Oct 12 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 61 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals Cr-Internals
