Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Issue 144799: Heap-double-free in xmlFreeNodeList

Reported by aarya@google.com, Aug 25 2012 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=99300377

Fuzzer: Cris_inferno_crash_url

Crash Type: Heap-double-free
Crash Address: 0x7f4056823980
Crash State:
  - crash stack -
  xmlFreeNodeList
  xmlFreeProp
  - free stack -
  xmlFreeNodeList
  xmlFreeProp
  

Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94t55SelxuQhysIrhDFVTMJhQ_FSBHXfc9emCPvmUwltAw7I1Esl_QyIQJVyM_9Qz0CeaKu3KVhk6q6Rt0yksPgyKgRGPd_Vu7nJTSP231zaLOEHzOlb3cVMmVPc88SC1XBaPGaoi5irxUjEXyv7S78_lnqdruuTYENJfW-erpF0OvkpRA
 

Comment 1 by infe...@chromium.org, Aug 25 2012

Attachment: 005oxidierbarkeit_prim_sek_ter_alkohole.xml (11.4 KB)

Comment 2 by infe...@chromium.org, Aug 25 2012

Cc: veill...@gmail.com

Comment 3 by scarybea...@gmail.com, Aug 25 2012

Owner: cevans@chromium.org
Status: Assigned
Wow... a real web page hitting a real crash.

Comment 4 by scarybea...@gmail.com, Aug 25 2012

Attaching the all-import XSL too for posterity :)
Attachment: test_html_mit_xml.xsl (5.3 KB)

Comment 5 by veill...@gmail.com, Aug 25 2012

Ahum, what is the problem exactly?

thinkpad:~/XSLT -> valgrind xsltproc/xsltproc -o result  test_html_mit_xml.xsl 005oxidierbarkeit_prim_sek_ter_alkohole.xml
thinkpad:~/XSLT -> valgrind /usr/bin/xsltproc -o result  test_html_mit_xml.xsl 005oxidierbarkeit_prim_sek_ter_alkohole.xml
thinkpad:~/XSLT -> 

Either the problem is solved in recent libxml2 or I don't get the right data, or ...?

BTW I can't access https://cluster-fuzz.appspot.com/ apparently, so I have
really no clue what I should look for,

  help please :-)

Daniel

Comment 6 by infe...@chromium.org, Aug 25 2012

Bug can be reproduced in Chrome by visiting http://www.chids.de/dachs/experimente/005oxidierbarkeit_prim_sek_ter_alkohole.xml. It might be a bug in our implementation (XSLTProcessor::transformToString) too. See stack below.

+----------------------------------------Debug Build Stacktrace----------------------------------------+

/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-153377/chrome --no-first-run --no-sandbox --disable-gpu --disable-gpu-plugin --disable-gpu-rendering --disable-accelerated-compositing --disable-webgl --disable-accelerated-2d-canvas --user-data-dir=/mnt/scratch0/tmp/user_profile_chrome_0

[17662:17662:2191769900588:WARNING:zygote_host_impl_linux.cc(146)] Running without the SUID sandbox! See http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
LaunchProcess: failed to execvp:
/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-153377/nacl_helper_bootstrap
[17702:17702:2191770977537:ERROR:nacl_fork_delegate_linux.cc(107)] Bad NaCl helper startup ack (0 bytes)
[17722:17722:2191785497002:ERROR:renderer_main.cc(214)] Running without renderer sandbox
[17662:17662:2191801929739:INFO:CONSOLE(1)] "Document is empty
", source: file:///etc/xml/catalog (1)
[17662:17662:2191801931372:INFO:CONSOLE(1)] "Start tag expected, < not found
", source: file:///etc/xml/catalog (1)
[17662:17662:2191801949994:INFO:CONSOLE(27)] "Entity auml not defined
", source: http://www.chids.de/dachs/experimente/test_html_mit_xml.xsl (27)
[17662:17662:2191801950605:INFO:CONSOLE(37)] "Entity ouml not defined
", source: http://www.chids.de/dachs/experimente/test_html_mit_xml.xsl (37)
[17662:17662:2191801951073:INFO:CONSOLE(37)] "Entity ouml not defined
", source: http://www.chids.de/dachs/experimente/test_html_mit_xml.xsl (37)
[17662:17662:2191801951508:INFO:CONSOLE(76)] "Entity auml not defined
", source: http://www.chids.de/dachs/experimente/test_html_mit_xml.xsl (76)
=================================================================
==17722== ERROR: AddressSanitizer attempting double-free on 0x7fabb097db80:
    #0 0x7fac234dad00 in __interceptor_free 
    #1 0x7fabe79c0730 in xmlFreeNodeList third_party/libxml/src/tree.c:3623
    #2 0x7fabe79d58cd in xmlFreeProp third_party/libxml/src/tree.c:2041
    #3 0x7fabe79d5236 in xmlFreePropList third_party/libxml/src/tree.c:2016
    #4 0x7fabe79c0263 in xmlFreeNodeList third_party/libxml/src/tree.c:3617
    #5 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #6 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #7 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #8 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #9 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #10 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #11 0x7fabe79be963 in xmlFreeDoc third_party/libxml/src/tree.c:1224
    #12 0x7fabe829cdba in xsltFreeStylesheet third_party/libxslt/libxslt/xslt.c:1017
    #13 0x7fabeee33c30 in WebCore::XSLTProcessor::transformToString(WebCore::Node*, WTF::String&, WTF::String&, WTF::String&) third_party/WebKit/Source/WebCore/xml/XSLTProcessorLibxslt.cpp:368
    #14 0x7fabe885268a in WebCore::Document::applyXSLTransform(WebCore::ProcessingInstruction*) third_party/WebKit/Source/WebCore/dom/Document.cpp:4649
    #15 0x7fabe885100e in WebCore::Document::collectActiveStylesheets(WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>, 0ul>&) third_party/WebKit/Source/WebCore/dom/Document.cpp:3469
    #16 0x7fabe8834421 in WebCore::Document::updateActiveStylesheets(WebCore::StyleResolverUpdateFlag) third_party/WebKit/Source/WebCore/dom/Document.cpp:3654
    #17 0x7fabe8825331 in WebCore::Document::styleResolverChanged(WebCore::StyleResolverUpdateFlag) third_party/WebKit/Source/WebCore/dom/Document.cpp:3374
    #18 0x7fabe884f4eb in WebCore::Document::didRemoveAllPendingStylesheet() third_party/WebKit/Source/WebCore/dom/Document.cpp:3344
    #19 0x7fabe884f2f9 in WebCore::Document::removePendingSheet(WebCore::Document::RemovePendingSheetNotificationType) third_party/WebKit/Source/WebCore/dom/Document.cpp:3337
    #20 0x7fabe8dccb5a in WebCore::ProcessingInstruction::sheetLoaded() third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:201
    #21 0x7fabeee211e2 in WebCore::XSLStyleSheet::checkLoaded() third_party/WebKit/Source/WebCore/xml/XSLStyleSheetLibxslt.cpp:110
    #22 0x7fabe8dcdbf8 in WebCore::ProcessingInstruction::parseStyleSheet(WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:260
    #23 0x7fabe8dce095 in WebCore::ProcessingInstruction::setXSLStyleSheet(WTF::String const&, WebCore::KURL const&, WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:237
    #24 0x7fabe8dce1ae in non-virtual thunk to WebCore::ProcessingInstruction::setXSLStyleSheet(WTF::String const&, WebCore::KURL const&, WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:237
    #25 0x7fabee55da15 in WebCore::CachedXSLStyleSheet::checkNotify() third_party/WebKit/Source/WebCore/loader/cache/CachedXSLStyleSheet.cpp:89
    #26 0x7fabee55d71a in WebCore::CachedXSLStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) third_party/WebKit/Source/WebCore/loader/cache/CachedXSLStyleSheet.cpp:79
    #27 0x7fabee3e392d in WebCore::SubresourceLoader::didFinishLoading(double) third_party/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:298
    #28 0x7fabee3c7387 in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:441
    #29 0x7fabeb644232 in WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader*, double) third_party/WebKit/Source/WebCore/platform/network/chromium/ResourceHandle.cpp:157
0x7fabb097db80 is located 0 bytes inside of 26-byte region [0x7fabb097db80,0x7fabb097db9a)
freed by thread T0 here:
    #0 0x7fac234dad00 in __interceptor_free 
    #1 0x7fabe79c0730 in xmlFreeNodeList third_party/libxml/src/tree.c:3623
    #2 0x7fabe79d58cd in xmlFreeProp third_party/libxml/src/tree.c:2041
    #3 0x7fabe79d5236 in xmlFreePropList third_party/libxml/src/tree.c:2016
    #4 0x7fabe79c0263 in xmlFreeNodeList third_party/libxml/src/tree.c:3617
    #5 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #6 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #7 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #8 0x7fabe79bffb2 in xmlFreeNodeList third_party/libxml/src/tree.c:3612
    #9 0x7fabe79be963 in xmlFreeDoc third_party/libxml/src/tree.c:1224
    #10 0x7fabeee33b51 in WebCore::XSLTProcessor::transformToString(WebCore::Node*, WTF::String&, WTF::String&, WTF::String&) third_party/WebKit/Source/WebCore/xml/XSLTProcessorLibxslt.cpp:363
    #11 0x7fabe885268a in WebCore::Document::applyXSLTransform(WebCore::ProcessingInstruction*) third_party/WebKit/Source/WebCore/dom/Document.cpp:4649
    #12 0x7fabe885100e in WebCore::Document::collectActiveStylesheets(WTF::Vector<WTF::RefPtr<WebCore::StyleSheet>, 0ul>&) third_party/WebKit/Source/WebCore/dom/Document.cpp:3469
    #13 0x7fabe8834421 in WebCore::Document::updateActiveStylesheets(WebCore::StyleResolverUpdateFlag) third_party/WebKit/Source/WebCore/dom/Document.cpp:3654
    #14 0x7fabe8825331 in WebCore::Document::styleResolverChanged(WebCore::StyleResolverUpdateFlag) third_party/WebKit/Source/WebCore/dom/Document.cpp:3374
    #15 0x7fabe884f4eb in WebCore::Document::didRemoveAllPendingStylesheet() third_party/WebKit/Source/WebCore/dom/Document.cpp:3344
    #16 0x7fabe884f2f9 in WebCore::Document::removePendingSheet(WebCore::Document::RemovePendingSheetNotificationType) third_party/WebKit/Source/WebCore/dom/Document.cpp:3337
    #17 0x7fabe8dccb5a in WebCore::ProcessingInstruction::sheetLoaded() third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:201
    #18 0x7fabeee211e2 in WebCore::XSLStyleSheet::checkLoaded() third_party/WebKit/Source/WebCore/xml/XSLStyleSheetLibxslt.cpp:110
    #19 0x7fabe8dcdbf8 in WebCore::ProcessingInstruction::parseStyleSheet(WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:260
    #20 0x7fabe8dce095 in WebCore::ProcessingInstruction::setXSLStyleSheet(WTF::String const&, WebCore::KURL const&, WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:237
    #21 0x7fabe8dce1ae in non-virtual thunk to WebCore::ProcessingInstruction::setXSLStyleSheet(WTF::String const&, WebCore::KURL const&, WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:237
    #22 0x7fabee55da15 in WebCore::CachedXSLStyleSheet::checkNotify() third_party/WebKit/Source/WebCore/loader/cache/CachedXSLStyleSheet.cpp:89
    #23 0x7fabee55d71a in WebCore::CachedXSLStyleSheet::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) third_party/WebKit/Source/WebCore/loader/cache/CachedXSLStyleSheet.cpp:79
    #24 0x7fabee3e392d in WebCore::SubresourceLoader::didFinishLoading(double) third_party/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:298
    #25 0x7fabee3c7387 in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:441
    #26 0x7fabeb644231 in WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader*, double) third_party/WebKit/Source/WebCore/platform/network/chromium/ResourceHandle.cpp:156
    #27 0x7fac01410b26 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) webkit/glue/weburlloader_impl.cc:669
    #28 0x7fac0684b7a2 in content::ResourceDispatcher::OnRequestComplete(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) content/common/resource_dispatcher.cc:432
    #29 0x7fac068578f5 in void DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&), int, net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::TimeTicks>(content::ResourceDispatcher*, void (content::ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&), Tuple4<int, net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::TimeTicks> const&) ./base/tuple.h:566
previously allocated by thread T0 here:
    #0 0x7fac234dadc0 in __interceptor_malloc 
    #1 0x7fabe75a9345 in size_checked_malloc third_party/libxml/src/globals.c:97
    #2 0x7fabe7f29ea5 in xmlStrndup third_party/libxml/src/xmlstring.c:45
    #3 0x7fabe797852d in xmlSAX2TextNode third_party/libxml/src/SAX2.c:1860
    #4 0x7fabe796f190 in xmlSAX2AttributeNs third_party/libxml/src/SAX2.c:2014
    #5 0x7fabe796c008 in xmlSAX2StartElementNs third_party/libxml/src/SAX2.c:2313
    #6 0x7fabe777e5bb in xmlParseStartTag2 third_party/libxml/src/parser.c:9119
    #7 0x7fabe776ea9d in xmlParseElement third_party/libxml/src/parser.c:9466
    #8 0x7fabe776ca56 in xmlParseContent third_party/libxml/src/parser.c:9379
    #9 0x7fabe77711ea in xmlParseElement third_party/libxml/src/parser.c:9552
    #10 0x7fabe776ca56 in xmlParseContent third_party/libxml/src/parser.c:9379
    #11 0x7fabe77711ea in xmlParseElement third_party/libxml/src/parser.c:9552
    #12 0x7fabe776ca56 in xmlParseContent third_party/libxml/src/parser.c:9379
    #13 0x7fabe77711ea in xmlParseElement third_party/libxml/src/parser.c:9552
    #14 0x7fabe776ca56 in xmlParseContent third_party/libxml/src/parser.c:9379
    #15 0x7fabe77711ea in xmlParseElement third_party/libxml/src/parser.c:9552
    #16 0x7fabe776ca56 in xmlParseContent third_party/libxml/src/parser.c:9379
    #17 0x7fabe77711ea in xmlParseElement third_party/libxml/src/parser.c:9552
    #18 0x7fabe776ca56 in xmlParseContent third_party/libxml/src/parser.c:9379
    #19 0x7fabe77711ea in xmlParseElement third_party/libxml/src/parser.c:9552
    #20 0x7fabe779730e in xmlParseDocument third_party/libxml/src/parser.c:10214
    #21 0x7fabe77e9516 in xmlDoRead third_party/libxml/src/parser.c:14498
    #22 0x7fabe77ed2a5 in xmlCtxtReadMemory third_party/libxml/src/parser.c:14776
    #23 0x7fabeee22d84 in WebCore::XSLStyleSheet::parseString(WTF::String const&) third_party/WebKit/Source/WebCore/xml/XSLStyleSheetLibxslt.cpp:173
    #24 0x7fabe8dcda10 in WebCore::ProcessingInstruction::parseStyleSheet(WTF::String const&) third_party/WebKit/Source/WebCore/dom/ProcessingInstruction.cpp:247
Stats: 9M malloced (14M for red zones) by 41579 calls
Stats: 0M realloced by 1063 calls
Stats: 7M freed by 22080 calls
Stats: 0M really freed by 0 calls
Stats: 60M (15369 full pages) mmaped in 15 calls
  mmaps   by size class: 8:49149; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:128; 17:32; 18:16; 19:8;
  mallocs by size class: 8:37017; 9:2183; 10:1564; 11:417; 12:57; 13:69; 14:151; 15:30; 16:81; 17:7; 18:2; 19:1;
  frees   by size class: 8:19387; 9:648; 10:1426; 11:294; 12:32; 13:53; 14:137; 15:21; 16:74; 17:6; 18:1; 19:1;
  rfrees  by size class:
Stats: malloc large: 10 small slow: 186
==17722== ABORTING

Comment 7 by veill...@gmail.com, Aug 26 2012

To be honest I don't understand why
  WebCore::Document::removePendingSheet
ends up calling
  WebCore::XSLTProcessor::transformToString

But anyhow WebCore::XSLTProcessor::transformToString
seems to free the document twice, probably when
processing embedded stylesheets.
It doesn't directly look like the fault of libxslt.
Remember when you create a stylesheet from an
XML document, the stylesheet will own the document,
modify it etc ... and freeing the stylesheet will
free the document. My take is that you are freeing both
from transformToString and that leads to the double-free,
per the 2 free traces you're freeing both ways.

  "Not libxslt that time" is my take on this :-)

Daniel

Comment 8 by infe...@chromium.org, Aug 26 2012

Thanks a lot Daniel for the detailed analysis. Really appreciate your quick response here.

We will try to get the real bug fixed in webkit code - https://bugs.webkit.org/show_bug.cgi?id=95022

Comment 9 by infe...@chromium.org, Aug 26 2012

Cc: -veill...@gmail.com
Chris, the minimized testcase is coming at https://cluster-fuzz.appspot.com/testcase?key=99836409

Comment 10 by infe...@chromium.org, Aug 29 2012

Comment 11 by scarybea...@gmail.com, Aug 30 2012

Status: Started
Ok, started!

Comment 12 by scarybea...@gmail.com, Aug 30 2012

Still not sure what is going on but here is a more minimal test case:

XML
<?xml-stylesheet href="test.xsl" type="text/xsl"?>
<doc/>

XSL
<!DOCTYPE html PUBLIC "" "a">
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html><img alt="&blah;"/></html>
</xsl:template>
</xsl:stylesheet>

Comment 13 by scarybea...@gmail.com, Aug 30 2012

Cc: veill...@gmail.com
Adding Daniel back on, it's definitely a libxslt bug and not a WebKit bug after all. I'll have a patch landed shortly.

Comment 14 by bugdroid1@chromium.org, Aug 31 2012

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=154331

------------------------------------------------------------------------
r154331 | cevans@chromium.org | 2012-08-31T00:35:45.635928Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxslt/README.chromium?r1=154331&r2=154330&pathrev=154331
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxslt/libxslt/templates.c?r1=154331&r2=154330&pathrev=154331

Fix dictionary string usage.

BUG= 144799 
Review URL: https://chromiumcodereview.appspot.com/10919019
------------------------------------------------------------------------

Comment 15 by scarybea...@gmail.com, Aug 31 2012

Labels: -Restrict-View-SecurityTeam -Mstone-21 Restrict-View-SecurityNotify Mstone-22 Merge-Approved
Status: FixUnreleased
@veillard: looks like a corner case situation caused us to take a second pointer reference to a string which isn't in any dictionary. So obviously a double-free results. I added a more detailed check to only share a pointer if the string really is in the dictionary.

BTW, "valgrind" also showed the double free for me in stock xsltproc.
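
As an added illustration (not code from libxslt, libxml2 or Chromium), the following self-contained C model shows the ownership mistake described in the comment above and the check that fixes it: a string dictionary owns the storage of the strings it interns, and code that shares a pointer on the assumption that "every value is in the dictionary" creates a second owner whenever a non-dictionary string slips through, so both owners free it. libxml2 exposes the real ownership test as xmlDictOwns(); the dictionary, node and helper names used here (string_dict, dict_owns, set_content_checked, aliases_foreign_string) are hypothetical, and the "&blah;" value is a constructed sample echoing the comment #12 reproducer.

```c
/*
 * Added example (not libxslt's or Chromium's code): a model of a string
 * dictionary, a node that may share dictionary-owned storage, and the
 * ownership check that prevents two owners from freeing one pointer.
 * All names are hypothetical; libxml2's real check is xmlDictOwns().
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DICT_CAP 16

typedef struct {
    char *entries[DICT_CAP];   /* storage owned by the dictionary */
    size_t count;
} string_dict;

/* Intern a string and return the dictionary's own copy of it. */
static const char *dict_lookup(string_dict *d, const char *s) {
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->entries[i], s) == 0)
            return d->entries[i];
    if (d->count == DICT_CAP)
        return NULL;
    d->entries[d->count] = strdup(s);
    return d->entries[d->count++];
}

/* Ownership is a question of pointer identity, not content equality:
 * does this exact pointer live in the dictionary's storage? */
static int dict_owns(const string_dict *d, const char *s) {
    for (size_t i = 0; i < d->count; i++)
        if (d->entries[i] == s)
            return 1;
    return 0;
}

static void dict_free(string_dict *d) {
    for (size_t i = 0; i < d->count; i++)
        free(d->entries[i]);
    d->count = 0;
}

typedef struct {
    const char *content;   /* either dictionary-shared or privately owned */
} text_node;

/* Buggy pattern: assumes the value is dictionary-owned and shares the pointer.
 * For a value that is NOT in the dictionary this creates a second owner. */
static void set_content_unchecked(text_node *n, const char *value) {
    n->content = value;
}

/* Fixed pattern: share the pointer only if the dictionary really owns it,
 * otherwise take a private copy that this node alone will free. */
static void set_content_checked(text_node *n, const string_dict *d, const char *value) {
    n->content = dict_owns(d, value) ? value : strdup(value);
}

/* Release a node: free the content only when the dictionary does not own it.
 * With an aliased foreign pointer this is where the double-free would occur. */
static void node_free(text_node *n, const string_dict *d) {
    if (n->content && !dict_owns(d, n->content))
        free((char *)n->content);
    n->content = NULL;
}

/* 1 if the node aliases a heap string the dictionary does not own, i.e. a
 * second owner exists and freeing both sides would free it twice. */
static int aliases_foreign_string(const text_node *n, const string_dict *d, const char *source) {
    return n->content == source && !dict_owns(d, source);
}

int main(void) {
    string_dict d = {{0}, 0};
    const char *interned = dict_lookup(&d, "alt");
    char *foreign = strdup("&blah;");   /* constructed: not interned anywhere */
    text_node unchecked = {0}, checked = {0}, shared = {0};

    set_content_unchecked(&unchecked, foreign);
    set_content_checked(&checked, &d, foreign);
    set_content_checked(&shared, &d, interned);
    printf("unchecked node has a second owner: %d\n", aliases_foreign_string(&unchecked, &d, foreign));
    printf("checked node has a second owner:   %d\n", aliases_foreign_string(&checked, &d, foreign));
    printf("interned value shared, not copied:  %d\n", shared.content == interned);

    unchecked.content = NULL;   /* drop the alias rather than freeing it twice */
    node_free(&checked, &d);    /* frees the private copy */
    node_free(&shared, &d);     /* dictionary owns it: nothing freed here */
    free(foreign);
    dict_free(&d);
    return 0;
}
```

The point of the model is the last helper: content equality tells you nothing about who must free a buffer, so a share-or-copy decision has to be made on pointer ownership, exactly the distinction the fix described above adds.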

Comment 16 by ClusterFuzz, Sep 1 2012

Project Member
ClusterFuzz has detected this issue as fixed in range 154320:154424.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=99300377

Fuzzer: Cris_inferno_crash_url

Crash Type: Heap-double-free
Crash Address: 0x7f4056823980
Crash State:
  - crash stack -
  xmlFreeNodeList
  xmlFreeProp
  - free stack -
  xmlFreeNodeList
  xmlFreeProp
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982
Fixed: https://cluster-fuzz.appspot.com/revisions?range=154320:154424

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94t55SelxuQhysIrhDFVTMJhQ_FSBHXfc9emCPvmUwltAw7I1Esl_QyIQJVyM_9Qz0CeaKu3KVhk6q6Rt0yksPgyKgRGPd_Vu7nJTSP231zaLOEHzOlb3cVMmVPc88SC1XBaPGaoi5irxUjEXyv7S78_lnqdruuTYENJfW-erpF0OvkpRA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 17 by ClusterFuzz, Sep 1 2012

Project Member
ClusterFuzz has detected this issue as fixed in range 154320:154424.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=99836409

Uploader: inferno@chromium.org

Crash Type: Heap-double-free
Crash Address: 0x7fa340c40f80
Crash State:
  - crash stack -
  xmlFreeNodeList
  xmlFreeProp
  - free stack -
  xmlFreeNodeList
  xmlFreeProp
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982
Fixed: https://cluster-fuzz.appspot.com/revisions?range=154320:154424

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94xnjXGm9TF6KEsgnY2W-4RIC_1trZVFm6zFZlGgjog6oDvWxfG2ZrQaSOMJNq0z8lzcOwwNSAD3RmSCQnQdxVZTUJIa_8oRWbv4dprDrvPynYGMBp21Wo5WEPWrBhpkOu9z8KOYDbIG8ueCFsZ_QrE_IN7J4dbcL8Ius3nOAxhuh20Lig

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 18 by veill...@gmail.com, Sep 1 2012

Chris, I will look at this on Monday, promised :-)
A priori the patch looks fine, but I need to double-check!

Daniel

Comment 19 by veill...@gmail.com, Sep 3 2012

ClusterFuck^^zz still denies me access, but based on the comment #12 reproducer
yes that looks just right!
Committed upstream:
  http://git.gnome.org/browse/libxslt/commit/?id=54977ed7966847e305a2008cb18892df26eeb065

Thanks for chasing this!

Daniel

Comment 20 by scarybea...@gmail.com, Sep 5 2012

Labels: -Merge-Approved Merge-Merged
r154909

Comment 21 by bugdroid1@chromium.org, Sep 5 2012

Project Member
Labels: merge-merged-1229
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=154909

------------------------------------------------------------------------
r154909 | cevans@chromium.org | 2012-09-05T07:35:18.267786Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1229/src/third_party/libxslt/README.chromium?r1=154909&r2=154908&pathrev=154909
   M http://src.chromium.org/viewvc/chrome/branches/1229/src/third_party/libxslt/libxslt/templates.c?r1=154909&r2=154908&pathrev=154909

Merge 154331 - Fix dictionary string usage.

BUG= 144799 
Review URL: https://chromiumcodereview.appspot.com/10919019

TBR=cevans@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10913080
------------------------------------------------------------------------

Comment 22 by bugdroid1@chromium.org, Oct 14 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 23 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 24 by bugdroid1@chromium.org, Jan 18 2013

Project Member
Labels: Restrict-View-EditIssue
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 25 by bugdroid1@chromium.org, Jan 18 2013

Project Member
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 26 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -Type-Security -SecSeverity-High -SecImpacts-Stable -Mstone-22 -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta Type-Bug-Security M-22 Security-Severity-High Performance-Memory-AddressSanitizer

Comment 27 by bugdroid1@chromium.org, Mar 14 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 28 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 30 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 31 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 32 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 33 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 34 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 35 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 36 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 37 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
