
Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:

Project Member Reported by infe...@chromium.org, Oct 7 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=121835928

Fuzzer: Cris_idl_based_dom

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f8ba9b42078
Crash State:
  - crash stack -
  std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:
  printing::PrintJobManager::OnPrintJobEvent
  printing::PrintJobManager::Observe
  


Additional requirements: Requires Interaction Gestures
 
Cc: thestig@chromium.org
Owner: jam@chromium.org
Status: Assigned
We don't have a reliable repro, but seeing the simple function, the heap overflow might only happen if this DCHECK fails (only in debug). Should we change this to an if? John, what do you think, or do you have ideas on the owner?

case JobEventDetails::JOB_DONE: {
      PrintJobs::iterator itr = std::find(current_jobs_.begin(),
                                          current_jobs_.end(),
                                          print_job);
      DCHECK(current_jobs_.end() != itr);
      current_jobs_.erase(itr);
This seems to imply PrintJob::OnDocumentDone() got called but PrintJob::StartPrinting() didn't, or PrintJob::OnDocumentDone() got called more than once. Not sure how this can happen.
Cc: abodenha@chromium.org
Owner: vitalyb...@chromium.org
vitalybuka@, can you please help take a look?
Status: Started
I'd like to do a quick fix with a proper erase.
I already have issue http://crbug.com/161569, probably related. I'll investigate that later.
Thanks a lot Vitalybuka@ for looking into this.
Project Member

Comment 7 by bugdroid1@chromium.org, Dec 6 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=171447

------------------------------------------------------------------------
r171447 | vitalybuka@chromium.org | 2012-12-06T07:56:05.035645Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/printing/print_job_manager.cc?r1=171447&r2=171446&pathrev=171447
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/printing/print_job_manager.h?r1=171447&r2=171446&pathrev=171447

Replaced vector with set for current_jobs_.
This simplifies the code and makes sure that jobs are unique.

BUG=154485, 161569

Review URL: https://chromiumcodereview.appspot.com/11443020
------------------------------------------------------------------------
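The two remedies discussed in this thread, side by side, as an added example that is not Chromium's code: a vector-based manager with the plain "if" guard proposed in comment 1 in place of the DCHECK (so a JOB_DONE for a job that is not in the list no longer reaches erase(end())), and a set-based manager in the direction of r171447, where erase-by-key is a no-op for a missing job and a job cannot be registered twice. PrintJob, JobPtr, the manager class names and CountSuccessfulDones are hypothetical stand-ins; Chromium's real code uses scoped_refptr<printing::PrintJob>.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Hypothetical stand-in for printing::PrintJob (Chromium holds scoped_refptr).
struct PrintJob { int id; };
using JobPtr = std::shared_ptr<PrintJob>;

// Vector-based manager as in the report. The original only DCHECKed that the
// job was found; release builds compile that out and reach erase(end()),
// which is undefined behaviour (ASan: heap-buffer-overflow READ). The "if"
// proposed in comment 1 is what guards it here.
class VectorJobManager {
 public:
  void OnJobStarted(JobPtr job) { current_jobs_.push_back(job); }
  bool OnJobDone(const JobPtr& job) {  // true if a job was removed
    auto itr = std::find(current_jobs_.begin(), current_jobs_.end(), job);
    if (itr == current_jobs_.end()) return false;  // not found: never erase
    current_jobs_.erase(itr);
    return true;
  }
 private:
  std::vector<JobPtr> current_jobs_;  // duplicates possible
};

// Direction taken in r171447: a std::set keyed by the job pointer.
// set::erase(key) removes 0 or 1 elements and never dereferences end(),
// and a job cannot be registered twice.
class SetJobManager {
 public:
  void OnJobStarted(JobPtr job) { current_jobs_.insert(job); }
  bool OnJobDone(const JobPtr& job) { return current_jobs_.erase(job) == 1; }
 private:
  std::set<JobPtr> current_jobs_;
};

// Drives the suspected sequence (double registration, repeated JOB_DONE,
// JOB_DONE for a never-started job); returns how many calls removed a job.
template <typename Manager>
int CountSuccessfulDones() {
  auto a = std::make_shared<PrintJob>(PrintJob{1});
  auto b = std::make_shared<PrintJob>(PrintJob{2});
  Manager m;
  m.OnJobStarted(a);
  m.OnJobStarted(a);  // vector keeps two copies, set keeps one
  int done = 0;
  for (int i = 0; i < 3; ++i) done += m.OnJobDone(a);
  return done + m.OnJobDone(b);  // vector: 2, set: 1
}
```

Under ASan the unguarded original would report the erase(end()) as the heap-buffer-overflow read in the crash state above; both managers here return cleanly for the extra JOB_DONE events instead.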
Labels: Merge-Approved Mstone-23 SecImpacts-Stable SecImpacts-Beta
Status: FixUnreleased
We will merge to m24 when merge window opens.
Project Member

Comment 9 by bugdroid1@chromium.org, Dec 14 2012

Labels: -Merge-Approved merge-merged-1312
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=173057

------------------------------------------------------------------------
r173057 | cevans@chromium.org | 2012-12-14T02:33:10.465158Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/chrome/browser/printing/print_job_manager.cc?r1=173057&r2=173056&pathrev=173057
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/chrome/browser/printing/print_job_manager.h?r1=173057&r2=173056&pathrev=173057

Merge 171447
BUG= 154485 
> Replaced vector with set for current_jobs_.
> This simplifies the code and makes sure that jobs are unique.
> 
> BUG=154485, 161569
> 
> Review URL: https://chromiumcodereview.appspot.com/11443020

TBR=vitalybuka@chromium.org
Review URL: https://codereview.chromium.org/11572033
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam -Mstone-23 Restrict-View-SecurityNotify Mstone-24 Release-0
Status: Fixed
Labels: CVE-2013-0833
Project Member

Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -Stability-AddressSanitizer -Mstone-24 -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-24 Performance-Memory-AddressSanitizer Security-Impact-Stable
Labels: -Restrict-View-SecurityNotify
Project Member

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 18 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 19 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 20 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
