
Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security




Issue 154485: Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:

Reported by infe...@chromium.org, Oct 7 2012 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=121835928

Fuzzer: Cris_idl_based_dom

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f8ba9b42078
Crash State:
  - crash stack -
  std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:
  printing::PrintJobManager::OnPrintJobEvent
  printing::PrintJobManager::Observe
  


Additional requirements: Requires Interaction Gestures
 

Comment 1 by infe...@chromium.org, Oct 7 2012

Cc: thestig@chromium.org
Owner: jam@chromium.org
Status: Assigned
We don't have a reliable repro, but seeing the simple function, the heap overflow might only happen if this DCHECK fails (only in debug). Should we change this to an if? John, what do you think, or do you have ideas on the owner?

case JobEventDetails::JOB_DONE: {
  PrintJobs::iterator itr = std::find(current_jobs_.begin(),
                                      current_jobs_.end(),
                                      print_job);
  // DCHECK is compiled out in release builds, so if print_job is not in
  // current_jobs_, erase() is called with end() and reads past the buffer.
  DCHECK(current_jobs_.end() != itr);
  current_jobs_.erase(itr);

Comment 2 by thestig@chromium.org, Oct 8 2012

This seems to imply PrintJob::OnDocumentDone() got called but PrintJob::StartPrinting() didn't, or PrintJob::OnDocumentDone() got called more than once. Not sure how this can happen.

Comment 3 by infe...@chromium.org, Dec 5 2012

Cc: abodenha@chromium.org
Owner: vitalyb...@chromium.org
vitalybuka@, can you please help take a look?

Comment 4 by vitalyb...@chromium.org, Dec 5 2012

Status: Started

Comment 5 by vitalyb...@chromium.org, Dec 5 2012

I'd like to quick-fix this with a proper erase.
I already have issue http://crbug.com/161569, probably related. I'll investigate that later.

Comment 6 by infe...@chromium.org, Dec 5 2012

Thanks a lot Vitalybuka@ for looking into this.

Comment 7 by bugdroid1@chromium.org, Dec 6 2012

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=171447

------------------------------------------------------------------------
r171447 | vitalybuka@chromium.org | 2012-12-06T07:56:05.035645Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/printing/print_job_manager.cc?r1=171447&r2=171446&pathrev=171447
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/printing/print_job_manager.h?r1=171447&r2=171446&pathrev=171447

Replaced vector with set for current_jobs_.
This simplifies the code and makes sure that jobs are unique.

BUG=154485,161569

Review URL: https://chromiumcodereview.appspot.com/11443020
------------------------------------------------------------------------
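The failure modes discussed in comments 1, 2 and 7, as an added example that is not code from the Chromium tree: a vector-based manager with the DCHECK replaced by the `if` comment 1 proposes, beside the set-based shape of r171447, both replayed against the event sequences comment 2 suspects. The class and method names are simplified stand-ins for PrintJobManager, not the real API.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>
// Stand-in for printing::PrintJob; the real class is ref-counted and far larger.
struct PrintJob {};
using JobPtr = std::shared_ptr<PrintJob>;

// Pre-fix shape, with the DCHECK replaced by the `if` proposed in comment 1.
// Without the guard an unmatched JOB_DONE makes std::find() return end(), and
// erase(end()) reads past the vector's heap buffer (the READ ASan reported).
class VectorJobManager {
 public:
  void OnStartPrinting(const JobPtr& job) { current_jobs_.push_back(job); }
  // True if the job was tracked and removed; false for a JOB_DONE with no
  // matching job, the case the unguarded release build could not survive.
  bool OnJobDone(const JobPtr& job) {
    auto itr = std::find(current_jobs_.begin(), current_jobs_.end(), job);
    if (itr == current_jobs_.end()) return false;
    current_jobs_.erase(itr);
    return true;
  }
 private:
  std::vector<JobPtr> current_jobs_;
};

// Shape of the r171447 fix: std::set keeps each job unique, and erase(key) is a
// safe no-op returning 0 when the job is absent, so neither a duplicate
// JOB_DONE nor a JOB_DONE without StartPrinting touches invalid memory.
class SetJobManager {
 public:
  void OnStartPrinting(const JobPtr& job) { current_jobs_.insert(job); }
  std::size_t OnJobDone(const JobPtr& job) { return current_jobs_.erase(job); }
 private:
  std::set<JobPtr> current_jobs_;
};

// Replays the sequences comment 2 suspects (JOB_DONE twice for one job, and
// JOB_DONE for a job never started) plus a double StartPrinting, which the set
// collapses to one entry. Returns true when both managers behave as described.
bool ReplaySuspectedSequences() {
  auto a = std::make_shared<PrintJob>(), b = std::make_shared<PrintJob>();
  VectorJobManager vec;
  SetJobManager set;
  vec.OnStartPrinting(a);
  set.OnStartPrinting(a);
  set.OnStartPrinting(a);                                  // deduplicated by the set
  bool ok = vec.OnJobDone(a) && set.OnJobDone(a) == 1;     // first done removes it
  ok = ok && !vec.OnJobDone(a) && set.OnJobDone(a) == 0;   // duplicate done: nothing left
  return ok && !vec.OnJobDone(b) && set.OnJobDone(b) == 0; // never started: nothing found
}
```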

Comment 8 by infe...@chromium.org, Dec 6 2012

Labels: Merge-Approved Mstone-23 SecImpacts-Stable SecImpacts-Beta
Status: FixUnreleased
We will merge to m24 when the merge window opens.

Comment 9 by bugdroid1@chromium.org, Dec 14 2012

Project Member
Labels: -Merge-Approved merge-merged-1312
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=173057

------------------------------------------------------------------------
r173057 | cevans@chromium.org | 2012-12-14T02:33:10.465158Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/chrome/browser/printing/print_job_manager.cc?r1=173057&r2=173056&pathrev=173057
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/chrome/browser/printing/print_job_manager.h?r1=173057&r2=173056&pathrev=173057

Merge 171447
BUG=154485
> Replaced vector with set for current_jobs_.
> This simplifies the code and makes sure that jobs are unique.
>
> BUG=154485,161569
>
> Review URL: https://chromiumcodereview.appspot.com/11443020

TBR=vitalybuka@chromium.org
Review URL: https://codereview.chromium.org/11572033
------------------------------------------------------------------------

Comment 10 by scarybea...@gmail.com, Dec 18 2012

Labels: -Restrict-View-SecurityTeam -Mstone-23 Restrict-View-SecurityNotify Mstone-24 Release-0

Comment 11 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 12 by scarybea...@gmail.com, Jan 7 2013

Labels: CVE-2013-0833

Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -Stability-AddressSanitizer -Mstone-24 -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-24 Performance-Memory-AddressSanitizer Security-Impact-Stable

Comment 14 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 18 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 19 by bugdroid1@chromium.org, Apr 5 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 20 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 24 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
