
Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security


Issue 159829: Heap-buffer-overflow in WebCore::HTMLInputElement::isImageButton

Reported by infe...@chromium.org, Nov 7 2012 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=136826636

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f2401988828
Crash State:
  - crash stack -
  WebCore::HTMLInputElement::isImageButton
  WebKit::WebInputElement::isImageButton
  webkit_glue::GetSubResourceLinkFromElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97DiXB2tMhI7ivhMcQP7S6cn8wYZmidfiS5g6AWE7suh5U1rzkguBjhDsCEFks3N12UPFAb32XL6YifcXv3pA5LfXuAtQSfDcOiqp4SnCdO6H8rIwnCwOeAvKHSBSmb-d-UCNl72ziAMvpSbPGtON1vhQWo5e6XH_b-scuGvydgbw0Zjb4
<script>
var docElement = document.body ? document.body : document.documentElement;
function initCF() {
  // createElementNS is case-sensitive: "INPUT" in the XHTML namespace does not
  // match the "input" tag, so this does not create an HTMLInputElement (see comment 2).
  try { tCF41 = document.createElementNS("http://www.w3.org/1999/xhtml", "INPUT"); } catch(e) {}
  try { tCF41.setAttribute("pattern", "bar"); } catch(e) {}
  try { docElement.appendChild(tCF41); } catch(e) {}
}
document.addEventListener("DOMContentLoaded", initCF, false);
function editFuzz() {
}</script>

Additional requirements: Requires Interaction Gestures
 

Comment 1 by infe...@chromium.org, Nov 7 2012

Owner: tkent@chromium.org
Status: Assigned
Kent-san, this looks similar to the one you fixed some time back.

Comment 2 by tkent@chromium.org, Nov 8 2012

OMG document.createElementNS("http://www.w3.org/1999/xhtml", "INPUT") doesn't create HTMLInputElement.

Comment 3 by tkent@chromium.org, Nov 8 2012

Labels: WebKit-ID-101537
Status: Started

Comment 4 Deleted

Comment 5 by tkent@chromium.org, Nov 9 2012

Comment 6 by ClusterFuzz, Nov 9 2012

Project Member
ClusterFuzz has detected this issue as fixed in range 166842:166875.

Fixed: https://cluster-fuzz.appspot.com/revisions?range=166842:166875

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 7 by infe...@chromium.org, Nov 9 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Thanks a lot Kent.

Comment 8 by scarybea...@gmail.com, Nov 12 2012

Comment 9 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 10 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-23 -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-23 Performance-Memory-AddressSanitizer

Comment 11 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 12 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 13 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 14 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 15 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 16 by bugdroid1@chromium.org, Apr 5 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 17 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 18 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
