Issue 159829 link

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in WebCore::HTMLInputElement::isImageButton

Reported by infe...@chromium.org (Project Member), Nov 7 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=136826636

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f2401988828
Crash State:
  - crash stack -
  WebCore::HTMLInputElement::isImageButton
  WebKit::WebInputElement::isImageButton
  webkit_glue::GetSubResourceLinkFromElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97DiXB2tMhI7ivhMcQP7S6cn8wYZmidfiS5g6AWE7suh5U1rzkguBjhDsCEFks3N12UPFAb32XL6YifcXv3pA5LfXuAtQSfDcOiqp4SnCdO6H8rIwnCwOeAvKHSBSmb-d-UCNl72ziAMvpSbPGtON1vhQWo5e6XH_b-scuGvydgbw0Zjb4
<script>
// ClusterFuzz-minimized testcase (fuzzer: Inferno_twister); comments added for readability.
var docElement = document.body ? document.body : document.documentElement;
function initCF() {
// Uppercase local name in the XHTML namespace: in an HTML document this does not
// yield an HTMLInputElement (see comment 2), which is the root cause of the crash.
try { tCF41 = document.createElementNS("http://www.w3.org/1999/xhtml", "INPUT"); } catch(e) {}
try { tCF41.setAttribute("pattern", "bar"); } catch(e) {}
// Inserting it into the document is what the later interaction gesture operates on.
try { docElement.appendChild(tCF41); } catch(e) {}
}
document.addEventListener("DOMContentLoaded", initCF, false);
function editFuzz() {
}</script>

Additional requirements: Requires Interaction Gestures
 
Owner: tkent@chromium.org
Status: Assigned
Kent-san, this looks similar to the one you fixed some time back.

Comment 2 by tkent@chromium.org, Nov 8 2012

OMG document.createElementNS("http://www.w3.org/1999/xhtml", "INPUT") doesn't create HTMLInputElement. 
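
What comment 2 describes is an element-interface mismatch. In an HTML document, an element created in the XHTML namespace with the local name "INPUT" is not an HTMLInputElement, because the element interface is chosen by exact local-name match (lowercase "input"), yet its tagName is reported in ASCII uppercase and so reads "INPUT" exactly like a real input. Any code that decides "this is an input element" by comparing that tag-name string and then downcasts is reading HTMLInputElement fields from an object that never had them, which is consistent with the ASan report above: an 8-byte read inside isImageButton, reached from GetSubResourceLinkFromElement. The C++ below is an added example modelling that pattern; it is not Chromium or WebKit code. The class layouts, the createElementNS helper and the two predicates are assumptions chosen to mirror the crash stack, and the unsafe predicate only reports whether the name check would accept the element instead of performing the out-of-bounds read.

```cpp
// Added example, not Chromium/WebKit code: a small model of the element-type
// confusion behind this report. Class names and layouts are assumptions that
// mirror the crash stack, not copies of WebKit's real classes.
#include <cassert>
#include <cctype>
#include <memory>
#include <string>
#include <utility>

// Stand-in for WebCore::HTMLElement: just a local name plus a virtual type query.
class HTMLElement {
public:
    explicit HTMLElement(std::string localName) : m_localName(std::move(localName)) {}
    virtual ~HTMLElement() = default;

    // Exact local name as passed to createElement/createElementNS.
    const std::string& localName() const { return m_localName; }

    // HTML elements in an HTML document report tagName in ASCII uppercase,
    // so both "input" and "INPUT" yield "INPUT" here.
    std::string tagName() const {
        std::string upper = m_localName;
        for (char& c : upper)
            c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
        return upper;
    }

    // Type query answered by the concrete object, not by a name string.
    virtual bool isInputElement() const { return false; }

private:
    std::string m_localName;
};

// Stand-in for HTMLUnknownElement: no fields beyond the base class.
class HTMLUnknownElement : public HTMLElement {
public:
    using HTMLElement::HTMLElement;
};

// Stand-in for HTMLInputElement: one extra pointer-sized field (the input
// type) that isImageButton() dereferences. On LP64 that is an 8-byte read.
class HTMLInputElement : public HTMLElement {
public:
    HTMLInputElement(std::string localName, const char* type)
        : HTMLElement(std::move(localName)), m_type(type) {}

    bool isInputElement() const override { return true; }
    bool isImageButton() const { return std::string(m_type) == "image"; }

private:
    const char* m_type;  // absent from HTMLUnknownElement
};

// Model of DOM element creation in an HTML document: the interface is picked
// by exact local-name match in the XHTML namespace, so "INPUT" is unknown.
std::unique_ptr<HTMLElement> createElementNS(const std::string& ns,
                                             const std::string& localName,
                                             const char* inputType = "text") {
    static const std::string kXhtml = "http://www.w3.org/1999/xhtml";
    if (ns == kXhtml && localName == "input")
        return std::make_unique<HTMLInputElement>(localName, inputType);
    return std::make_unique<HTMLUnknownElement>(localName);
}

// Unsafe pattern: treat a tagName() match as proof of type, then downcast.
// For an HTMLUnknownElement named "INPUT" the check passes; a static_cast
// followed by isImageButton() would then read m_type past the end of the
// smaller heap object. This function only reports the decision.
bool nameCheckWouldCast(const HTMLElement& el) {
    return el.tagName() == "INPUT";
}

// Safe pattern: ask the object what it is before downcasting.
bool isImageButtonSafe(const HTMLElement& el) {
    if (!el.isInputElement())
        return false;
    return static_cast<const HTMLInputElement&>(el).isImageButton();
}

int main() {
    const std::string xhtml = "http://www.w3.org/1999/xhtml";
    auto bogus = createElementNS(xhtml, "INPUT");          // the testcase's element
    auto image = createElementNS(xhtml, "input", "image");
    assert(bogus->tagName() == image->tagName());         // both "INPUT"
    assert(nameCheckWouldCast(*bogus));                   // name check is fooled
    assert(!bogus->isInputElement());                     // but it is no input
    assert(!isImageButtonSafe(*bogus));                   // type-checked path refuses
    assert(isImageButtonSafe(*image));
    return 0;
}
```

The point to carry into review of similar code: a tagName or nodeName comparison is a string match, not a type check, and it is fooled by exactly the element the testcase builds; downcast only after the object itself confirms its type, as isImageButtonSafe does.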

Comment 3 by tkent@chromium.org, Nov 8 2012

Labels: WebKit-ID-101537
Status: Started

Comment 4 Deleted

Comment 5 by tkent@chromium.org, Nov 9 2012

Should be fixed by http://trac.webkit.org/changeset/133982

Comment 6 by ClusterFuzz (Project Member), Nov 9 2012

ClusterFuzz has detected this issue as fixed in range 166842:166875.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=136826636

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f2401988828
Crash State:
  - crash stack -
  WebCore::HTMLInputElement::isImageButton
  WebKit::WebInputElement::isImageButton
  webkit_glue::GetSubResourceLinkFromElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982
Fixed: https://cluster-fuzz.appspot.com/revisions?range=166842:166875

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97DiXB2tMhI7ivhMcQP7S6cn8wYZmidfiS5g6AWE7suh5U1rzkguBjhDsCEFks3N12UPFAb32XL6YifcXv3pA5LfXuAtQSfDcOiqp4SnCdO6H8rIwnCwOeAvKHSBSmb-d-UCNl72ziAMvpSbPGtON1vhQWo5e6XH_b-scuGvydgbw0Zjb4

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Thanks a lot Kent.
Labels: -Merge-Approved Merge-Merged
M23: http://trac.webkit.org/changeset/134275
M24: http://trac.webkit.org/changeset/134276

Comment 9 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 10 by bugdroid1@chromium.org (Project Member), Mar 10 2013

Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-23 -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-23 Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify

Comment 12 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 13 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 14 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 15 by bugdroid1@chromium.org (Project Member), Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 16 by bugdroid1@chromium.org (Project Member), Apr 5 2013

Labels: -Cr-Content Cr-Blink

Comment 17 by sheriffbot@chromium.org (Project Member), Jun 14 2016

Labels: -security_impact-beta

Comment 18 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
