Status: Fixed
Closed: Sep 2014
OS: All
Pri: 1
Type: Bug-Security
Use-of-uninitialized-value in std::__1::pair<std::__1::pair<WTF::StringImpl**, bool>, unsigned int> WTF::
Project Member Reported by ClusterFuzz, Sep 5 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5824609553219584

Fuzzer: Ifratric-browserfuzzer-v3
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  std::__1::pair<std::__1::pair<WTF::StringImpl**, bool>, unsigned int> WTF::
  cssyyparse
  blink::BisonCSSParser::parseSheet
  

Minimized Testcase (0.03 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95iZ_5YVFQazulSrv4VM_JVv2jdn6FNusupXZN2nftdCFn9TtLWKp8K3-B6fMQb19RPytA1jPYhCK8fJbySXpKAvQpbFAbDqmvs38aCm5XOSa-F8FKGSneTjS7vhGhKPvcS6leW0Cux5P4VtFVbpKAyZTlFmA
<style>:U14zCv\38Ae(6562
</style>>


Filer: inferno
 
Owner: timloh@chromium.org
Status: Assigned
Project Member Comment 2 by ClusterFuzz, Sep 5 2014
Labels: Pri-1
Labels: Cr-Blink-CSS M-37
Project Member Comment 4 by ClusterFuzz, Sep 12 2014
Labels: Nag
timloh@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 5 by timloh@chromium.org, Sep 15 2014
I can't work out how to compile MSan (dependency problems), maybe the instructions at http://www.chromium.org/developers/testing/memorysanitizer need to be updated for Trusty? :/
Comment 6 by aarya@google.com, Sep 15 2014
Cc: earthdok@chromium.org
Comment 7 by euge...@google.com, Sep 15 2014
Instrumented libraries build scripts must be updated for Trusty. I've filed https://crbug.com/414189.
For now, this is limited to Precise. Sorry about that. Let us know if we can help you with anything in the meantime. Are you looking to test a patch?

Project Member Comment 8 by ClusterFuzz, Sep 22 2014
timloh@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 9 by timloh@chromium.org, Sep 23 2014
Looks like this is from the CSSTokenizer's branch for FUNCTION. "++yylval->string.m_length" expects the next character is a '(' but if we've parsed an escape and allocated a new string the next character is uninitialised. As best I can tell there's no way to actually read the uninitialised character here.

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/css/parser/CSSTokenizer-in.cpp&sq=package:chromium&type=cs&l=1169
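The mechanism in comment 9, as an added example that is not Blink's code: a cut-down C++ model of the tokenizer's FUNCTION branch, with the pre-fix length bump beside the r182677 behaviour. The input strings are constructed (a variant of the minimized testcase with a space-terminated escape), and `POISON`, `Token`, `readIdentOrFunction` and `tokenText` are hypothetical names.

```cpp
// Added example, not Blink's code: a cut-down model of the CSSTokenizer FUNCTION
// branch from comment 9, before and after r182677 (escapes are assumed to be hex).
#include <cstdlib>
#include <string>
#include <vector>

static const char POISON = '\xAA';  // stands in for whatever follows a fresh buffer

struct Token {
    std::vector<char> copy;  // non-empty only when an escape forced an unescaped copy
    size_t length;
    bool isFunction;         // a '(' followed the identifier
};

// fixed == false folds the '(' into a FUNCTION token by bumping its length
// (pre-r182677 behaviour); fixed == true ends the token before the '('.
Token readIdentOrFunction(const std::string& src, bool fixed) {
    std::string unescaped;
    bool sawEscape = false;
    size_t i = 0;
    while (i < src.size() && src[i] != '(') {
        if (src[i] == '\\') {                              // "\HH " hex escape
            char* end;
            unsigned long cp = std::strtoul(src.c_str() + i + 1, &end, 16);
            unescaped += (cp < 0x80 ? (char)cp : '?');     // non-ASCII simplified
            i = end - src.c_str();
            if (i < src.size() && src[i] == ' ') ++i;      // escape terminator
            sawEscape = true;
        } else {
            unescaped += src[i++];
        }
    }
    Token t{{}, unescaped.size(), i < src.size()};
    if (sawEscape) {
        // The copy holds only the identifier: unlike the source text, no '('
        // follows it, so copy[length] is whatever the allocator left there.
        t.copy.assign(unescaped.begin(), unescaped.end());
        t.copy.push_back(POISON);
    }
    if (t.isFunction && !fixed)
        ++t.length;  // the bug: assumes chars[length] is the '(' seen in the source
    return t;
}

// The (pointer, length) view the parser reads: into the source, or into the copy.
std::string tokenText(const std::string& src, bool fixed) {
    Token t = readIdentOrFunction(src, fixed);
    const char* chars = t.copy.empty() ? src.data() : t.copy.data();
    return std::string(chars, t.length);
}
```

With the escape-free input the bumped length still lands on the real '(' in the source, which is why the bug only shows up once an escape has forced the copy.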
Project Member Comment 10 by bugdroid1@chromium.org, Sep 25 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=182677

------------------------------------------------------------------
r182677 | timloh@chromium.org | 2014-09-25T12:58:13.147320Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/css-parser/color3-expected.txt?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/CSSComputedStyleDeclaration.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/parser/BisonCSSParser-in.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Element.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/parser/CSSTokenizer-in.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/CSSCalculationValue.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/LocalDOMWindow.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/parser/CSSPropertyParser.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/CSSSelector.cpp?r1=182677&r2=182676&pathrev=182677
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/css/CSSSelector.h?r1=182677&r2=182676&pathrev=182677

Don't add '(' to FUNCTION token names

This patch makes our bison tokenizer parse FUNCTION tokens without the
opening parenthesis. This makes FUNCTIONs with escapes work correctly,
tested in color3.html.

This will be followed up with using CSSValueID for all the strings in
the CSSPropertyParser for Function types. This will provide consistency
with regular keywords, and allow us to remove the code generation in
parsing transforms. In css3-syntax, a function token's value doesn't
include the bracket.

We also change the stored value of pseudo-selectors with arguments to
not include the bracket. This makes no difference since in these cases
we never read the value aside from to parse or serialize it.

BUG= 411165 

Review URL: https://codereview.chromium.org/603443002
-----------------------------------------------------------------
Status: Fixed
Project Member Comment 12 by ClusterFuzz, Sep 25 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: -M-37 -Nag -Merge-Triage -M-38 Release-0-M39
Project Member Comment 14 by ClusterFuzz, Jan 1 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 15 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic