
Issue 41469 link

Issue metadata

Status: Fixed
Owner:
Closed: May 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
M-5


Drag and drop bad reference counting leads to re-use of freed memory: WebCore..String..length ReadAV@Arbitrary (394bb1a56acd66a43221b2a08fa5b25a)

Reported by skylined@chromium.org, Apr 14 2010

Issue description

Dragging and dropping an image while a page is being refreshed can trigger memory corruption. Found while trying to reproduce issue 41447.

Repro:
1) Create a window with an IFRAME that refreshes constantly (drag&drop.htm)
2) In the IFRAME, load a page that has an image. (drag&drop2.html, drag&drop.jpg)
3) Drag and drop the image.
4) KaB00m.

This repro may not show clear signs of memory corruption. However, using the repro for issue 41447 to do this does clearly show the same crash, but with a non-NULL pointer.

WebCore..String..length ReadAV@NULL (394bb1a56acd66a43221b2a08fa5b25a).html
227 KB Download
drag&drop.htm
139 bytes View Download
drag&drop2.html
71 bytes View Download
drag&drop.jpg
1.2 KB View Download

Comment 1 by kuz...@gmail.com, Apr 14 2010

cool!
Labels: Security Restrict-View-SecurityTeam
This bug has SecSeverity-High but misses the Security and Restrict tags. Adding those.

Looking into what is causing this.
@inferno: doh! My bad - maybe I should set the default to security to avoid this :(
Status: Started
Filed WebKit bug - https://bugs.webkit.org/show_bug.cgi?id=37618. Will submit patch shortly, still testing.
Summary: Drag and drop bad reference counting leads to re-use of freed memory: WebCore..String..length ReadAV@Arbitrary (394bb1a56acd66a43221b2a08fa5b25a)
From the patch, I take it this summary is more descriptive of the issue.

Comment 8 by karen@chromium.org, Apr 20 2010

Labels: Mstone-5
Status: FixUnreleased
Committed r58441: <http://trac.webkit.org/changeset/58441>
Will check with anthony before merging to 375 branch since we are close to v5 beta. 
Reopening. Broke 2 Qt tests, damn!
Status: Started
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=46185 

------------------------------------------------------------------------
r46185 | inferno@chromium.org | 2010-05-01 09:36:49 -0700 (Sat, 01 May 2010) | 32 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/ChangeLog?r1=46185&r2=46184
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/editing/pasteboard/drag-drop-iframe-refresh-crash-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/editing/pasteboard/drag-drop-iframe-refresh-crash.html
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/editing/resources/drag-drop.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/platform/qt/Skipped?r1=46185&r2=46184
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/ChangeLog?r1=46185&r2=46184
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/page/DragController.cpp?r1=46185&r2=46184
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/page/DragController.h?r1=46185&r2=46184

Merge 58616 - WebCore: Convert m_documentUnderMouse, m_dragInitiator to RefPtr.
Eliminated unused m_dragInitiator accessor to prevent dereferencing.
https://bugs.webkit.org/show_bug.cgi?id=37618

BUG= 41469 
TEST=drag-drop-iframe-refresh-crash.html

Patch by Abhishek Arya <inferno@chromium.org> on 20100430
Reviewed by David Kilzer.

Test: editing/pasteboard/drag-drop-iframe-refresh-crash.html

* page/DragController.cpp:
(WebCore::DragController::tryDocumentDrag):
(WebCore::DragController::concludeEditDrag):
* page/DragController.h:
(WebCore::DragController::draggingImageURL):
(WebCore::DragController::documentUnderMouse):

LayoutTests: Tests for a crash when an image dragdrop operation happens inside a continuously refreshing iframe.
https://bugs.webkit.org/show_bug.cgi?id=37618

Patch by Abhishek Arya <inferno@chromium.org> on 20100430
Reviewed by David Kilzer.

* editing/pasteboard/drag-drop-iframe-refresh-crash-expected.txt: Added.
* editing/pasteboard/drag-drop-iframe-refresh-crash.html: Added.
* editing/resources/drag-drop.html: Added.
* platform/qt/Skipped:

TBR=ddkilzer@apple.com
Review URL: http://codereview.chromium.org/1706021
------------------------------------------------------------------------

Status: FixUnreleased
Bug now committed in 375. All bots green. http://trac.webkit.org/changeset/58616. The problem was that the Qt framework does not support drag-drop, so the layout test needs to be excluded.
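The merged change converts DragController's cached document pointers from raw pointers to RefPtr. The following is an added illustration of why that matters, written for this page and not taken from WebKit: a frame that owns a refcounted document, a drag controller that remembers the document under the mouse, and a refresh of the frame between drag start and drop. Document, RefPtr and Frame here are minimal stand-ins for the WebCore classes, and the liveness bookkeeping (a set of live object addresses) exists only so the example can detect a dangling pointer without touching freed memory.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>

// Constructed example: addresses of Document objects that currently exist, so a
// dangling pointer can be detected without dereferencing freed memory.
static std::set<const void*> g_liveDocuments;

// Intrusive refcounted object in the style of WebCore's RefCounted (stand-in class).
class Document {
public:
    explicit Document(std::string url) : m_refCount(0), m_url(std::move(url)) {
        g_liveDocuments.insert(this);
    }
    ~Document() { g_liveDocuments.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; } // last reference frees the object
    const std::string& url() const { return m_url; }
private:
    unsigned m_refCount; // starts at 0 here; the first RefPtr takes the first reference
    std::string m_url;
};

// Minimal smart pointer in the spirit of WTF::RefPtr (stand-in, not the real one).
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    explicit RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) {
        T* old = m_ptr;
        m_ptr = other.m_ptr;
        if (m_ptr) m_ptr->ref();  // take the new reference first ...
        if (old) old->deref();    // ... then drop the old one (safe for self-assignment)
        return *this;
    }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// A frame owns one document; navigating (or refreshing) replaces it and drops the old one.
class Frame {
public:
    void navigate(const std::string& url) { m_document = RefPtr<Document>(new Document(url)); }
    Document* document() const { return m_document.get(); }
private:
    RefPtr<Document> m_document;
};

// Pre-fix shape: the document under the mouse is remembered as a raw pointer.
class RawDragController {
public:
    void dragEntered(Frame& frame) { m_documentUnderMouse = frame.document(); }
    bool documentUnderMouseIsLive() const { return g_liveDocuments.count(m_documentUnderMouse) != 0; }
private:
    Document* m_documentUnderMouse = nullptr;
};

// Post-fix shape: a RefPtr adds a reference, so the document outlives the refresh.
class RefPtrDragController {
public:
    void dragEntered(Frame& frame) { m_documentUnderMouse = RefPtr<Document>(frame.document()); }
    bool documentUnderMouseIsLive() const { return g_liveDocuments.count(m_documentUnderMouse.get()) != 0; }
    const std::string& documentUnderMouseURL() const { return m_documentUnderMouse->url(); }
private:
    RefPtr<Document> m_documentUnderMouse;
};

// Scenario from the report: drag starts over the iframe's page, the iframe refreshes
// before the drop concludes. Returns true if the controller's pointer now dangles.
bool rawPointerDangles() {
    Frame iframe;
    iframe.navigate("drag&drop2.html");
    RawDragController controller;
    controller.dragEntered(iframe);
    iframe.navigate("drag&drop2.html"); // refresh: old Document reaches refcount 0 and is freed
    return !controller.documentUnderMouseIsLive();
}

// Same scenario with the fixed controller. Returns true if the document is still alive
// and still readable after the refresh.
bool refPtrKeepsDocumentAlive() {
    Frame iframe;
    iframe.navigate("drag&drop2.html");
    RefPtrDragController controller;
    controller.dragEntered(iframe);
    iframe.navigate("drag&drop2.html"); // refresh: frame drops its reference, controller keeps one
    return controller.documentUnderMouseIsLive() && controller.documentUnderMouseURL() == "drag&drop2.html";
}

int main() {
    std::printf("raw pointer dangles after refresh: %s\n", rawPointerDangles() ? "yes" : "no");
    std::printf("RefPtr keeps document alive:       %s\n", refPtrKeepsDocumentAlive() ? "yes" : "no");
    return 0;
}
```

The raw-pointer variant is exactly the shape a ReadAV on WebCore::String::length comes from: the controller later reads a member of a Document that the frame already released. Holding a RefPtr changes ownership rather than timing, which is why it is a more robust fix than trying to clear the pointer on every navigation path.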
Labels: -SecSeverity-High SecSeverity-Medium
Using Medium because of the extra user interaction required.
NOTE: we will announce this in our upcoming v5 release notes, but the bug must be kept 
hidden to give Safari etc. a chance to fix this.
Labels: -Restrict-View-SecurityTeam
Status: Fixed
Releasing: fixed in 5.0.375.55
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.

Comment 20 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 21 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -SecSeverity-Medium -WebKit-Core -Mstone-5 -Type-Security -SecImpacts-Stable Cr-Content M-5 Security-Impact-Stable Security-Severity-Medium Type-Bug-Security Cr-Content-Core

Comment 22 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 25 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify

Comment 28 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 30 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-2 Pri-1