Issue 42294: WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b)
Reported by woo...@gmail.com, Apr 22 2010
Issue description
Unpack webkit30.rar to get 2.xhtml and frame.jsp, copy frame.jsp and 2.xhtml to the Tomcat webapp dir, and use Chrome to visit frame.jsp. The crash will look like this:

(128.17b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=017f01b0 ebx=04e8e0b0 ecx=01af03f0 edx=0012f1a4 esi=01af03f0 edi=01af9db8
eip=017f01c0 esp=0012eea4 ebp=0012f00c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
017f01c0 c0017f          rol     byte ptr [ecx],7Fh      ds:0023:01af03f0=b0
1:019> kv
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012eea0 023a1871 04e8e4bc 04e9ca98 022ce67c 0x17f01c0
0012eeac 022ce67c 01b16c34 00000001 023ff9e7 chrome_1f30000!WebCore::FontFallbackList::determinePitch+0x17 (FPO: [1,1,1]) (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\fontfallbacklist.cpp @ 77]
0012eeb8 023ff9e7 0012f0a0 0012f104 04e8e4bc chrome_1f30000!WebCore::Font::isFixedPitch+0x10 (FPO: [0,0,1]) (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\font.cpp @ 160]
0012f00c 023fe014 04e8e4bc 0012f048 0012f0f4 chrome_1f30000!WebCore::RenderBlock::findNextLineBreak+0x595 (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblocklinelayout.cpp @ 1800]
0012f1c8 0236823f 04e8e4bc 00000001 0012f1f4 chrome_1f30000!WebCore::RenderBlock::layoutInlineChildren+0x632 (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblocklinelayout.cpp @ 960]
0012f254 0236807a 00000001 0012f2e0 0236936a chrome_1f30000!WebCore::RenderBlock::layoutBlock+0x1a7 (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 734]
0012f260 0236936a 0012f2c8 04e8e4bc 04e8df14 chrome_1f30000!WebCore::RenderBlock::layout+0x17 (FPO: [0,0,1]) (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 663]
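As an added triage example (not part of the report and not Chromium or WebKit code): a small Python parser for the WinDbg output above that separates the condition where the instruction pointer has left every loaded module, the signal that makes this a security bug, from the plain NULL-font dereference that the thread later describes as a stability-only crash. The NULL sample is constructed and its addresses are made up.

```python
import re
# Constructed sample: the WinDbg excerpt from the report above, one record per line.
CORRUPTION_LOG = """\
(128.17b4): Access violation - code c0000005 (first chance)
eax=017f01b0 ebx=04e8e0b0 ecx=01af03f0 edx=0012f1a4 esi=01af03f0 edi=01af9db8
eip=017f01c0 esp=0012eea4 ebp=0012f00c iopl=0 nv up ei ng nz ac pe cy
017f01c0 c0017f          rol     byte ptr [ecx],7Fh      ds:0023:01af03f0=b0
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012eea0 023a1871 04e8e4bc 04e9ca98 022ce67c 0x17f01c0
0012eeac 022ce67c 01b16c34 00000001 023ff9e7 chrome_1f30000!WebCore::FontFallbackList::determinePitch+0x17
0012eeb8 023ff9e7 0012f0a0 0012f104 04e8e4bc chrome_1f30000!WebCore::Font::isFixedPitch+0x10
"""
# Constructed (hypothetical) sample of the stability-only NULL-font condition the thread mentions; addresses are made up.
NULL_LOG = """\
(128.17b4): Access violation - code c0000005 (first chance)
eax=00000000 ebx=04e8e0b0 ecx=00000000 edx=0012f1a4 esi=00000000 edi=01af9db8
eip=023a1866 esp=0012eea4 ebp=0012f00c iopl=0 nv up ei ng nz ac pe cy
023a1866 8b01            mov     eax,dword ptr [ecx]     ds:0023:00000000=????????
0012eeac 022ce67c 01b16c34 00000001 023ff9e7 chrome_1f30000!WebCore::FontFallbackList::determinePitch+0xc
"""

EXC_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})")
MEM_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=")
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)", re.M)

def parse_crash(text):
    """Pull the exception code, registers, faulting data address and frame symbols out of WinDbg output."""
    code = EXC_RE.search(text)
    mem = MEM_RE.search(text)
    return {
        "code": code.group(1) if code else None,
        "regs": {name: int(val, 16) for name, val in REG_RE.findall(text)},
        "fault_addr": int(mem.group(1), 16) if mem else None,
        "frames": [m.group(1) for m in FRAME_RE.finditer(text)],
    }

def triage(text):
    """Classify the crash the way a security triager would: did control flow leave module code?"""
    info = parse_crash(text)
    if info["code"] != "c0000005":
        return "not an access violation"
    top = info["frames"][0] if info["frames"] else ""
    # WinDbg prints a bare hex address instead of module!symbol when the IP is outside every loaded module.
    if "!" not in top:
        return "security: IP outside any module (eip=%08x)" % info["regs"].get("eip", 0)
    if info["fault_addr"] is not None and info["fault_addr"] < 0x10000:
        return "stability: NULL/near-NULL read in " + top.split("+")[0]
    return "unclassified access violation in " + top.split("+")[0]
```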
[Apr 22 2010]
GREAT bug @wushi! I concur with SkyLined that this condition isn't just a security concern, but is also a stability concern. It's one of our top crashers:
http://crash/stackview?product=Chrome&version=4.1.249.1059&num=50
http://crash/reportview?product=Chrome&version=4.1.249.1059&date=&signature=WebCore::FontFallbackList::determinePitch(WebCore::Font+const+*)-1606028&newsig=
http://crash/reportview?product=Chrome&version=4.1.249.1059&date=&signature=WebCore::FontFallbackList::determinePitch(WebCore::Font+const+*)-134E8B3&newsig=
(The sum of those two distinct stack signals equates to one of the top crashers -- after discounting Flash plugin crashes)
[Apr 22 2010]
Putting this in my queue. Will fix sometime next week; too busy right now with other WebKit patches. Marking milestone 5.

[Apr 22 2010]
Filed bug in WebKit. Also affects Safari.
[Apr 23 2010]
What's the WebKit bug URL? Can you cc me there?
[Apr 23 2010]
Sato-san, can you look into this?

[Apr 23 2010]
The WebKit bug is https://bugs.webkit.org/show_bug.cgi?id=38001. I have cc'ed Dimitri and Yusuke.

[Apr 24 2010]
Since it's such a significant bug (in terms of the long-running stability impact), I also pinged a few Apple contacts. Hopefully someone will jump on it soon :)
[Apr 24 2010]
This is now fixed in http://trac.webkit.org/changeset/58201. I will merge this to 375 along with the other pending merges.

[Apr 26 2010]
You guys are awesome! Analysis & patching speed is so quick.

[Apr 26 2010]
+cc anantha for testing

[Apr 26 2010]
Sunand and Michael, we should verify this on tot and 375 after it gets patched.

[Apr 27 2010]
This is now merged to both 249 and 375.
249: http://src.chromium.org/viewvc/chrome?view=rev&revision=45544
375: http://src.chromium.org/viewvc/chrome?view=rev&revision=45594
[Apr 29 2010]
Thanks, Wushi! This qualifies for an award.

[May 19 2010]
The security bug no longer reproduces in v4.1.249.1064 (yay!) However, the stability-related crashes are still there :( e.g. http://crash/reportdetail?reportid=7f58c8a1caaf5938
Looks like there's a second condition in that same code whereby the font is simply NULL. Not a security condition, but irritating.

[May 28 2010]
(Not yet releasing - Safari not yet fixed, best I know)

[Jun 13 2010]
Issue 44263 has been merged into this issue.
[Mar 21 2011]
Releasing - Safari 5 is based on a recent WebKit revision so should have this fixed.
[Oct 13 2012] (Project Member)
Batch update.
[Mar 10 2013] (Project Member)
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.
[Oct 1 2016] (Project Member)
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by skylined@chromium.org, Apr 22 2010
Status: Available
Summary: WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b)