
Issue metadata

Status: Fixed
Owner:
Closed: Apr 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
M-5


Issue 42294: WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b)

Reported by woo...@gmail.com, Apr 22 2010

Issue description

Unpack webkit30.rar to get 2.xhtml and frame.jsp, copy the frame.jsp and 2.xhtml files to the tomcat webapp dir, and use chrome to visit frame.jsp.

The crash will look like this:

(128.17b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=017f01b0 ebx=04e8e0b0 ecx=01af03f0 edx=0012f1a4 esi=01af03f0 edi=01af9db8
eip=017f01c0 esp=0012eea4 ebp=0012f00c iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
017f01c0 c0017f          rol     byte ptr [ecx],7Fh         ds:0023:01af03f0=b0
1:019> kv
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012eea0 023a1871 04e8e4bc 04e9ca98 022ce67c 0x17f01c0
0012eeac 022ce67c 01b16c34 00000001 023ff9e7
chrome_1f30000!WebCore::FontFallbackList::determinePitch+0x17 (FPO:
[1,1,1]) (CONV: thiscall)
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\fontfallbacklist.cpp
@ 77]
0012eeb8 023ff9e7 0012f0a0 0012f104 04e8e4bc
chrome_1f30000!WebCore::Font::isFixedPitch+0x10 (FPO: [0,0,1]) (CONV:
thiscall)
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\font.cpp
@ 160]
0012f00c 023fe014 04e8e4bc 0012f048 0012f0f4
chrome_1f30000!WebCore::RenderBlock::findNextLineBreak+0x595 (CONV:
thiscall)
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblocklinelayout.cpp
@ 1800]
0012f1c8 0236823f 04e8e4bc 00000001 0012f1f4
chrome_1f30000!WebCore::RenderBlock::layoutInlineChildren+0x632 (CONV:
thiscall)
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblocklinelayout.cpp
@ 960]
0012f254 0236807a 00000001 0012f2e0 0236936a
chrome_1f30000!WebCore::RenderBlock::layoutBlock+0x1a7 (CONV: thiscall)
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 734]
0012f260 0236936a 0012f2c8 04e8e4bc 04e8df14
chrome_1f30000!WebCore::RenderBlock::layout+0x17 (FPO: [0,0,1]) (CONV:
thiscall)
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 663]
 
webkit30.rar
2.6 KB Download

Comment 1 by skylined@chromium.org, Apr 22 2010

Labels: -Area-Undefined Area-WebKit WebKit-Core Feature-Fonts
Status: Available
Summary: WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b)
I've simplified the repro to the attached xhtml file. I've also attached details for a NULL ptr crash and an arbitrary code execution crash.

id:             WebCore::FontFallbackList::determinePitch ReadAV@NULL (0b4c05aab686a31bc4954a5bd6bae27b)
description:    Attempt to read from NULL pointer (+0x15) in WebCore::FontFallbackList::determinePitch
stack:          WebCore::FontFallbackList::determinePitch
                WebCore::Font::isFixedPitch
                WebCore::RenderBlock::findNextLineBreak
                WebCore::RenderBlock::layoutInlineChildren
                WebCore::RenderBlock::layoutBlock
                WebCore::RenderBlock::layout
                WebCore::RenderBlock::layoutBlockChild
                WebCore::RenderBlock::layoutBlockChildren
                WebCore::RenderBlock::layoutBlock
                WebCore::RenderBlock::layout
                WebCore::RenderBlock::layoutBlockChild
                WebCore::RenderBlock::layoutBlockChildren
                WebCore::RenderBlock::layoutBlock
                WebCore::RenderBlock::layout
                WebCore::RenderBlock::layoutBlockChild
                WebCore::RenderBlock::layoutBlockChildren
                WebCore::RenderBlock::layoutBlock
                WebCore::RenderBlock::layout
                WebCore::RenderView::layout
                WebCore::FrameView::layout
                WebCore::FrameView::layoutIfNeededRecursive
<snip>

The problem seems to be caused by an unavailable font file loaded through css and specific xhtml content.

Source:
http://svn.webkit.org/repository/webkit/trunk/WebCore/platform/graphics/FontFallbackList.cpp
void FontFallbackList::determinePitch(const Font* font) const
{
    const FontData* fontData = primaryFontData(font);
    if (!fontData->isSegmented())                                                  // *** kaB00m!! (Apparently fontData can get corrupted)
        m_pitch = static_cast<const SimpleFontData*>(fontData)->pitch();
    else {
        const SegmentedFontData* segmentedFontData = static_cast<const SegmentedFontData*>(fontData);
        unsigned numRanges = segmentedFontData->numRanges();
        if (numRanges == 1)
            m_pitch = segmentedFontData->rangeAt(0).fontData()->pitch();
        else
            m_pitch = VariablePitch;
    }
}

Apparently, this happens in the wild too:
http://crash/search?query=stack_signature.contains:%22WebCore::FontFallbackList::determinePitch%22+stack_signature.contains:%22160602C%22
WebCore..FontFallbackList..determinePitch ReadAV@NULL (0b4c05aab686a31bc4954a5bd6bae27b).html
803 KB Download
repro.xhtml
442 bytes View Download
WebCore..FontFallbackList..determinePitch ExecAV@Arbitrary (0b4c05aab686a31bc4954a5bd6bae27b).html
964 KB Download
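The NULL-pointer variant above (ReadAV@NULL at +0x15 inside determinePitch) is what happens when primaryFontData() yields nothing because the @font-face resource is unavailable and the result is dereferenced anyway. The following is an added illustration written for this page; it is not WebKit's code and not the fix landed in changeset 58201. The FontData/SimpleFontData/SegmentedFontData shapes, the Pitch enum, the m_pitchValid flag and the helper names are assumptions made to keep the model self-contained. It shows the unguarded shape beside a guarded one that treats a missing primary font as variable pitch and leaves the cached value invalid so layout recomputes it once the font arrives. Note that the ExecAV@Arbitrary crash attached in the same comment means fontData can also point at corrupted memory rather than NULL; a NULL check alone does not cover that case, which needs the font data's lifetime handled correctly.

```cpp
// Added illustration, not WebKit's code and not the fix in changeset 58201:
// a minimal model of FontFallbackList::determinePitch() showing the NULL
// primary-font case from the report and a guard against it.
#include <cassert>
#include <vector>

enum Pitch { UnknownPitch, FixedPitch, VariablePitch };

// Simplified stand-ins for WebKit's FontData hierarchy (shapes assumed).
struct FontData {
    virtual ~FontData() {}
    virtual bool isSegmented() const = 0;
};

struct SimpleFontData : FontData {
    explicit SimpleFontData(Pitch p) : m_pitch(p) {}
    bool isSegmented() const override { return false; }
    Pitch pitch() const { return m_pitch; }
private:
    Pitch m_pitch;
};

struct SegmentedFontData : FontData {
    bool isSegmented() const override { return true; }
    unsigned numRanges() const { return static_cast<unsigned>(m_ranges.size()); }
    const SimpleFontData* rangeAt(unsigned i) const { return m_ranges.at(i); }
    void addRange(const SimpleFontData* f) { m_ranges.push_back(f); }
private:
    std::vector<const SimpleFontData*> m_ranges;
};

class FontFallbackList {
public:
    // 'primary' is nullptr when the @font-face resource is unavailable,
    // the condition the report ties the crash to.
    explicit FontFallbackList(const FontData* primary) : m_primary(primary) {}

    // Unguarded shape, mirroring the snippet in the report: with a NULL
    // primary font this reads at a small offset from address 0 (the
    // "ReadAV@NULL (+0x15)" signature). Shown for contrast only.
    Pitch determinePitchUnguarded() const {
        const FontData* fontData = primaryFontData();
        if (!fontData->isSegmented())
            return static_cast<const SimpleFontData*>(fontData)->pitch();
        return pitchOfSegmented(static_cast<const SegmentedFontData*>(fontData));
    }

    // Guarded form: a missing primary font is reported as variable pitch and
    // the cached value stays invalid so it is recomputed once the font loads.
    Pitch determinePitch() const {
        const FontData* fontData = primaryFontData();
        if (!fontData) {
            m_pitchValid = false;
            return VariablePitch;
        }
        m_pitch = fontData->isSegmented()
            ? pitchOfSegmented(static_cast<const SegmentedFontData*>(fontData))
            : static_cast<const SimpleFontData*>(fontData)->pitch();
        m_pitchValid = true;
        return m_pitch;
    }

    bool pitchValid() const { return m_pitchValid; }

private:
    const FontData* primaryFontData() const { return m_primary; }

    static Pitch pitchOfSegmented(const SegmentedFontData* seg) {
        // A single-range segmented font inherits that range's pitch; anything
        // else is treated as variable pitch, as in the original code.
        return seg->numRanges() == 1 ? seg->rangeAt(0)->pitch() : VariablePitch;
    }

    const FontData* m_primary;
    mutable Pitch m_pitch = UnknownPitch;
    mutable bool m_pitchValid = false;
};

// Helpers exercised by the demonstration below (assumed names).
Pitch pitchOfSimpleFont(Pitch p) {
    SimpleFontData font(p);
    return FontFallbackList(&font).determinePitch();
}

Pitch pitchOfSegmentedFont(unsigned rangeCount, Pitch rangePitch) {
    SimpleFontData range(rangePitch);
    SegmentedFontData seg;
    for (unsigned i = 0; i < rangeCount; ++i)
        seg.addRange(&range);
    return FontFallbackList(&seg).determinePitch();
}

// The unavailable-font case: no dereference, conservative default, cache left invalid.
Pitch pitchOfMissingFont() {
    FontFallbackList list(nullptr);
    Pitch p = list.determinePitch();
    assert(!list.pitchValid());
    return p;
}

int main() {
    assert(pitchOfSimpleFont(FixedPitch) == FixedPitch);
    assert(pitchOfSegmentedFont(1, FixedPitch) == FixedPitch);
    assert(pitchOfSegmentedFont(2, FixedPitch) == VariablePitch);
    assert(pitchOfMissingFont() == VariablePitch);
    return 0;
}
```

The guard only addresses the "font is simply NULL" condition; the ExecAV@Arbitrary report points at a stale or corrupted FontData pointer, which is an ownership and lifetime problem (the object must outlive every FontFallbackList that caches it) and is not fixed by checking for NULL.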

Comment 2 by scarybea...@gmail.com, Apr 22 2010

Labels: SecSeverity-High
GREAT bug @wushi!

I concur with SkyLined that this condition isn't just a security concern, but is also a stability concern. It's one of our top crashers:
http://crash/stackview?product=Chrome&version=4.1.249.1059&num=50
http://crash/reportview?product=Chrome&version=4.1.249.1059&date=&signature=WebCore::FontFallbackList::determinePitch(WebCore::Font+const+*)-1606028&newsig=
http://crash/reportview?product=Chrome&version=4.1.249.1059&date=&signature=WebCore::FontFallbackList::determinePitch(WebCore::Font+const+*)-134E8B3&newsig=

(The sum of those two distinct stack signals equates to one of the top crashers -- after discounting Flash plugin crashes)

Comment 3 by infe...@chromium.org, Apr 22 2010

Labels: Mstone-5
Status: Assigned
putting this in my queue. will fix sometime next week, too busy right now with other webkit patches. marking milestone 5.

Comment 4 by infe...@chromium.org, Apr 22 2010

filed bug in webkit. also affects safari

Comment 5 by infe...@chromium.org, Apr 22 2010

Status: Available

Comment 6 by mal@google.com, Apr 23 2010

Comment 7 by darin@chromium.org, Apr 23 2010

Comment 8 by dglazkov@chromium.org, Apr 23 2010

Comment 9 by dglazkov@chromium.org, Apr 23 2010

What's the WebKit bug URL? Can you cc me there?

Comment 10 by dglazkov@chromium.org, Apr 23 2010

Status: Assigned
Sato-san, can you look into this?

Comment 11 by infe...@chromium.org, Apr 23 2010

the webkit bug is https://bugs.webkit.org/show_bug.cgi?id=38001. i have cced Dimitri
and Yusuke.

Comment 12 by scarybea...@gmail.com, Apr 23 2010

Since it's such a significant bug (in terms of the long-running stability impact), I 
also pinged a few Apple contacts. Hopefully someone will jump on it soon :)

Comment 13 by infe...@chromium.org, Apr 24 2010

Status: FixUnreleased
this is now fixed in http://trac.webkit.org/changeset/58201.
i will merge this to 375 along with other pending merges.

Comment 14 by woo...@gmail.com, Apr 24 2010

You guys are awesome! Analysis & patching speed is so quick.

Comment 15 by mal@google.com, Apr 26 2010

+cc anantha for testing

Comment 16 by anan...@chromium.org, Apr 26 2010

Sunand and Michael, We should verify this on tot and 375 after it gets patched.

Comment 18 by scarybea...@gmail.com, Apr 27 2010

Labels: Reward-500
Thanks, Wushi! This qualifies for an award.

Comment 19 by scarybea...@gmail.com, Apr 29 2010

The security bug no longer reproduces in v4.1.249.1064 (yay!)
However, the stability-related crashes are still there :( e.g. 
http://crash/reportdetail?reportid=7f58c8a1caaf5938

Looks like there's a second condition in that same code whereby the font is simply 
NULL. Not a security condition, but irritating.

Comment 20 by scarybea...@gmail.com, May 19 2010

(Not yet releasing - Safari not yet fixed, best I know)

Comment 21 by dglazkov@chromium.org, May 28 2010

Issue 44263 has been merged into this issue.

Comment 22 by scarybea...@gmail.com, Jun 13 2010

Labels: -Restrict-View-SecurityTeam
Status: Fixed
Releasing - Safari 5 is based on a recent WebKit revision so should have this fixed.

Comment 23 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 24 by jsc...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable
Batch update.

Comment 25 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 26 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -WebKit-Core -Feature-Fonts -SecSeverity-High -Mstone-5 -Type-Security -SecImpacts-Stable Cr-Content Cr-Content-Fonts M-5 Security-Impact-Stable Security-Severity-High Type-Bug-Security Cr-Content-Core

Comment 27 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 28 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 30 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 31 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-Fonts Cr-Blink-Fonts

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 1 2016

Project Member
Labels: Restrict-View-SecurityNotify

Comment 34 by sheriffbot@chromium.org, Oct 2 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 36 by sheriffbot@chromium.org, Jul 29 2018

Project Member
Labels: -Pri-0 Pri-1
