Sign in to add a comment
|
WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b) | |||||||||||||||||||||||
| Reported by woo...@gmail.com, Apr 22 2010 | Back to list | |||||||||||||||||||||||
unpack the webkit30.rar and got the 2.xhtml and frame.jsp , copy frame.jsp and 2.xhtml files to tomcat webapp dir.use chrome to visit frame.jsp. the crash will like this: (128.17b4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=017f01b0 ebx=04e8e0b0 ecx=01af03f0 edx=0012f1a4 esi=01af03f0 edi=01af9db8 eip=017f01c0 esp=0012eea4 ebp=0012f00c iopl=0 nv up ei ng nz ac pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297 017f01c0 c0017f rol byte ptr [ecx],7Fh ds:0023:01af03f0=b0 1:019> kv ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 0012eea0 023a1871 04e8e4bc 04e9ca98 022ce67c 0x17f01c0 0012eeac 022ce67c 01b16c34 00000001 023ff9e7 chrome_1f30000!WebCore::FontFallbackList::determinePitch+0x17 (FPO: [1,1,1]) (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\fontfallbacklist.cpp @ 77] 0012eeb8 023ff9e7 0012f0a0 0012f104 04e8e4bc chrome_1f30000!WebCore::Font::isFixedPitch+0x10 (FPO: [0,0,1]) (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\font.cpp @ 160] 0012f00c 023fe014 04e8e4bc 0012f048 0012f0f4 chrome_1f30000!WebCore::RenderBlock::findNextLineBreak+0x595 (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblocklinelayout.cpp @ 1800] 0012f1c8 0236823f 04e8e4bc 00000001 0012f1f4 chrome_1f30000!WebCore::RenderBlock::layoutInlineChildren+0x632 (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblocklinelayout.cpp @ 960] 0012f254 0236807a 00000001 0012f2e0 0236936a chrome_1f30000!WebCore::RenderBlock::layoutBlock+0x1a7 (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 734] 0012f260 0236936a 0012f2c8 04e8e4bc 04e8df14 chrome_1f30000!WebCore::RenderBlock::layout+0x17 (FPO: [0,0,1]) (CONV: thiscall) [c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 663]
,
Apr 22 2010
GREAT bug @wushi! I concur with SkyLined that this condition isn't just a security concern, but is also a stability concern. It's one of our top crashers: http://crash/stackview?product=Chrome&version=4.1.249.1059&num=50 http://crash/reportview? product=Chrome&version=4.1.249.1059&date=&signature=WebCore::FontFallbackList::determ inePitch(WebCore::Font+const+*)-1606028&newsig= http://crash/reportview? product=Chrome&version=4.1.249.1059&date=&signature=WebCore::FontFallbackList::determ inePitch(WebCore::Font+const+*)-134E8B3&newsig= (The sum of those two distinct stack signals equates to one of the top crashers -- after discounting Flash plugin crashes)
,
Apr 22 2010
putting this in my queue. will fix sometime next week, too much busy right now with other webkit patches. marking milestone 5.
,
Apr 22 2010
filed bug in webkit. also affects safari
,
Apr 22 2010
,
Apr 23 2010
,
Apr 23 2010
,
Apr 23 2010
,
Apr 23 2010
What's the WebKit bug URL? Can you cc me there?
,
Apr 23 2010
Sato-san, can you look into this?
,
Apr 23 2010
the webkit bug is https://bugs.webkit.org/show_bug.cgi?id=38001. i have cced Dimitri and Yusuke.
,
Apr 23 2010
Since it's such a significant bug (in terms of the long-running stability impact), I also pinged a few Apple contacts. Hopefully someone will jump on it soon :)
,
Apr 24 2010
this is now fixed in http://trac.webkit.org/changeset/58201. i will merge this to 375 alongwith with other pending merges.
,
Apr 24 2010
You guys are awesome! Analyze & Patching speed is so quickly.
,
Apr 26 2010
+cc anantha for testing
,
Apr 26 2010
Sunand and Michael, We should verify this on tot and 375 after it gets patched.
,
Apr 26 2010
This is now merged to both 249 and 375. 249: http://src.chromium.org/viewvc/chrome?view=rev&revision=45544 375: http://src.chromium.org/viewvc/chrome?view=rev&revision=45594
,
Apr 27 2010
Thanks, Wushi! This qualifies for an award.
,
Apr 29 2010
The security bug no longer reproduces in v4.1.249.1064 (yay!) However, the stability-related crashes are still there :( e.g. http://crash/reportdetail?reportid=7f58c8a1caaf5938 Looks like there's a second condition in that same code whereby the font is simply NULL. Not a security condition, but irritating.
,
May 19 2010
(Not yet releasing - Safari not yet fixed, best I know)
,
May 28 2010
Issue 44263 has been merged into this issue.
,
Jun 13 2010
Releasing - Safari 5 is based on a recent WebKit revision so should have this fixed.
,
Mar 21 2011
,
Oct 5 2011
Batch update.
,
Oct 13 2012
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.
,
Mar 10 2013
,
Mar 13 2013
,
Mar 21 2013
,
Mar 21 2013
,
Apr 6 2013
,
Apr 6 2013
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
|
||||||||||||||||||||||||
| ► Sign in to add a comment | ||||||||||||||||||||||||
Status: Available
Summary: WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b) (was: NULL)
I've simplified the repro to the attached xhtml file. I've also attached details for a NULL ptr crash and an arbitrary code execution crash. id: WebCore::FontFallbackList::determinePitch ReadAV@NULL (0b4c05aab686a31bc4954a5bd6bae27b) description: Attempt to read from NULL pointer (+0x15) in WebCore::FontFallbackList::determinePitch stack: WebCore::FontFallbackList::determinePitch WebCore::Font::isFixedPitch WebCore::RenderBlock::findNextLineBreak WebCore::RenderBlock::layoutInlineChildren WebCore::RenderBlock::layoutBlock WebCore::RenderBlock::layout WebCore::RenderBlock::layoutBlockChild WebCore::RenderBlock::layoutBlockChildren WebCore::RenderBlock::layoutBlock WebCore::RenderBlock::layout WebCore::RenderBlock::layoutBlockChild WebCore::RenderBlock::layoutBlockChildren WebCore::RenderBlock::layoutBlock WebCore::RenderBlock::layout WebCore::RenderBlock::layoutBlockChild WebCore::RenderBlock::layoutBlockChildren WebCore::RenderBlock::layoutBlock WebCore::RenderBlock::layout WebCore::RenderView::layout WebCore::FrameView::layout WebCore::FrameView::layoutIfNeededRecursive <snip> The problem seems to be caused by an unavailable font file loaded through css and specific xhtml content. Source: http://svn.webkit.org/repository/webkit/trunk/WebCore/platform/graphics/FontFallbackList.cpp void FontFallbackList::determinePitch(const Font* font) const { const FontData* fontData = primaryFontData(font); if (!fontData->isSegmented()) // *** kaB00m!! (Apparently fontData can get corrupted) m_pitch = static_cast<const SimpleFontData*>(fontData)->pitch(); else { const SegmentedFontData* segmentedFontData = static_cast<const SegmentedFontData*>(fontData); unsigned numRanges = segmentedFontData->numRanges(); if (numRanges == 1) m_pitch = segmentedFontData->rangeAt(0).fontData()->pitch(); else m_pitch = VariablePitch; } } Apparently, this happens in the wild too: http://crash/search?query=stack_signature.contains:%22WebCore::FontFallbackList::determinePitch%22+stack_signature.contains:%22160602C%22803 KB Download
442 bytes View Download
964 KB Download