
Issue metadata

Status: Fixed
Owner: (not on Chrome anymore)
Closed: Jan 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Issue 444957: Heap-use-after-free in OpenPDFInReaderBubbleView::ButtonPressed

Reported by chromium...@gmail.com, Dec 24 2014

Issue description

VERSION
Chrome Version: 41.0.2257.0 canary / 39.0.2171.95 dev-m
Operating System: Win7
Crash ID: 5dc199ce255e6925

STEPS
1. Open repro-pdf.html
2. Click the button to open the test.pdf link in a new tab, then click on the PDF bubble as in "1.png"; after 5 s the page will change as in "2.png".
3. Click on the "DONE" button or the "Open in Adobe Reader" link.

The problem is that if a tab changes location or is closed via JavaScript, the bubble doesn't close and stays open.


eax=f8242b1e ebx=0c711718 ecx=09bcfb80 edx=0c711700 esi=0b95ac3c edi=0017eb60
eip=60fbed1b esp=0017ea24 ebp=0017ea34 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_602c0000!OpenPDFInReaderBubbleView::ButtonPressed+0x8:
60fbed1b ff5018          call    dword ptr [eax+18h]  ds:0023:f8242b36=????????
0:000> k
ChildEBP RetAddr  
0017ea24 6144cc46 chrome_602c0000!OpenPDFInReaderBubbleView::ButtonPressed+0x8 [c:\b\build\slave\win\build\src\chrome\browser\ui\views\open_pdf_in_reader_bubble_view.cc @ 68]
0017ea34 61458256 chrome_602c0000!views::Button::NotifyClick+0x17 [c:\b\build\slave\win\build\src\ui\views\controls\button\button.cc @ 75]
0017ea50 614433d1 chrome_602c0000!views::CustomButton::OnMouseReleased+0x62 [c:\b\build\slave\win\build\src\ui\views\controls\button\custom_button.cc @ 157]
0017ea6c 61443117 chrome_602c0000!views::View::ProcessMouseReleased+0x6f [c:\b\build\slave\win\build\src\ui\views\view.cc @ 2299]
0017ea80 605aae89 chrome_602c0000!views::View::OnMouseEvent+0x8e [c:\b\build\slave\win\build\src\ui\views\view.cc @ 988]
0017ea94 605abc75 chrome_602c0000!ui::EventHandler::OnEvent+0x32 [c:\b\build\slave\win\build\src\ui\events\event_handler.cc @ 29]
0017eaac 605aae1a chrome_602c0000!ui::EventTarget::OnEvent+0x32 [c:\b\build\slave\win\build\src\ui\events\event_target.cc @ 64]
0017eac4 605aac26 chrome_602c0000!ui::EventDispatcher::DispatchEvent+0x3d [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 190]
0017eae0 605aab26 chrome_602c0000!ui::EventDispatcher::ProcessEvent+0x86 [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 138]
0017eb14 605aa16c chrome_602c0000!ui::EventDispatcherDelegate::DispatchEventToTarget+0x2a [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 86]
0017eb3c 61461863 chrome_602c0000!ui::EventDispatcherDelegate::DispatchEvent+0x5b [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 57]
0017ed14 6144969f chrome_602c0000!views::internal::RootView::OnMouseReleased+0x8a [c:\b\build\slave\win\build\src\ui\views\widget\root_view.cc @ 456]
0017ed44 6144ac6b chrome_602c0000!views::Widget::OnMouseEvent+0xc3 [c:\b\build\slave\win\build\src\ui\views\widget\widget.cc @ 1233]
0017ed58 605aae89 chrome_602c0000!views::DesktopNativeWidgetAura::OnMouseEvent+0x31 [c:\b\build\slave\win\build\src\ui\views\widget\desktop_aura\desktop_native_widget_aura.cc @ 1043]
0017ed6c 605abc6c chrome_602c0000!ui::EventHandler::OnEvent+0x32 [c:\b\build\slave\win\build\src\ui\events\event_handler.cc @ 29]
0017ed84 605aae1a chrome_602c0000!ui::EventTarget::OnEvent+0x29 [c:\b\build\slave\win\build\src\ui\events\event_target.cc @ 63]
0017ed9c 605aac26 chrome_602c0000!ui::EventDispatcher::DispatchEvent+0x3d [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 190]
0017edb8 605aab26 chrome_602c0000!ui::EventDispatcher::ProcessEvent+0x86 [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 138]
0017edec 605aa16c chrome_602c0000!ui::EventDispatcherDelegate::DispatchEventToTarget+0x2a [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 86]
0017ee14 605a971d chrome_602c0000!ui::EventDispatcherDelegate::DispatchEvent+0x5b [c:\b\build\slave\win\build\src\ui\events\event_dispatcher.cc @ 57]
 
Attachments: test.pdf (3.5 MB), repro-pdf.html (185 bytes)

Comment 1 by rsesek@chromium.org, Dec 24 2014

Cc: sadrul@chromium.org tsepez@chromium.org
Labels: Cr-Internals-Plugins-PDF Cr-UI Security_Severity-Medium Security_Impact-Stable Security_Impact-Beta M-40 Pri-1
Owner: bauerb@chromium.org
Status: Assigned
bauerb: According to the history, you added this code a long time ago.

Comment 2 by ClusterFuzz, Dec 24 2014

Project Member
Labels: -Security_Impact-Beta

Comment 3 by bauerb@chromium.org, Jan 5 2015

Status: Started

Comment 4 by rsesek@chromium.org, Jan 5 2015

Labels: reward-topanel

Comment 5 by bauerb@chromium.org, Jan 6 2015

Cc: cpu@chromium.org

Comment 6 by bugdroid1@chromium.org, Jan 6 2015

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/432eb007ad1d67d12d2a9d69a0f6e78b9efee9b1

commit 432eb007ad1d67d12d2a9d69a0f6e78b9efee9b1
Author: bauerb <bauerb@chromium.org>
Date: Tue Jan 06 23:17:45 2015

Hide the "Open PDF in Reader" bubble on navigations.

BUG= 444957 

Review URL: https://codereview.chromium.org/831283002

Cr-Commit-Position: refs/heads/master@{#310167}

[modify] http://crrev.com/432eb007ad1d67d12d2a9d69a0f6e78b9efee9b1/chrome/browser/ui/views/location_bar/open_pdf_in_reader_view.cc
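The report's description and the commit above describe the same lifetime mistake from two sides: a bubble view keeps a pointer into a tab that JavaScript can navigate or close underneath it, and the fix is to hide the bubble when the tab navigates. Below is an added example, written for this page and not Chromium's code, that models that in plain C++. The TabModel, TabObserver, VulnerableBubble and HardenedBubble names and the observer interface are assumptions for illustration; the real change in open_pdf_in_reader_view.cc is not reproduced here.

```cpp
// Added example, not Chromium code: a minimal model of the lifetime bug in issue
// 444957 and of the fix ("hide the bubble on navigations"); all names are assumed.
#include <algorithm>
#include <memory>
#include <vector>

class TabModel;

// Observer interface the hardened bubble uses to track its tab's lifetime.
class TabObserver {
 public:
  virtual ~TabObserver() = default;
  virtual void OnNavigated(TabModel* tab) = 0;
  virtual void OnTabDestroyed(TabModel* tab) = 0;
};

// Stand-in for the per-tab object the bubble calls back into; in the real bug
// it lived and died with the tab, which JavaScript can navigate or close.
class TabModel {
 public:
  ~TabModel() { for (TabObserver* o : observers_) o->OnTabDestroyed(this); }
  void AddObserver(TabObserver* o) { observers_.push_back(o); }
  void RemoveObserver(TabObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  // Page changes location (step 2 of the repro). Iterates over a copy because
  // observers may remove themselves while being notified.
  void Navigate() {
    for (TabObserver* o : std::vector<TabObserver*>(observers_)) o->OnNavigated(this);
  }
  // The action behind the bubble's button; what it does is irrelevant here.
  bool OpenInReader() const { return true; }
 private:
  std::vector<TabObserver*> observers_;
};

// BEFORE: a raw pointer that nothing clears. After the tab navigates or closes the
// bubble stays open, and a later click calls through freed memory (the crash shows
// this as `call dword ptr [eax+18h]`). The scenarios below never press it late.
class VulnerableBubble {
 public:
  explicit VulnerableBubble(TabModel* tab) : tab_(tab) {}
  bool showing() const { return showing_; }
  bool ButtonPressed() {
    showing_ = false;
    return tab_->OpenInReader();  // use-after-free when tab_ is dangling
  }
 private:
  TabModel* tab_;
  bool showing_ = true;
};

// AFTER: the bubble observes its tab and hides itself on navigation or
// destruction, dropping the pointer, so a late click is a safe no-op.
class HardenedBubble : public TabObserver {
 public:
  explicit HardenedBubble(TabModel* tab) : tab_(tab) { tab_->AddObserver(this); }
  ~HardenedBubble() override { Hide(); }
  bool showing() const { return tab_ != nullptr; }
  // True if the click reached a live tab, false if the bubble was stale.
  bool ButtonPressed() {
    TabModel* tab = tab_;
    Hide();
    return tab != nullptr && tab->OpenInReader();
  }
  void OnNavigated(TabModel*) override { Hide(); }
  // Tab is mid-destruction: forget it without calling back into it.
  void OnTabDestroyed(TabModel*) override { tab_ = nullptr; }
 private:
  void Hide() {
    if (tab_) tab_->RemoveObserver(this);
    tab_ = nullptr;
  }
  TabModel* tab_;
};

// Report's scenario: the tab navigates, then is closed; the bubble still claims
// to be showing and holds a dangling pointer. Returns true if the bug reproduces.
bool VulnerableBubbleStaysOpen() {
  auto tab = std::make_unique<TabModel>();
  VulnerableBubble bubble(tab.get());
  tab->Navigate();
  tab.reset();
  return bubble.showing();
}

// Same scenario with the fix: hidden on navigation; a click after the tab has
// been closed returns false instead of dereferencing freed memory.
bool HardenedBubbleHidesOnNavigation() {
  auto tab = std::make_unique<TabModel>();
  HardenedBubble bubble(tab.get());
  if (!bubble.showing()) return false;
  tab->Navigate();
  if (bubble.showing()) return false;
  tab.reset();
  return !bubble.ButtonPressed();
}
```

The hardened bubble also nulls its pointer in OnTabDestroyed without calling back into the tab, because the tab is already being torn down at that point; closing the tab via JavaScript without navigating first takes that path. Either way the stale bubble's button becomes a no-op rather than a virtual call through freed memory.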

Comment 7 by bauerb@chromium.org, Jan 7 2015

Status: Fixed

Comment 8 by bauerb@chromium.org, Jan 7 2015

Robert, do you want me to merge this to M40?

Comment 9 by ClusterFuzz, Jan 7 2015

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 M-41 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

Comment 10 by infe...@chromium.org, Jan 7 2015

Labels: -Merge-Triage -M-39 Release-1-M41
This can just roll in M41, no need to merge this medium severity bug.

Comment 11 by timwillis@google.com, Apr 14 2015

Cc: timwillis@chromium.org
Labels: -reward-topanel reward-unpaid CVE-2015-1245 reward-500
Congratulations - $500 for this report.

Notes from panel: Use-after-free, though it required a very unique set of interactions that seems unlikely, which is why the reward amount is lower than usual.

Even though this fix rolled out with a patch to M41, we'll mention it in our release notes for M42.

Comment 12 by ClusterFuzz, Apr 15 2015

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 13 by timwillis@google.com, May 6 2015

Labels: -reward-unpaid reward-inprocess

Comment 14 by timwillis@google.com, Jun 25 2015

Labels: -reward-inprocess
Processing via our e-payment system can take up to two weeks, but the reward should be on its way to you. Thanks again for your help!

Comment 15 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 18 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
