Status: Fixed
Owner:
Closed: Jun 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug-Security
M-5
Crash with invalid images.
Reported by javg0...@gmail.com, May 26 2010
Chrome-Version: 5.0.375.55
OS: Windows XP SP3

PoC attached.

Steps to reproduce:

1.- Open file test.html
2.- Second button -> copy image
3.- Crash...

Info:

Excepción de aplicación ocurrida:
        Aplicación: C:\Documents and Settings\Jose\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe (pid=1812)
        Fecha y hora: 27/05/2010 a las 00:22:47.828
        Número de excepción: c0000005 (infracción de acceso)

*----> Estado para identificador de subproceso 0x7dc <----*

eax=0012f5c8 ebx=0012f5c8 ecx=0000000a edx=017ee000 esi=00000000 edi=0012f5c8
eip=01efe191 esp=0012f550 ebp=0012f5f4 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

Defaulted to export symbols for C:\Documents and Settings\Jose\Configuración local\Datos de programa\Google\Chrome\Application\5.0.375.55\chrome.dll - 
función: chrome!Hunspell_create_key
        01efe17b 56               push    esi
        01efe17c 8b742410         mov     esi,[esp+0x10]
        01efe180 57               push    edi
        01efe181 3bde             cmp     ebx,esi
        01efe183 745a             jz      chrome!Hunspell_create_key+0x1d7ad4 (01efe1df)
        01efe185 8bc3             mov     eax,ebx
        01efe187 e894030000       call    chrome!Hunspell_create_key+0x1d7e15 (01efe520)
        01efe18c 6a0a             push    0xa
        01efe18e 59               pop     ecx
        01efe18f 8bfb             mov     edi,ebx
ERROR -> 01efe191 f3a5            rep  movsd ds:00000000=???????? es:0012f5c8=00000000
        01efe193 8b742414         mov     esi,[esp+0x14]
        01efe197 8b4604           mov     eax,[esi+0x4]
        01efe19a 8b3d2c746d02     mov     edi,[chrome+0xaa742c (026d742c)]
        01efe1a0 85c0             test    eax,eax
        01efe1a2 7406             jz      chrome!Hunspell_create_key+0x1d7a9f (01efe1aa)
        01efe1a4 83c004           add     eax,0x4
        01efe1a7 50               push    eax
        01efe1a8 ffd7             call    edi
        01efe1aa 8b36             mov     esi,[esi]
        01efe1ac 85f6             test    esi,esi

*----> Seguimiento regresivo de pila <----*

0012f5f4 01de5724 00000000 0012f678 0012f72c chrome!Hunspell_create_key+0x1d7a86
0012f718 01cf9c7c 02ecabd0 0012f72c 0177d000 chrome!Hunspell_create_key+0xbf019
0012f7d0 01e9399d 00000000 02e79250 01794400 chrome!ChromeMain+0xc6738
0012f864 01fea0f4 0012f870 00000047 00000059 chrome!Hunspell_create_key+0x16d292
0012f878 01fe8bcf 00000047 00000059 01777004 chrome!Hunspell_create_key+0x2c39e9
0012f960 0226b069 02e79250 017403e8 0226b043 chrome!Hunspell_create_key+0x2c24c4
0012f994 020ae846 02e79250 00000000 01fc3e2e chrome!Hunspell_create_key+0x54495e
0012f9e8 01fd3c88 01777000 0012fb08 00000000 chrome!Hunspell_create_key+0x38813b
0012fa14 01fc3cd9 0012fb08 01777004 01fc3c5e chrome!Hunspell_create_key+0x2ad57d
0012fa48 01fddc4d 02979114 0012fe10 00000000 chrome!Hunspell_create_key+0x29d5ce
0012fcb0 01c33bac 00000007 003e5d88 01c33544 chrome!Hunspell_create_key+0x2b7542
0012fe6c 00403439 00400000 0012ff28 000207c0 chrome!ChromeMain+0x668
0012fed0 00403aa2 00400000 0012ff28 fffffffe chrome+0x3439
0012ff30 00445e3d 00400000 00000000 00020898 chrome+0x3aa2
0012ffc0 7c817067 7c80e534 00000000 7ffda000 chrome+0x45e3d
0012fff0 00000000 00445ea8 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49

Attachments:
testgif.gif (33.7 KB)
test.html (42 bytes)
Labels: -Pri-0 -Area-Undefined Pri-2 Area-WebKit
Status: Available
I can reproduce the crash on v5 stable and v6 trunk. It does require user interaction: the user right-clicking and then selecting "copy image". It does reproduce on Safari nightly as well. Filing a WebKit bug.
Filed WebKit bug - https://bugs.webkit.org/show_bug.cgi?id=39797
Labels: -Pri-2 Pri-3 SecSeverity-None
I looked more. For Chrome, it is a simple null deref. The bitmap below is null.

void Pasteboard::writeImage(Node* node, const KURL&, const String& title)
....
    // Returns null when the image has no decoded frame (e.g. the invalid GIF in the PoC).
    NativeImagePtr bitmap = image->nativeImageForCurrentFrame();
    // Passed on unchecked, so the null pointer is dereferenced downstream.
    ChromiumBridge::clipboardWriteImage(bitmap, url, title);

Leaving the security flag since it is a DoS for WebKit.
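The bug pattern and its fix side by side, as an added illustration that is not the WebKit or Chromium code from the changesets referenced in this issue: Image, NativeImage and Clipboard are constructed stand-ins (names hypothetical) for WebCore::Image, the platform bitmap and ChromiumBridge::clipboardWriteImage, and the checked variant mirrors the null check the upstream patch added.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Constructed stand-in for the platform bitmap (SkBitmap in Chromium). Only its
// copy semantics matter: the reported crash is a 'rep movsd' copying such a
// struct out of a null source pointer (esi=00000000 in the dump above).
struct NativeImage {
    int width = 0, height = 0;
    std::vector<uint8_t> pixels;
};
using NativeImagePtr = NativeImage*;
// Constructed stand-in for WebCore::Image. An image that failed to decode has
// no frame, so nativeImageForCurrentFrame() returns null, as for the PoC GIF.
struct Image {
    std::unique_ptr<NativeImage> frame;   // null when decoding failed
    NativeImagePtr nativeImageForCurrentFrame() const { return frame.get(); }
};
// Hypothetical clipboard sink (stands in for ChromiumBridge::clipboardWriteImage);
// it copies the bitmap by value, which is where the real code dereferenced null.
struct Clipboard {
    NativeImage stored;
    void writeImage(const NativeImage& bitmap) { stored = bitmap; }
};

// Before the fix: dereferences whatever the image returns.
void writeImageUnchecked(Clipboard& cb, const Image& image) {
    NativeImagePtr bitmap = image.nativeImageForCurrentFrame();
    cb.writeImage(*bitmap);               // null deref for an undecodable image
}

// After the fix (the null check added in WebKit changeset 60973): bail out
// when there is no decoded frame instead of touching a null bitmap.
bool writeImageChecked(Clipboard& cb, const Image& image) {
    NativeImagePtr bitmap = image.nativeImageForCurrentFrame();
    if (!bitmap)
        return false;                     // nothing to copy, no crash
    cb.writeImage(*bitmap);
    return true;
}

// Constructed inputs: a 2x1 RGBA image that decoded, and one that did not.
Image makeValidImage() {
    Image img;
    img.frame = std::make_unique<NativeImage>();
    img.frame->width = 2; img.frame->height = 1;
    img.frame->pixels = {0xff, 0, 0, 0xff, 0, 0xff, 0, 0xff};
    return img;
}
Image makeBrokenImage() { return Image{}; }
```

Calling writeImageUnchecked with makeBrokenImage() reproduces the null dereference; writeImageChecked returns false for the same input and copies the bitmap only when a frame exists.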
Comment 4 by karen@chromium.org, May 27 2010
Labels: Mstone-X
Labels: -SecSeverity-None -Mstone-X SecSeverity-Low Mstone-6
Status: WillMerge
Summary: Crash with invalid images. (was: NULL)
Patch committed upstream -  http://trac.webkit.org/changeset/60973, Build Fix - http://trac.webkit.org/changeset/60977
It does affect one more file, which might not require user interaction. Keeping SecSeverity-Low for now.
Comment 6 by jsc...@chromium.org, Jun 17 2010
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Bulk edit for SecurityNotify Migration.
Labels: -Mstone-6 Mstone-5
Comment 8 by bugdro...@gmail.com, Jun 28 2010
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=51016 

------------------------------------------------------------------------
r51016 | inferno@chromium.org | 2010-06-28 12:31:58 -0700 (Mon, 28 Jun 2010) | 26 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/platform/chromium/PasteboardChromium.cpp?r1=51016&r2=51015
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebKit/chromium/src/WebImageCG.cpp?r1=51016&r2=51015

Merge 60973 - 2010-06-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Dimitri Glazkov.

        Add null pointer checks for nativeImageForCurrentFrame
        function calls.
        https://bugs.webkit.org/show_bug.cgi?id=39797

        * platform/chromium/PasteboardChromium.cpp:
        (WebCore::Pasteboard::writeImage):
        
2010-06-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Dimitri Glazkov.

        Add null pointer checks for nativeImageForCurrentFrame
        function calls.
        https://bugs.webkit.org/show_bug.cgi?id=39797

        * src/WebImageCG.cpp:
        (WebKit::WebImage::WebImage):
        (WebKit::WebImage::operator=):

BUG= 45164 
TBR=hamaji@chromium.org
Review URL: http://codereview.chromium.org/2843029
------------------------------------------------------------------------

Status: FixUnreleased
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=51017 

------------------------------------------------------------------------
r51017 | inferno@chromium.org | 2010-06-28 12:33:51 -0700 (Mon, 28 Jun 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebKit/chromium/src/WebImageCG.cpp?r1=51017&r2=51016

Merge 60977 - Not reviewed, Chromium build fix from Abhishek Arya.

* src/WebImageCG.cpp:
(WebKit::WebImage::WebImage):
(WebKit::WebImage::operator=):

BUG= 45164 
TBR=dimich@chromium.org
Review URL: http://codereview.chromium.org/2850034
------------------------------------------------------------------------

Hey,

I've seen the credits for this bug, but I would like to use my real name (a question of job searching); could you change it?

I would like to be credited as:
Jose A. Vazquez (link to my blog: http://spa-s3c.blogspot.com/)

I think you generally ask about this. Thanks.


Sorry about that Jose, we forgot to get your full info before the patch went out.

Jason, Anthony, can you please update the blog post with Jose's name and a hyperlink to his site?
I updated the post with credit as requested!
Thanks ;)
Labels: -Restrict-View-SecurityNotify
Status: Fixed
Was fixed in 5.0.375.99; releasing.
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member Comment 18 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 19 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -SecSeverity-Low -Mstone-5 -Type-Security -SecImpacts-Stable Cr-Content Security-Severity-Low M-5 Security-Impact-Stable Type-Bug-Security
Project Member Comment 20 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 21 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 22 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 23 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 24 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 25 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic