
Issue metadata

Status: Fixed
Owner: ----
Closed: Sep 2010
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
M-6


Use after free with SVG use referencing svg style element

Reported by kuz...@gmail.com, Jul 30 2010

Issue description

With Chrome it seems to always come to 00000000, but Chromium does not.
It does not crash Safari.


chromium 6.0.477.0 (53603)
chrome 5.0.375.125

1.svg
=============================
<?xml version="1.0" standalone="no"?>
<svg width="100%" height="100%" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style id="crash">
    <ff/>
  </style>
  <use xlink:href="#crash" />
  <k>
</svg>

1.txt (5.1 KB)

Comment 1 by jsc...@chromium.org, Jul 30 2010

Confirmed on trunk and stable. Looks like another use-after-free with the SVG use element. Taking a closer look at it now.

Comment 2 by jsc...@chromium.org, Jul 30 2010

Issue 50713 has been merged into this issue.

Comment 3 by jsc...@chromium.org, Jul 30 2010

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Mstone-5 OS-All SecSeverity-High
Summary: Use after free with SVG use element style recalc

Comment 4 by jsc...@chromium.org, Jul 30 2010

Summary: Use after free with SVG use referencing svg style element

Comment 5 by jsc...@chromium.org, Jul 30 2010

Here's the explanation. The SVGStyleElement instance is getting prematurely deleted along with the shadow tree for the use element. I've reduced the testcase a bit more just to keep the stack smaller and destructions easy to follow. Filed upstream here:
https://bugs.webkit.org/show_bug.cgi?id=43260

I'm not getting a crash in Safari, but it is knocking out WebKit trunk.
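Comment 5 above describes the mechanism: the SVGStyleElement instance is deleted together with the use element's shadow tree while code that triggered the teardown still holds a pointer into that tree. The C++ below is an added model of that destruction-ordering hazard, written for this page; it is not WebKit's code and not the fix that landed in changeset 66795. UseElement, Node, buildShadowTreeUnsafe, buildShadowTreeSafe and the registry of live nodes are hypothetical stand-ins, and the registry exists only so the demo can detect a dangling pointer instead of dereferencing freed memory. The sample target (a style element with the content <ff/>) is constructed to mirror 1.svg.

```cpp
// Model of the destruction-ordering hazard behind this bug (illustration only,
// not WebKit's code): a <use> element owns a shadow tree of clones of its
// target; inserting a cloned <style> triggers a style recalc, and if that
// recalc tears the shadow tree down, the caller is left holding a pointer to
// a freed node. All names here are hypothetical.
#include <cassert>
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of live nodes so the demo can *detect* a dangling pointer instead
// of dereferencing freed memory (which would be undefined behaviour).
static std::set<const void*> g_liveNodes;

struct Node {
    std::string tag;
    std::string text;  // for <style>, the element's content
    Node(std::string t, std::string body) : tag(std::move(t)), text(std::move(body)) {
        g_liveNodes.insert(this);
    }
    Node(const Node& o) : tag(o.tag), text(o.text) { g_liveNodes.insert(this); }  // cloning
    ~Node() { g_liveNodes.erase(this); }
};

static bool isLive(const Node* n) { return g_liveNodes.count(n) != 0; }

// A <use> element: owns clones of the element its xlink:href points at.
struct UseElement {
    std::shared_ptr<Node> target;                   // referenced element
    std::vector<std::shared_ptr<Node>> shadowTree;  // clones, owned here
    std::function<void()> onStyleInserted;          // document's style-recalc hook
    void clearShadowTree() { shadowTree.clear(); }
};

// Vulnerable form: 'clone' is a raw pointer into the shadow tree. If the
// style-recalc hook re-enters the use element and destroys the shadow tree,
// the node is freed while this function still intends to use it.
// Returns the style text, or "" when the registry shows the pointer dangling
// (real code would simply dereference it, as in the reported crash).
std::string buildShadowTreeUnsafe(UseElement& use, bool& useAfterFree) {
    use.shadowTree.push_back(std::make_shared<Node>(*use.target));
    Node* clone = use.shadowTree.back().get();
    if (clone->tag == "style" && use.onStyleInserted)
        use.onStyleInserted();  // may tear down shadowTree, deleting *clone
    useAfterFree = !isLive(clone);
    return useAfterFree ? std::string() : clone->text;
}

// Hardened form: hold a strong reference (WebKit's RefPtr; std::shared_ptr
// here) for the whole operation, so a re-entrant teardown can drop the tree's
// reference but cannot free the node underneath us.
std::string buildShadowTreeSafe(UseElement& use, bool& useAfterFree) {
    std::shared_ptr<Node> clone = std::make_shared<Node>(*use.target);
    use.shadowTree.push_back(clone);
    if (clone->tag == "style" && use.onStyleInserted)
        use.onStyleInserted();
    useAfterFree = !isLive(clone.get());  // never true: we still own a reference
    return clone->text;
}

struct Outcome {
    bool useAfterFree;
    std::string styleText;
    size_t shadowNodes;  // nodes left in the shadow tree after the build
};

// Plays out the scenario from 1.svg: <use xlink:href="#crash"> pointing at a
// <style> element, with style recalc tearing down the use element's shadow
// tree. The target node is constructed sample data for this example.
Outcome runScenario(bool hardened) {
    UseElement use;
    use.target = std::make_shared<Node>("style", "<ff/>");
    use.onStyleInserted = [&use] { use.clearShadowTree(); };
    Outcome out{false, "", 0};
    out.styleText = hardened ? buildShadowTreeSafe(use, out.useAfterFree)
                             : buildShadowTreeUnsafe(use, out.useAfterFree);
    out.shadowNodes = use.shadowTree.size();
    return out;
}

int main() {
    Outcome bad = runScenario(false);
    Outcome good = runScenario(true);
    std::cout << "unsafe: use-after-free=" << bad.useAfterFree << "\n"
              << "safe:   use-after-free=" << good.useAfterFree
              << " text=" << good.styleText << "\n";
    return bad.useAfterFree && !good.useAfterFree ? 0 : 1;
}
```

The hardened form follows the general WebKit rule of holding a RefPtr across any call that can run style recalc or script; the upstream fix for this issue (changeset 66795, whose changelog appears later in this thread) instead changed SVGUseElement::insertedIntoDocument, removedFromDocument and detach so the shadow tree is not deleted prematurely in the first place.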

Comment 6 by jsc...@chromium.org, Jul 31 2010

I confirmed on Friday that this is a general destruction ordering issue with use elements. I may have a fix, and will circle back on Monday.
Status: Available
Issue 51252 may be a duplicate, but needs further investigation.

Comment 9 Deleted

Labels: -Mstone-5 Mstone-6
Status: WillMerge
Fix landed upstream as http://trac.webkit.org/changeset/66795
It should be an easy, low risk merge to stable.

Labels: reward-1000 reward-unpaid
@kuzzcc: congratulations! This report provisionally qualifies for a $1000 Chromium Security Reward! We are increasing this reward beyond the base level because:
- The initial comment contains a very simple repro.
- The initial comment includes a nice crash log which shows a crash trying to write to a register which has 16-bit Unicode ASCII text in it :)
(We are willing to overlook the duplicate bug(s) here on account of the good quality of the repro and crash record)

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased

Broke the compile, fixing.
3>d:\chrome\472\src\third_party\webkit\webcore\svg\SVGUseElement.cpp(127) : error C2248: 'WebCore::XMLDocumentParser::wellFormed' : cannot access private member declared in class 'WebCore::XMLDocumentParser'
3>        d:\chrome\472\src\third_party\WebKit\WebCore\dom\XMLDocumentParser.h(103) : see declaration of 'WebCore::XMLDocumentParser::wellFormed'
3>        d:\chrome\472\src\third_party\WebKit\WebCore\dom\XMLDocumentParser.h(73) : see declaration of 'WebCore::XMLDocumentParser'

Compile fixed. Looks like some other change made this function public, so I did the same :)
------------------------------------------------------------------------
r58828 | inferno@chromium.org | Wed Sep 08 08:57:40 PDT 2010
Changed paths:
 M /branches/WebKit/472/WebCore/svg/SVGUseElement.cpp
 A /branches/WebKit/472/LayoutTests/svg/custom/use-invalid-style-expected.txt
 A /branches/WebKit/472/LayoutTests/svg/custom/use-invalid-style.svg
Merge 66795 - 2010-09-04  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nikolas Zimmermann.

        Prevent premature deletion of svg use shadow tree
        https://bugs.webkit.org/show_bug.cgi?id=43260

        Test: svg/custom/use-invalid-style.svg

        * svg/SVGUseElement.cpp:
        (WebCore::SVGUseElement::insertedIntoDocument):
        (WebCore::SVGUseElement::removedFromDocument):
        (WebCore::SVGUseElement::detach):
2010-09-04  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nikolas Zimmermann.

        Check for premature deletion of svg use shadow style element
        https://bugs.webkit.org/show_bug.cgi?id=43260

        * svg/custom/use-invalid-style-expected.txt: Added.
        * svg/custom/use-invalid-style.svg: Added.


BUG= 50712 

Review URL: http://codereview.chromium.org/3364011
------------------------------------------------------------------------
------------------------------------------------------------------------
r58841 | inferno@chromium.org | Wed Sep 08 09:56:31 PDT 2010
Changed paths:
 M /branches/WebKit/472/WebCore/dom/XMLDocumentParser.h
Fix SVG Compile.

BUG= 50712 

------------------------------------------------------------------------
Labels: -reward-unpaid
Payment is in the electronic system.

Issue 66763 has been merged into this issue.

Labels: Type-Security

Labels: SecImpacts-Stable
Batch update.

Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.

Status: Fixed

Comment 26 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 27 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Mstone-6 -SecSeverity-High -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable M-6 Type-Bug-Security Security-Severity-High

Comment 28 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 30 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 31 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
