
Issue 51654


Issue metadata

Status: Fixed
Owner: ----
Closed: Aug 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
M-5


Memory corruption with moving ruby text nodes to runs without ruby bases.

Reported by kuz...@gmail.com, Aug 10 2010

Issue description

1.htm
========================

<script> 
function crash(){
document.getElementsByTagName("body")[0].outerHTML=1
}
</script> 
<body onload='crash()'> 
<ruby> 
<fieldset/> 
</ruby> 
<rt> 
</rt> 
<blockquote> 
<body> 
</body> 
</blockquote> 
<rt/><rt/> 
</body>

chromium 6.0.490.0 (55524)
 
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High Mstone-6
Status: Available
This is a use after free incorrectly done in one of the object destructors. So, definitely a secseverity high. Since probably there would be no more v5 patches after the upcoming one, marking this M6. I will take a closer look in morning.
Summary: Use after free in renderobject destroy function.
Summary: Memory corruption with moving ruby text nodes to runs without ruby bases.
Filed webkit bug - https://bugs.webkit.org/show_bug.cgi?id=43795
Labels: -Restrict-View-SecurityTeam -Mstone-6 Restrict-View-SecurityNotify Mstone-5
Status: WillMerge
Committed r65090: <http://trac.webkit.org/changeset/65090>

Comment 5 by bugdro...@gmail.com, Aug 12 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55883 

------------------------------------------------------------------------
r55883 | inferno@chromium.org | 2010-08-12 07:11:08 -0700 (Thu, 12 Aug 2010) | 26 lines
Changed paths:
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/472/LayoutTests/fast/ruby/ruby-remove-no-base-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/472/LayoutTests/fast/ruby/ruby-remove-no-base.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/472/WebCore/rendering/RenderRubyRun.cpp?r1=55883&r2=55882

Merge 65090 - 2010-08-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Take checks for ruby base existence out of the ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=43795

        Test: fast/ruby/ruby-remove-no-base.html

        * rendering/RenderRubyRun.cpp:
        (WebCore::RenderRubyRun::addChild):
        (WebCore::RenderRubyRun::removeChild):
2010-08-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that removing a ruby child which causes merging of ruby base with
        a non-existent base of the right sibling run does not result in crash.
        https://bugs.webkit.org/show_bug.cgi?id=43795

        * fast/ruby/ruby-remove-no-base-expected.txt: Added.
        * fast/ruby/ruby-remove-no-base.html: Added.

BUG= 51654 

Review URL: http://codereview.chromium.org/3160007
------------------------------------------------------------------------

Comment 6 by bugdro...@gmail.com, Aug 12 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55884 

------------------------------------------------------------------------
r55884 | inferno@chromium.org | 2010-08-12 07:17:28 -0700 (Thu, 12 Aug 2010) | 26 lines
Changed paths:
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/ruby/ruby-remove-no-base-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/ruby/ruby-remove-no-base.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/rendering/RenderRubyRun.cpp?r1=55884&r2=55883

Merge 65090 - 2010-08-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Take checks for ruby base existence out of the ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=43795

        Test: fast/ruby/ruby-remove-no-base.html

        * rendering/RenderRubyRun.cpp:
        (WebCore::RenderRubyRun::addChild):
        (WebCore::RenderRubyRun::removeChild):
2010-08-10  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that removing a ruby child which causes merging of ruby base with
        a non-existent base of the right sibling run does not result in crash.
        https://bugs.webkit.org/show_bug.cgi?id=43795

        * fast/ruby/ruby-remove-no-base-expected.txt: Added.
        * fast/ruby/ruby-remove-no-base.html: Added.

BUG= 51654 

Review URL: http://codereview.chromium.org/3179009
------------------------------------------------------------------------

Status: FixUnreleased
Labels: reward-1000 reward-unpaid
@kuzzcc: congratulations! We'd like to provisionally offer you a $1000 reward for your help in reporting this bug. We are rewarding this higher amount because this is a "high quality report":
- The repro is small and fairly well reduced.
- The repro triggers the bug reliably.
Please continue to keep the details confidential until we release the fix in a patch. Also, once we've released the fix, please be considerate that other WebKit-based products might be releasing the fix on different timelines.

In order to be sure to get the increased rewards for "high quality" reports in the future, please be sure to:
- Avoid filing duplicate bugs! If the stack trace and/or repros look similar, then the underlying bug may be the same.
- Include stack traces where possible.
- Always include an explanation of why it is a security bug. In the case of bugs like this bug, ALWAYS include details of the crash (assembly instruction and register contents).
- Where applicable, please include proof why a crash is more than just a null pointer dereference.
Can't repro with 375.126 and 375.127 on Win
Labels: -reward-unpaid
Payment is in the electronic system.
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed

Comment 16 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 17 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -SecSeverity-High -Mstone-5 -Type-Security -SecImpacts-Stable Cr-Content M-5 Security-Impact-Stable Type-Bug-Security Security-Severity-High

Comment 18 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 21 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
