Starred by 3 users

Issue metadata

Status: Fixed
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Issue 586628: Security: Denial of Service attack against Chrome on OS X on LAN

Reported by, Feb 12 2016

Issue description

Sending malformed UTF-8 in mDNS TXT messages causes a NULL pointer dereference.  If an HP network printer with Google Cloud Print has a name containing emojis, this will happen automatically.  Trivial replay of these packets crashes all OS X Chromes on the network within five seconds.

The relevant lines in the Chromium source:

(NSString initWithBytes returns nil if the bytes aren't valid UTF-8.)

vlog output just before crash:
[1017:3343:0212/] Resolving service :printer:downstairs._privet._tcp.local
[1017:99123:0212/] ServiceResolverImplMac::ServiceResolverImplMac::StartResolvingOnDiscoveryThread: Success
[1017:3343:0212/] ServiceWatcherImplMac::OnServicesUpdate: :printer:downstairs._privet._tcp.local
[1017:3343:0212/] OnServiceUpdated: service_type: _privet._tcp.local, service_name: :printer:downstairs._privet._tcp.local, update: 1
[1017:3343:0212/] Resolver already exists, service_name: :printer:downstairs._privet._tcp.local
[1017:99123:0212/] ServiceResolverImplMac::NetServiceContainer::StartResolvingOnDiscoveryThread: :printer:downstairs._privet._tcp.local, instance: :printer:downstairs, type: _privet._tcp., domain: local.
[1017:99123:0212/] ParseTxtRecord: 176
[1017:99123:0212/] TxtRecord: txtvers=1
[1017:99123:0212/] TxtRecord: UUID=50484256-4330-3130-3031-5820b14f2d90
[1017:99123:0212/] TxtRecord: ty=�� downstairs

Chrome Version: 48.0.2564.109 stable
Operating System: OS X 10.11.3

See attached script.

Type of crash: browser
Crash State: see second attached text file.

Comment 1 by, Feb 13 2016

Labels: Security_Severity-Low Cr-Internals-Printing M-50 Pri-2
Status: Assigned
Thanks for the detailed report. Mind taking a look at this, vitalybuka@? I'm not very familiar with objective c, but it looks like we need to check for null before calling UTF8String?
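The failure mode described in the report and in comment 1 (a TXT record whose bytes are not valid UTF-8 makes the decoder return nil, and the nil is then dereferenced) can be avoided by validating before decoding. The following is an added example, not Chromium's local_discovery code and not the patch from this issue: a small C parser for mDNS TXT rdata (length-prefixed `key=value` strings) that checks each entry against RFC 3629 and sanitizes rather than passes through invalid sequences. The helper names (`utf8_valid`, `parse_txt_record`, `build_sample`) are assumptions made for this example; the sample record is constructed to mirror the `txtvers`, `UUID` and `ty` entries shown in the vlog output above, with the `ty` value built once as a well-formed emoji and once as a truncated multi-byte sequence.

```c
/* Added example: defensive parsing of an mDNS TXT record (not Chromium code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_ENTRY_LEN 255

typedef struct {
    char text[MAX_ENTRY_LEN + 1]; /* NUL-terminated key=value, sanitized */
    bool valid_utf8;              /* false if the raw bytes failed validation */
} txt_entry;

/* Strict UTF-8 check (RFC 3629): rejects bad lead/continuation bytes,
 * truncated sequences, overlong encodings, surrogates and > U+10FFFF. */
bool utf8_valid(const uint8_t *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t c = s[i];
        size_t len;
        uint32_t cp, min;
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return false;                       /* 0x80-0xBF or 0xF8-0xFF lead byte */
        if (i + len > n) return false;           /* sequence runs past the buffer */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
        i += len;
    }
    return true;
}

/* Parse TXT rdata: a sequence of <length byte><bytes>. Returns the number of
 * entries stored in out, or -1 if a length byte overruns the rdata. Entries
 * that are not valid UTF-8 are kept but have every non-ASCII byte replaced
 * by '?', so the caller never hands raw bytes to a decoder that may fail. */
int parse_txt_record(const uint8_t *rdata, size_t n, txt_entry *out, int max) {
    size_t i = 0;
    int count = 0;
    while (i < n) {
        size_t len = rdata[i++];
        if (i + len > n) return -1;      /* truncated entry: reject the record */
        if (len == 0) continue;          /* empty strings are legal and ignored */
        if (count >= max) return count;
        txt_entry *e = &out[count++];
        e->valid_utf8 = utf8_valid(rdata + i, len);
        for (size_t k = 0; k < len; k++) {
            uint8_t b = rdata[i + k];
            /* embedded NUL is never kept; non-ASCII is kept only when validated */
            e->text[k] = (b != 0 && (e->valid_utf8 || b < 0x80)) ? (char)b : '?';
        }
        e->text[len] = '\0';
        i += len;
    }
    return count;
}

/* Append one length-prefixed string to a TXT rdata buffer. */
static size_t txt_append(uint8_t *buf, size_t pos, const void *s, size_t len) {
    buf[pos] = (uint8_t)len;
    memcpy(buf + pos + 1, s, len);
    return pos + 1 + len;
}

/* Constructed sample rdata modelled on the report's log lines (not a capture). */
size_t build_sample(uint8_t *buf, bool malformed) {
    size_t p = 0;
    p = txt_append(buf, p, "txtvers=1", 9);
    p = txt_append(buf, p, "UUID=50484256-4330-3130-3031-5820b14f2d90", 41);
    if (malformed)
        p = txt_append(buf, p, "ty=\xF0\x9F downstairs", 16);      /* cut-off 4-byte sequence */
    else
        p = txt_append(buf, p, "ty=\xF0\x9F\x96\xA8 downstairs", 18); /* U+1F5A8, well-formed */
    return p;
}

int main(void) {
    uint8_t buf[128];
    txt_entry entries[MAX_ENTRIES];
    size_t n = build_sample(buf, true);
    int count = parse_txt_record(buf, n, entries, MAX_ENTRIES);
    for (int k = 0; k < count; k++)
        printf("TxtRecord: %s%s\n", entries[k].text,
               entries[k].valid_utf8 ? "" : "  [invalid UTF-8, sanitized]");
    return 0;
}
```

The important property is that a record with a broken `ty` value still produces a usable entry (`ty=?? downstairs`) instead of a nil/NULL that propagates into later code; whether to sanitize, drop the entry, or drop the whole service is a policy choice, but all three are preferable to decoding first and checking afterwards.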

Comment 2 by ClusterFuzz, Feb 13 2016

Project Member
Labels: Security_Impact-Head

Comment 3 by ClusterFuzz, Mar 3 2016

Project Member
Labels: -Security_Impact-Head Security_Impact-Beta

Comment 4 by, Apr 4 2016

Owner: ----
Status: Available (was: Assigned)

Comment 5 by, Apr 14 2016

Project Member
Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 6 by, May 26 2016

Project Member
Labels: -M-50 M-51

Comment 7 by, Jun 15 2016

Labels: -M-51 M-53 OS-Mac
shrike: Can you help find an owner for this bug? The code in question is currently at

Comment 8 by, Jun 15 2016

So, I don't have a way to easily build chromium right now, but this issue is really annoying, so I'm attaching a patch to maybe get the ball rolling.  HTH.

Comment 9 by, Jun 15 2016

Status: Assigned (was: Available)
rsesek@ - can you take a look?

Comment 10 by, Jul 8 2016

Status: Started (was: Assigned)
The patch in #8 is a start, but I also noticed that this file has a bunch of leaks in it, and also can mishandle UTF-8 in other strings. CL is now out for review along with regression tests:

Comment 11 by, Jul 11 2016


Comment 12 by, Jul 12 2016

Project Member
The following revision refers to this bug:

commit 4de054ddd802a66e912b5d1e29666d58413148ff
Author: rsesek <>
Date: Tue Jul 12 04:12:39 2016

[Mac] Make the local_discovery client more resilient to invalid UTF-8.

Both service names and TXT records could contain invalid code unit sequences
that could later lead to crashes. This change also fixes several NSObject leaks.

BUG=586628

Cr-Commit-Position: refs/heads/master@{#404781}


Comment 13 by, Jul 12 2016

Labels: -M-53 M-54
Status: Fixed (was: Started)

Comment 14 by, Jul 13 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by, Aug 8 2016

Issue 630838 has been merged into this issue.

Comment 16 by, Oct 10 2016

Labels: Release-0-M54

Comment 17 by, Oct 10 2016

Labels: -Type-Bug-Security -Security_Severity-Low -Release-0-M54 Type-Bug

Comment 18 by, Oct 19 2016

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
