
Issue 595637

Issue metadata

Status: WontFix
Owner:
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: Crash when emoji characters are present in title

Project Member Reported by koto@google.com, Mar 17 2016

Issue description

I'm just forwarding a report from JP-CERT about some crash. Their tracking #: VN: JVN#07091981 / TN: JPCERT#96464494 . I did not try to repro.


VULNERABILITY DETAILS
Crash. No code execution confirmed.

VERSION
Chrome Version: 46.0.2490.80 (64-bit) 
Operating System:   Mac OS X 10.9.5 (Mavericks) 

REPRODUCTION CASE
Application ends abnormally 
<Taken from crash report> 
Exception Type: EXC_BAD_ACCESS (SIGSEGV) 
Exception Codes: EXC_I386_GPFLT 

- Reproduction Procedure:
In Google Chrome, load an HTML file whose charset is set to utf-8 and which has a
title tag with the following 3 characters consecutively:
(an arbitrary multi-byte character \xe3\x81\x82), &#9996; (peace sign emoji \xe2\x9c\x8c), &#127995;&#65039; (white skin emoji \xf0\x9f\x8f\xbb\xef\xb8\x8f)
Possibility of arbitrary code execution is unknown

This could not be reproduced in Firefox 42.0, Safari 9.0.1 (9537.86.2.7.2) 
Also, this could not be reproduced in OS X Yosemite 

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: sorry, I have no details of those.
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

Attachment: JVN07091981_files.zip (192 bytes)
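As an added example (not part of the JPCERT report or of Chromium's code), the Python below decodes the raw byte sequences quoted above, checks that they agree with the numeric character references given for the same title, summarises which code points are emoji modifiers or variation selectors, and writes an equivalent UTF-8 test page for local triage; the output file name is an assumption.

```python
import html

# Byte sequences exactly as quoted in the report (constructed here from the text).
REPORT_BYTES = b"\xe3\x81\x82" b"\xe2\x9c\x8c" b"\xf0\x9f\x8f\xbb" b"\xef\xb8\x8f"
# Numeric character references the report gives for the emoji part of the title.
REPORT_NCRS = "&#9996;&#127995;&#65039;"

# Ranges that change how a preceding emoji is rendered (UTS #51 modifiers, VS16).
SKIN_TONE_MODIFIERS = range(0x1F3FB, 0x1F3FF + 1)
VARIATION_SELECTOR_16 = 0xFE0F


def decode_codepoints(raw):
    """Strictly decode UTF-8 and return the code points as 'U+XXXX' labels."""
    return ["U+%04X" % ord(ch) for ch in raw.decode("utf-8", errors="strict")]


def ncrs_to_bytes(ncrs):
    """Turn HTML numeric character references into the UTF-8 bytes they denote."""
    return html.unescape(ncrs).encode("utf-8")


def classify(raw):
    """Label each code point so a triager can see the modifier/selector pattern."""
    labels = []
    for ch in raw.decode("utf-8", errors="strict"):
        cp = ord(ch)
        if cp in SKIN_TONE_MODIFIERS:
            labels.append("skin-tone-modifier")
        elif cp == VARIATION_SELECTOR_16:
            labels.append("variation-selector-16")
        else:
            labels.append("base")
    return labels


def build_repro_html(title):
    """Minimal UTF-8 page with the given <title>; markup characters are escaped."""
    doc = ('<!DOCTYPE html><html><head><meta charset="utf-8">'
           "<title>%s</title></head><body></body></html>" % html.escape(title))
    return doc.encode("utf-8")


if __name__ == "__main__":
    print(decode_codepoints(REPORT_BYTES), classify(REPORT_BYTES))
    # Assumed output path; adjust as needed.
    with open("jvn07091981_repro.html", "wb") as f:
        f.write(build_repro_html(REPORT_BYTES.decode("utf-8")))
```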

Comment 1 Deleted

Comment 2 by koto@google.com, Mar 17 2016

Please cc vuls@jpcert.or.jp

Comment 3 by mea...@chromium.org, Mar 17 2016

Cc: v...@jpcert.or.jp

Comment 4 by mea...@chromium.org, Mar 17 2016

This sounds very similar to crbug.com/589966. Do you happen to have a crash id?

Comment 5 by mea...@chromium.org, Mar 18 2016

Labels: Needs-Feedback
Ping, do you think this is the same bug as crbug.com/589966?

Comment 6 by koto@google.com, Mar 18 2016

I don't know, this is the issue reported through JP-CERT (cc'd). I can't repro this on 48 nor 50 on OSX 10.11.3, so it might already be fixed.

Comment 7 by sheriffbot@chromium.org, Mar 19 2016

Labels: -Needs-Feedback Needs-Review
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)
Thank you for providing more feedback. Assigning to requester "meacer@chromium.org" for another review.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by mea...@chromium.org, Mar 20 2016

Status: WontFix (was: Assigned)
I can't reproduce this on OSX 10.11.3, so closing.

vuls@jpcert.or.jp: Please let us know if you have new information. Thanks.

Comment 9 by sheriffbot@chromium.org, Jun 27 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot