Issue metadata
Security: heap-use-after-free in blink::TouchAdjustment::nodeRespondsToTapGesture
Reported by chromium...@gmail.com, Aug 16 2016
Issue description

VERSION
Chrome Version: 54.0.2830.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to chrome://md-settings
2. Open devtools and emulate
3. Select "Show home button" option

rax=0700020100034000 rbx=0000044b76901b70 rcx=0000044b76901b70
rdx=000007fed5287608 rsi=0000000000000000 rdi=0000000000000000
rip=000007fed24b801b rsp=000000000031c470 rbp=000000000031c5a0
 r8=0000000000000000  r9=0000044b76901b70 r10=000000007b9ddf6b
r11=000000000031c420 r12=0000044f08622320 r13=0000000000000000
r14=0000000000000004 r15=0000000000000004
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!blink::TouchAdjustment::nodeRespondsToTapGesture+0x6f:
000007fe`d24b801b f6406006        test    byte ptr [rax+60h],6 ds:07000201`00034060=??
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0031c470 000007fe`d24b7be2 chrome_child!blink::TouchAdjustment::nodeRespondsToTapGesture+0x6f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\page\touchadjustment.cpp @ 97]
00000000`0031c4a0 000007fe`d22edb8e chrome_child!blink::TouchAdjustment::compileSubtargetList+0x10e [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\page\touchadjustment.cpp @ 270]
00000000`0031cb30 000007fe`d22edb01 chrome_child!blink::findBestClickableCandidate+0x52 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\page\touchadjustment.cpp @ 490]
00000000`0031cba0 000007fe`d24b92a1 chrome_child!blink::EventHandler::bestClickableNodeForHitTestResult+0xfd [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 1762]
00000000`0031ccd0 000007fe`d24b941a chrome_child!blink::EventHandler::applyTouchAdjustment+0x59 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 2022]
00000000`0031cd20 000007fe`d24b91ca chrome_child!blink::EventHandler::hitTestResultForGestureEvent+0x122 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 1982]
00000000`0031cf30 000007fe`d254785c chrome_child!blink::EventHandler::targetGestureEvent+0x92 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 1945]
00000000`0031cff0 000007fe`d2545ec7 chrome_child!blink::WebViewImpl::handleGestureEvent+0x13c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\webviewimpl.cpp @ 806]
00000000`0031d2e0 000007fe`d2545d6a chrome_child!blink::PageWidgetDelegate::handleInputEvent+0xb7 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\pagewidgetdelegate.cpp @ 180]
00000000`0031d440 000007fe`d2545546 chrome_child!blink::WebViewImpl::handleInputEvent+0x152 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\webviewimpl.cpp @ 2221]
00000000`0031d560 000007fe`d254531e chrome_child!content::RenderWidgetInputHandler::HandleInputEvent+0x222 [c:\b\build\slave\win64-pgo\build\src\content\renderer\input\render_widget_input_handler.cc @ 323]
00000000`0031d8f0 000007fe`d255c003 chrome_child!content::RenderWidget::OnHandleInputEvent+0x16 [c:\b\build\slave\win64-pgo\build\src\content\renderer\render_widget.cc @ 677]
00000000`0031d920 000007fe`d255b84b chrome_child!IPC::MessageT<InputMsg_HandleInputEvent_Meta,std::tuple<blink::WebInputEvent const * __ptr64,ui::LatencyInfo,enum content::InputEventDispatchType>,void>::Dispatch<content::RenderWidget,content::RenderWidget,void,void (__cdecl content::RenderWidget::*)(blink::WebInputEvent const * __ptr64,ui::LatencyInfo const & __ptr64,enum content::InputEventDispatchType) __ptr64>+0xc3 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0031dbb0 000007fe`d2341819 chrome_child!content::RenderWidget::OnMessageReceived+0xef [c:\b\build\slave\win64-pgo\build\src\content\renderer\render_widget.cc @ 479]
00000000`0031dc40 000007fe`d2376425 chrome_child!content::RenderViewImpl::OnMessageReceived+0x199 [c:\b\build\slave\win64-pgo\build\src\content\renderer\render_view_impl.cc @ 1381]
00000000`0031dde0 000007fe`d23760ca chrome_child!IPC::MessageRouter::RouteMessage+0x29 [c:\b\build\slave\win64-pgo\build\src\ipc\message_router.cc @ 53]
00000000`0031de10 000007fe`d2210bf7 chrome_child!content::ChildThreadImpl::OnMessageReceived+0x9e [c:\b\build\slave\win64-pgo\build\src\content\child\child_thread_impl.cc @ 774]
00000000`0031dea0 000007fe`d266ba45 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl content::MojoShellConnectionImpl::*)(shell::Identity const & __ptr64) __ptr64,base::WeakPtr<content::MojoShellConnectionImpl> >,void __cdecl(shell::Identity const & __ptr64)>::Run+0x2f [c:\b\build\slave\win64-pgo\build\src\base\bind_internal.h @ 328]
00000000`0031ded0 000007fe`d266b962 chrome_child!content::InputEventFilter::HandleEventOnMainThread+0x81 [c:\b\build\slave\win64-pgo\build\src\content\renderer\input\input_event_filter.cc @ 253]
00000000`0031dfa0 000007fe`d205064e chrome_child!content::MainThreadEventQueue::PopEventOnMainThread+0xba [c:\b\build\slave\win64-pgo\build\src\content\renderer\input\main_thread_event_queue.cc @ 108]
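A triage helper for the crash excerpt in the report above, added here as an example; it is not part of the bug report and not Chromium tooling. It parses the WinDbg register dump, the faulting instruction line and the `k` stack trace into structured data, recomputes the effective address of the `[rax+60h]` load from the register values, cross-checks it against the `ds:` address the debugger printed, and tests whether that address is even canonical on x86-64. The sample strings are re-laid out (one frame per line, first six frames only) from the values quoted in the report; the function names, regexes and the canonical-address check are the example's own.

```python
"""Parse a WinDbg register dump, faulting-instruction line and `k` stack trace.

Added example for the report above; not Chromium code. The sample inputs below
are constructed from the values the reporter quoted.
"""
import re

# Register dump as printed by WinDbg `r` (values verbatim from the report).
REGISTER_DUMP = (
    "rax=0700020100034000 rbx=0000044b76901b70 rcx=0000044b76901b70 "
    "rdx=000007fed5287608 rsi=0000000000000000 rdi=0000000000000000 "
    "rip=000007fed24b801b rsp=000000000031c470 rbp=000000000031c5a0 "
    "r8=0000000000000000 r9=0000044b76901b70 r10=000000007b9ddf6b "
    "r11=000000000031c420 r12=0000044f08622320 r13=0000000000000000 "
    "r14=0000000000000004 r15=0000000000000004 "
    "iopl=0 nv up ei pl nz na po nc "
    "cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00010206"
)
# The instruction that faulted, with the effective address WinDbg resolved.
FAULT_LINE = ("000007fe`d24b801b f6406006 test byte ptr [rax+60h],6 "
              "ds:07000201`00034060=??")
# First six frames of the `k` output, one per line (constructed from the report).
STACK = r"""
00000000`0031c470 000007fe`d24b7be2 chrome_child!blink::TouchAdjustment::nodeRespondsToTapGesture+0x6f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\page\touchadjustment.cpp @ 97]
00000000`0031c4a0 000007fe`d22edb8e chrome_child!blink::TouchAdjustment::compileSubtargetList+0x10e [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\page\touchadjustment.cpp @ 270]
00000000`0031cb30 000007fe`d22edb01 chrome_child!blink::findBestClickableCandidate+0x52 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\page\touchadjustment.cpp @ 490]
00000000`0031cba0 000007fe`d24b92a1 chrome_child!blink::EventHandler::bestClickableNodeForHitTestResult+0xfd [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 1762]
00000000`0031ccd0 000007fe`d24b941a chrome_child!blink::EventHandler::applyTouchAdjustment+0x59 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 2022]
00000000`0031cd20 000007fe`d24b91ca chrome_child!blink::EventHandler::hitTestResultForGestureEvent+0x122 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\input\eventhandler.cpp @ 1982]
"""

# Only 16-hex-digit values are registers; segment selectors and efl are shorter.
REG_RE = re.compile(r"\b([a-z0-9]+)=([0-9a-f]{16})\b")
# "<child-sp> <retaddr> <module>!<function>+0x<off> [<file> @ <line>]"
FRAME_RE = re.compile(
    r"^(?P<sp>[0-9a-f`]+)\s+(?P<ret>[0-9a-f`]+)\s+"
    r"(?P<module>\w+)!(?P<function>.+)\+0x(?P<offset>[0-9a-f]+)"
    r"\s+\[(?P<file>.+) @ (?P<line>\d+)\]$"
)
# Memory operand in MASM syntax, e.g. [rax+60h]; only base+disp is handled here.
MEM_OPERAND_RE = re.compile(r"\[(?P<base>[a-z0-9]+)(?:\+(?P<disp>[0-9a-f]+)h)?\]")
MASK64 = (1 << 64) - 1


def parse_registers(dump):
    """Map register name -> integer value for every 64-bit register in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def parse_frames(text):
    """Turn `k` output into a list of dicts (module, function, offset, file, line)."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised frame line: " + line)
        frames.append({"module": m["module"], "function": m["function"],
                       "offset": int(m["offset"], 16),
                       "file": m["file"], "line": int(m["line"])})
    return frames


def fault_address(regs, fault_line):
    """Recompute the effective address of the memory operand from register values."""
    m = MEM_OPERAND_RE.search(fault_line)
    if not m:
        raise ValueError("no memory operand in: " + fault_line)
    disp = int(m["disp"], 16) if m["disp"] else 0
    return (regs[m["base"]] + disp) & MASK64


def is_canonical(addr, va_bits=48):
    """x86-64 canonical form: bits va_bits-1..63 must all equal bit va_bits-1."""
    upper = addr >> (va_bits - 1)
    return upper == 0 or upper == (1 << (64 - va_bits + 1)) - 1


def triage(register_dump=REGISTER_DUMP, fault_line=FAULT_LINE, stack=STACK):
    """Summarise the fault: where it happened and whether the address is plausible."""
    regs = parse_registers(register_dump)
    frames = parse_frames(stack)
    addr = fault_address(regs, fault_line)
    shown = re.search(r"ds:([0-9a-f`]+)=", fault_line)[1].replace("`", "")
    basename = frames[0]["file"].split("\\")[-1]
    return {
        "rip": regs["rip"],
        "fault_address": addr,
        "matches_debugger": addr == int(shown, 16),
        "non_canonical": not is_canonical(addr),
        "top_frame": frames[0]["function"],
        "source": "%s:%d" % (basename, frames[0]["line"]),
        "frames": [f["function"] for f in frames],
    }


if __name__ == "__main__":
    summary = triage()
    for key, value in summary.items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = "0x%016x" % value
        print("%-17s %s" % (key, value))
```

The recomputed address 0x0700020100034060 matches the `ds:` value the debugger printed, and it lies outside the canonical x86-64 range, so whatever sat in rax at the time of the `test byte ptr [rax+60h],6` was not a live pointer into the renderer's heap. That is consistent with the `=??` WinDbg shows and with the report's heap-use-after-free title, although the dump alone does not identify which object was freed; that needs an ASan or symbolised heap trace.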
Comment by Sheriffbot, Nov 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Aug 16 2016
Merged into: 638150
Status: Duplicate (was: Unconfirmed)