
Issue 638632


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Stack overflow using ~300 nested buttons

Reported by greencar...@hotmail.com, Aug 17 2016

Issue description

VULNERABILITY DETAILS
Nesting roughly 300 buttons causes a stack overflow. I get different stack traces, so there might be some corruption going on?

VERSION
Chrome Version: 52.0.2743.116 m (stable, 64-bit)
Operating System: Windows 8.1 64-bit

REPRODUCTION CASE
Check attached POC

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab

STACK_TEXT:  
00000037`4dba3fe0 00007ff8`97f9652e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutObject::isAnonymousBlock+0x3e
00000037`4dba4010 00007ff8`97f9667d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::shouldTruncateOverflowingText+0xe
00000037`4dba4040 00007ff8`97f5390f : 00000180`00000000 00000229`89847390 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0xdd
00000037`4dba4460 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba4530 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba4710 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba45e0 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba4710 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba4610 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba4a44 00000037`4dba4a18 00000037`4dba4aa0 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba49b0 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba4b40 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba4cd0 00007ff8`97f969bd : 00000229`00000000 00000229`898438a8 00000037`4dba4e00 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba4d00 00007ff8`97f5390f : 00000180`00000000 00000229`898472a0 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba5120 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba51f0 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba53d0 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba52a0 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba53d0 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba52d0 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba5704 00000037`4dba56d8 00000037`4dba5760 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba5670 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba5800 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba5990 00007ff8`97f969bd : 00000229`00000000 00000229`89843770 00000037`4dba5ac0 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba59c0 00007ff8`97f5390f : 00000180`00000000 00000229`898471b0 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba5de0 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba5eb0 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba6090 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba5f60 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba6090 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba5f90 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba63c4 00000037`4dba6398 00000037`4dba6420 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba6330 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba64c0 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba6650 00007ff8`97f969bd : 00000229`00000000 00000229`89843638 00000037`4dba6780 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba6680 00007ff8`97f5390f : 00000180`00000000 00000229`898470c0 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba6aa0 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba6b70 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba6d50 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba6c20 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba6d50 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba6c50 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba7084 00000037`4dba7058 00000037`4dba70e0 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba6ff0 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba7180 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba7310 00007ff8`97f969bd : 00000229`00000000 00000229`89843500 00000037`4dba7440 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba7340 00007ff8`97f5390f : 00000180`00000000 00000229`89846fd0 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba7760 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba7830 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba7a10 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba78e0 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba7a10 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba7910 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba7d44 00000037`4dba7d18 00000037`4dba7da0 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba7cb0 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba7e40 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba7fd0 00007ff8`97f969bd : 00000229`00000000 00000229`898433c8 00000037`4dba8100 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba8000 00007ff8`97f5390f : 00000180`00000000 00000229`89846ee0 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba8420 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba84f0 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba86d0 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba85a0 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba86d0 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba85d0 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba8a04 00000037`4dba89d8 00000037`4dba8a60 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba8970 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba8b00 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba8c90 00007ff8`97f969bd : 00000229`00000000 00000229`89843290 00000037`4dba8dc0 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba8cc0 00007ff8`97f5390f : 00000180`00000000 00000229`89846df0 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba90e0 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba91b0 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dba9390 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba9260 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dba9390 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba9290 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dba96c4 00000037`4dba9698 00000037`4dba9720 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dba9630 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dba97c0 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dba9950 00007ff8`97f969bd : 00000229`00000000 00000229`89843158 00000037`4dba9a80 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba9980 00007ff8`97f5390f : 00000180`00000000 00000229`89846d00 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dba9da0 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dba9e70 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dbaa050 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dba9f20 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dbaa050 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dba9f50 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dbaa384 00000037`4dbaa358 00000037`4dbaa3e0 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dbaa2f0 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480
00000037`4dbaa480 00007ff8`97f2153e : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutBlock+0x2bb
00000037`4dbaa610 00007ff8`97f969bd : 00000229`00000000 00000229`89843020 00000037`4dbaa740 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dbaa640 00007ff8`97f5390f : 00000180`00000000 00000229`89846c10 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutInlineChildren+0x41d
00000037`4dbaaa60 00007ff8`97f532e9 : 00000000`00000000 00007ff8`00000001 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x34f
00000037`4dbaab30 00007ff8`97f2153e : 00000000`00000000 00000000`00000000 00000000`00000000 00000037`4dbaad10 : chrome_child!blink::LayoutBlockFlow::layoutBlock+0xf9
00000037`4dbaabe0 00007ff8`97ed8014 : 00000000`00000000 00000000`00000001 00000037`4dbaad10 00000000`00000000 : chrome_child!blink::LayoutBlock::layout+0xbe
00000037`4dbaac10 00007ff8`97ed4a80 : 00000229`00000000 00000037`4dbab044 00000037`4dbab018 00000037`4dbab0a0 : chrome_child!blink::LayoutFlexibleBox::layoutAndPlaceChildren+0x754
00000037`4dbaafb0 00007ff8`97ed239b : 00000180`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome_child!blink::LayoutFlexibleBox::layoutFlexItems+0x480

Attachment: q.html (290 bytes)
Seems to crash when we set the if statement to i<300 (give or take). But let's say you crash at setting if(i<305), then make it if(i<305) and add random elements instead of a button, and we seem to get a different stack trace.
Status: WontFix (was: Unconfirmed)
Thanks for reporting!
This is just like you're writing an infinite loop, and eventually the tab will crash because of out of memory.
But there is no infinite loop here.

And I'm getting different stack traces: if I stop at, say, i<305, then append a random textarea with a big text, I get a different stack trace signature.

00000074`00743fa0 00007ff8`c2961ea2 : 00000000`00000000 00000074`04b067c0 00000000`00000000 00000074`007442d8 : dwrite!FontFileReference::ReadIntoBuffer+0x68
00000074`00744090 00007ff8`c2961d92 : 00000074`04070000 00000074`04070000 00000000`0000000c 00007ff8`c2961ff1 : dwrite!OpenTypeTableDirectory::GetTableCount+0x32
00000074`00744120 00007ff8`c297e5a4 : 00000074`00744248 00000074`00000000 00000000`00000048 00000074`04b067c0 : dwrite!OpenTypeTableDirectory::OpenTypeTableDirectory+0x72
00000074`00744210 00007ff8`98233464 : 00000000`00000000 00000000`ffffffff 00000000`00000000 00000000`00000000 : dwrite!DWriteFontFace::TryGetFontTable+0x84
00000074`007442a0 00007ff8`977a6caf : 00000074`03eb1f90 00000074`0399fb40 00000000`00000048 00007ff8`98c7caaf : chrome_child!DWriteFontTypeface::onGetTableData+0x74
00000074`00744300 00007ff8`99025061 : 00000000`00000048 00007ff8`98c7ca4b 00000000`00000000 00000000`00000000 : chrome_child!SkTypeface::getTableSize+0x1f
00000074`00744340 00007ff8`99adeefa : 00000000`00000000 00007ff8`99af1ff8 00000074`03cf5c60 00000000`00000000 : chrome_child!blink::harfBuzzSkiaGetTable+0x21
00000074`00744380 00007ff8`99ae6490 : 00000000`00000000 00007ff8`99af1ff8 ffffffff`ffffffff 00000000`00000000 : chrome_child!_hb_ot_layout_create+0x4a
00000074`007443c0 00007ff8`99af2323 : 00000074`03d6b0d0 00000000`00000000 00000074`04b067c0 00000074`03d6b0d0 : chrome_child!hb_ot_shaper_face_data_ensure+0x2c
00000074`007443f0 00007ff8`99af24f3 : 00000074`03d6b0d0 00000074`03cf5c60 00000000`00000000 00000074`00744750 : chrome_child!hb_shape_plan_plan+0x7f
00000074`00744460 00007ff8`99af26e8 : 00000000`00000000 00000074`00744531 00000074`03cf5c60 00000000`00000000 : chrome_child!hb_shape_plan_create+0x127
00000074`007444d0 00007ff8`9a114d6b : 00000074`03a4a7f0 00000074`03a4a860 00000000`00000000 00000000`00000000 : chrome_child!hb_shape_plan_create_cached+0x1c0
00000074`00744590 00007ff8`9a114d2b : 00000074`03a4a7f0 000002d6`efc1c548 00000074`00744760 00000074`00744980 : chrome_child!hb_shape_full+0x3b
00000074`007445d0 00007ff8`99def833 : 00000000`00000000 00000074`03a4a7f0 00000074`00744760 00000074`00744770 : chrome_child!hb_shape+0xf

I had a friend test this on an ASAN build and it looks like there is a memory read:

View attached.

Friend is Ibrahim M Elsayed
Attachment: ASAN-BUILD-LOG.txt (14.3 KB)
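The first stack trace above repeats the same cycle of Blink layout frames (LayoutBlock::layout, LayoutFlexibleBox::layoutBlock, layoutFlexItems, layoutAndPlaceChildren, LayoutBlockFlow::layoutInlineChildren) once per level of nesting, so renderer stack usage grows with element depth and the only lever a site that embeds untrusted markup has is to cap that depth before the markup reaches a browser. The depth meter below is an added example and is not code from the report or from Chromium; the `limit` of 64 is an assumed policy value, and the sample fragments are constructed.

```python
from html.parser import HTMLParser

# Void elements never take children, so they do not add a nesting level.
VOID_ELEMENTS = {
    "area", "base", "br", "col", "embed", "hr", "img", "input",
    "link", "meta", "param", "source", "track", "wbr",
}


class NestingDepthMeter(HTMLParser):
    """Tracks the deepest chain of open elements seen while parsing."""

    def __init__(self):
        super().__init__()
        self.open_tags = []       # stack of currently open element names
        self.max_depth = 0        # deepest point reached so far
        self.deepest_tag = None   # element name at that deepest point

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:
            return
        self.open_tags.append(tag)
        if len(self.open_tags) > self.max_depth:
            self.max_depth = len(self.open_tags)
            self.deepest_tag = tag

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS or tag not in self.open_tags:
            return  # stray end tag with no open element: ignore it, as browsers do
        # Close the nearest matching element and anything still open inside it.
        while self.open_tags.pop() != tag:
            pass


def max_nesting_depth(markup):
    """Return (max_depth, tag_at_max_depth) for an HTML fragment."""
    meter = NestingDepthMeter()
    meter.feed(markup)
    meter.close()
    return meter.max_depth, meter.deepest_tag


def exceeds_depth_limit(markup, limit=64):
    """True when the fragment nests deeper than `limit` (assumed policy value)."""
    depth, _ = max_nesting_depth(markup)
    return depth > limit


# Constructed samples: ordinary shallow markup, and one over-deep chain of the
# kind the report describes (100 nested buttons here instead of ~300).
SHALLOW = "<div><p>hi<br><input type=text></p><ul><li>a</li><li>b</li></ul></div>"
DEEP = "<div>" + "<button>" * 100 + "x" + "</button>" * 100 + "</div>"
```

Run on a submitted fragment before storing or rendering it; rejecting on `exceeds_depth_limit` keeps deep chains out of every client's renderer rather than relying on each browser's own recursion guard.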
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 24 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
