Issue 661867

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows, Mac
Pri: 1
Type: Bug

Regression: heap-buffer-overflow in url::Parsed::Parsed

Reported by chromium...@gmail.com, Nov 3 2016

Issue description

VERSION
Chrome Version: 56.0.2907.0 canary (64-bit)
Operating System: Windows 7 

REPRODUCTION CASE
1. Navigate to chrome://md-settings
2. Scroll down to "On startup" and select "Open a Specific page or set of pages"
3. Add two new site URLs then try to edit the second added site URL 
4. Open chrome://md-settings on a new tab and Scroll down to "On startup" 
5. Try to remove the second added site URL, then switch to the first tab (chrome://md-settings) and click on edit.

Note: I don't know why I cannot get the ASan trace symbolized on Windows.
Attachments: ASan-output.txt (7.8 KB), Recording.mp4 (1.1 MB)
Cc: dbeam@chromium.org
Components: UI>Settings
Labels: Security_Severity-Medium Security_Impact-Head OS-Mac OS-Windows Pri-1
Owner: dpa...@chromium.org
Status: Assigned (was: Unconfirmed)
dpapad -- Can you take a look at this, and reassign if appropriate?  It causes a browser crash.

I repro'd this on Mac, on both canary (.8) and stable (54.0.2840.71).
Stable crash: https://crash.corp.google.com/browse?stbtiq=f08d3b7900000000

I'm assuming this is not a problem with url::Parsed, but instead with settings::StartupPagesHandler::HandleEditStartupPage(), since it may be accessing a URL that no longer exists.
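
The failure suspected in the comment above is a handler acting on an entry index after another tab has already removed that entry, which is exactly the kind of stale-index access a bounds check in the handler prevents. The following is an added example for this page, not Chromium's code: `StartupPagesModel`, its methods, and the URLs are constructed for illustration, and it assumes the page passes the entry index to the handler as an integer.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Added example, not Chromium code: a minimal model of the startup-pages list
// and the index validation a WebUI message handler needs before touching an
// entry that the page may already have removed.
class StartupPagesModel {
 public:
  void Add(const std::string& url) { urls_.push_back(url); }

  // Remove succeeds only for an index that currently exists.
  bool Remove(int index) {
    if (!IsValidIndex(index)) return false;
    urls_.erase(urls_.begin() + index);
    return true;
  }

  // Edit validates the index first: a stale index (captured by one tab before
  // another tab removed the entry) is rejected instead of being used to read
  // or write past the end of the vector.
  bool Edit(int index, const std::string& new_url) {
    if (!IsValidIndex(index)) return false;
    urls_[static_cast<size_t>(index)] = new_url;
    return true;
  }

  std::optional<std::string> Get(int index) const {
    if (!IsValidIndex(index)) return std::nullopt;
    return urls_[static_cast<size_t>(index)];
  }

  size_t Size() const { return urls_.size(); }

 private:
  // The index arrives from the page as an untrusted integer (assumption), so
  // reject negatives and anything at or past the end of the list.
  bool IsValidIndex(int index) const {
    return index >= 0 && static_cast<size_t>(index) < urls_.size();
  }

  std::vector<std::string> urls_;
};

// Replays the sequence from the report with constructed URLs: two pages are
// added, a second settings tab removes the second entry, then the first tab
// (still holding index 1) asks to edit it. Returns true if the stale edit was
// rejected and the remaining entry is intact.
bool StaleEditIsRejected() {
  StartupPagesModel model;
  model.Add("https://example.com/first");   // constructed sample URL
  model.Add("https://example.com/second");  // constructed sample URL

  const int stale_index = 1;                // index held by the first tab
  if (!model.Remove(1)) return false;       // second tab removes entry 1

  bool edited = model.Edit(stale_index, "https://example.com/edited");
  return !edited && model.Size() == 1 &&
         model.Get(0).value_or("") == "https://example.com/first";
}

int main() {
  return StaleEditIsRejected() ? 0 : 1;
}
```

The model rejects the edit and returns the list unchanged; a handler built this way reports failure to the page rather than dereferencing an entry that is gone.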

Labels: Proj-MaterialDesign-WebUI
Does it also happen on the old Options page (I think you can still get to it on canary at chrome://settings-frame)?
No, I don't see any crash on the old options page (chrome://settings).

Comment 4 by sheriffbot@chromium.org, Nov 4 2016

Labels: M-56

Comment 5 by sheriffbot@chromium.org, Nov 4 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started (was: Assigned)
Given that MD Settings has not shipped (not even to Dev), should this be a RB for beta?
FYI, candidate fix is at https://codereview.chromium.org/2477693005.
Status: Fixed (was: Started)

Comment 11 by sheriffbot@chromium.org, Nov 8 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -Type-Bug-Security -ReleaseBlock-Beta -reward-topanel Type-Bug
Changing to type Bug as the panel didn't think this was exploitable.

Comment 14 by sheriffbot@chromium.org, Feb 14 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
