Starred by 5 users
Status: Fixed
Owner:
Closed: Jan 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
svg
M-8

CSSCursorImageValue not clearing SVGElement back pointer
Reported by jan.toso...@gmail.com, Dec 13 2010
Chrome Version       : 8.0.552.224
URLs (if applicable) : https://bug330638.bugzilla.mozilla.org/attachment.cgi?id=497286
Other browsers tested: FF4.0b7
Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: -
  Firefox 3.x: Ok
       IE 7/8: N/A

What steps will reproduce the problem?
1. Open URL
2. Press the mouse button on green wheel
3. Move the mouse (rotate the wheel)
4. Release the mouse button
5. Press the mouse button again

What is the expected result?
- rotating the wheel again

What happens instead?
- crash

Please provide any additional information below. Attach a screenshot if
possible.
- it seems to be a regression, as I encounter this problem after updating from the previous version (8.0.552.215).
 
It is probably connected with the 'cursor' attribute. When the mouse pointer is changed via CSS (style="cursor: url('#hand...."), no crash is detected.
Labels: -Area-Undefined Area-WebKit Crash FeedbackRequested
Can you get a crash report id?
http://dev.chromium.org/for-testers/bug-reporting-guidelines/reporting-crash-bug
Sorry for that misleading title, actually it is not 'crash' of the app, but just failure of rendering the content. I see the 'Aw, Snap!' page with black background with the smiley icon and the link to this page: http://www.google.com/support/chrome/bin/answer.py?answer=95669 

Oops, I forgot to mention my environment: Win7/64bit
Labels: -FeedbackRequested OS-All SVG Crash-Reproducible
Status: Untriaged
http://crash/reportdetail?reportid=5177d9a97c7fa148

Thread 0 *CRASHED* ( SIGSEGV @ 0x00000000 )
0x01b8a9d9 	[chrome 	- third_party/WebKit/JavaScriptCore/wtf/HashTable.h:280] 	WTF::HashTable<WebCore::SVGElement*,WebCore::SVGElement*,WTF::IdentityExtractor<WebCore::SVGElement*>,WTF::PtrHash<WebCore::SVGElement*>,WTF::HashTraits<WebCore::SVGElement*>,WTF::HashTraits<WebCore::SVGElement*> >::find<WebCore::SVGElement*, WTF::IdentityHashTranslator<WebCore::SVGElement*, WebCore::SVGElement*, WTF::PtrHash<WebCore::SVGElement*> > >
0x01b8aa8e 	[chrome 	- third_party/WebKit/JavaScriptCore/wtf/HashTable.h:326] 	WebCore::CSSCursorImageValue::removeReferencedElement
0x01c4cad6 	[chrome 	- third_party/WebKit/WebCore/svg/SVGElement.cpp:220] 	WebCore::SVGElement::setCursorImageValue
0x01b8ba5d 	[chrome 	- third_party/WebKit/WebCore/css/CSSCursorImageValue.cpp:105] 	WebCore::CSSCursorImageValue::updateIfSVGCursorIsUsed
0x0183ebd6 	[chrome 	- third_party/WebKit/WebCore/css/CSSStyleSelector.cpp:3487] 	WebCore::CSSStyleSelector::applyProperty
0x0184448f 	[chrome 	- third_party/WebKit/WebCore/css/CSSStyleSelector.cpp:2902] 	WebCore::CSSStyleSelector::applyDeclarations<false>
0x01846753 	[chrome 	- third_party/WebKit/WebCore/css/CSSStyleSelector.cpp:1299] 	WebCore::CSSStyleSelector::styleForElement
0x0188a805 	[chrome 	- third_party/WebKit/WebCore/dom/Element.cpp:973] 	WebCore::Element::recalcStyle
0x0188aabe 	[chrome 	- third_party/WebKit/WebCore/dom/Element.cpp:1041] 	WebCore::Element::recalcStyle
0x0188aabe 	[chrome 	- third_party/WebKit/WebCore/dom/Element.cpp:1041] 	WebCore::Element::recalcStyle
0x01872f76 	[chrome 	- third_party/WebKit/WebCore/dom/Document.cpp:1574] 	WebCore::Document::recalcStyle
0x018678a1 	[chrome 	- third_party/WebKit/WebCore/dom/Document.cpp:1616] 	WebCore::Document::updateStyleIfNeeded
0x018966eb 	[chrome 	- third_party/WebKit/WebCore/dom/MouseRelatedEvent.cpp:152] 	WebCore::MouseRelatedEvent::receivedTarget
0x01b9ce3c 	[chrome 	- third_party/WebKit/WebCore/dom/EventContext.cpp:46] 	WebCore::EventContext::handleLocalEvents
0x018a1504 	[chrome 	- third_party/WebKit/WebCore/dom/Node.cpp:2619] 	WebCore::Node::dispatchGenericEvent
0x018a15dc 	[chrome 	- third_party/WebKit/WebCore/dom/Node.cpp:2561] 	WebCore::Node::dispatchEvent
0x018a0582 	[chrome 	- third_party/WebKit/WebCore/dom/Node.cpp:2815] 	WebCore::Node::dispatchMouseEvent
0x018a1857 	[chrome 	- third_party/WebKit/WebCore/dom/Node.cpp:2724] 	WebCore::Node::dispatchMouseEvent
0x01a1c258 	[chrome 	- third_party/WebKit/WebCore/page/EventHandler.cpp:1841] 	WebCore::EventHandler::dispatchMouseEvent
0x01a2401a 	[chrome 	- third_party/WebKit/WebCore/page/EventHandler.cpp:1569] 	WebCore::EventHandler::handleMouseReleaseEvent
0x01426e8c 	[chrome 	- third_party/WebKit/WebKit/chromium/src/WebViewImpl.cpp:542] 	WebKit::WebViewImpl::mouseUp
0x0142a7e4 	[chrome 	- third_party/WebKit/WebKit/chromium/src/WebViewImpl.cpp:1149] 	WebKit::WebViewImpl::handleInputEvent
0x00aba53c 	[chrome 	- chrome/renderer/render_widget.cc:334] 	RenderWidget::OnHandleInputEvent
0x00abb2e6 	[chrome 	- ./ipc/ipc_message.h:148] 	RenderWidget::OnMessageReceived
0x00aa730e 	[chrome 	- chrome/renderer/render_view.cc:1045] 	RenderView::OnMessageReceived
0x01d9e855 	[chrome 	- chrome/common/message_router.cc:46] 	MessageRouter::RouteMessage
0x00b8eda0 	[chrome 	- base/message_loop.cc:418] 	MessageLoop::RunTask
Labels: -Pri-2 Pri-1 Security Restrict-View-SecurityTeam
After loading the page, double clicking on the svg image crashes the renderer on windows.

This is with Google Chrome 10.0.612.1 (Official Build 69289)

Full report @ http://crash/reportdetail?reportid=577077dcdbca0215
Comment 7 by jsc...@chromium.org, Dec 17 2010
This is a lot like issue 64959, but the crash occurs with the fix applied. I'll take a look at it since I've been poking around in that code recently.
Comment 8 by jsc...@chromium.org, Dec 17 2010
Labels: SecSeverity-High
Okay, definite stale pointer. I either uncovered a bug or added a new one when I fixed bug 64959.
Comment 9 by jsc...@chromium.org, Dec 18 2010
Status: Started
Okay, I'm an idiot. This is due to a typo in my fix for bug 64959. I'll get a patch upstream this weekend. For anyone who wants a laugh, this is the fix (and the kicker is that I added both those methods):

Index: css/CSSCursorImageValue.cpp
===================================================================
--- css/CSSCursorImageValue.cpp (revision 74255)
+++ css/CSSCursorImageValue.cpp (working copy)
@@ -71,7 +71,7 @@

     for (; it != end; ++it) {
         SVGElement* referencedElement = *it;
-        referencedElement->cursorElementRemoved();
+        referencedElement->cursorImageElementRemoved();
         if (SVGCursorElement* cursorElement = resourceReferencedByCursorElement(url, referencedElement->document()))
             cursorElement->removeClient(referencedElement);
     }
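Review bot: the correction hinges on a one-word difference between two SVGElement hooks, `cursorElementRemoved()` and `cursorImageElementRemoved()`, and nothing in the loop states which back pointer it is meant to clear, which is how the wrong call got through review the first time. A short comment on the loop saying that each referenced element must drop its pointer to this CSSCursorImageValue before the value goes away, plus a layout test that forces a style recalc on an element after its cursor value has been destroyed (the mouse-up path in the crash trace above), would make a regression of this kind fail loudly instead of surfacing as a stale-pointer crash in HashTable::find.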

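As an added illustration (not WebKit's code and not part of this issue's patch), here is a reduced C++ model of the two-way registration between an SVGElement and a CSSCursorImageValue that Comment 9 describes. The class names SvgElement and CursorImageValue, the Cleanup switch and the helper functions are assumptions made for the example; the method names mirror those in the patch and the stack trace. The buggy path clears the wrong back pointer on teardown, leaving the element pointing at a destroyed value; the fixed path clears the right one, so a later setCursorImageValue() never touches freed memory.

```cpp
// Added example: a reduced model of the SVGElement <-> CSSCursorImageValue
// bookkeeping from this issue. Not WebKit code; names are assumptions chosen
// to mirror the patch and the stack trace.
#include <set>

class CursorImageValue;
class SvgCursorElement;  // placeholder for WebCore::SVGCursorElement

// Stands in for WebCore::SVGElement. It keeps two distinct back pointers,
// cleared by two similarly named methods; that is what made the typo easy to miss.
class SvgElement {
public:
    // Called by the cursor image value on teardown: the correct hook for this bug.
    void cursorImageElementRemoved() { m_cursorImageValue = nullptr; }
    // Unrelated hook: clears the pointer to the <cursor> element instead.
    void cursorElementRemoved() { m_cursorElement = nullptr; }

    void setCursorImageValue(CursorImageValue* value);  // defined below
    CursorImageValue* cursorImageValue() const { return m_cursorImageValue; }

private:
    CursorImageValue* m_cursorImageValue = nullptr;
    SvgCursorElement* m_cursorElement = nullptr;
};

// Stands in for WebCore::CSSCursorImageValue.
class CursorImageValue {
public:
    enum class Cleanup { Buggy, Fixed };
    explicit CursorImageValue(Cleanup mode) : m_mode(mode) {}

    // Mirrors the loop in the patch: on destruction every referenced element
    // must forget this value, otherwise it is left holding a dangling pointer.
    ~CursorImageValue() {
        for (SvgElement* element : m_referencedElements) {
            if (m_mode == Cleanup::Buggy)
                element->cursorElementRemoved();       // wrong pointer cleared
            else
                element->cursorImageElementRemoved();  // back pointer cleared
        }
    }

    void addReferencedElement(SvgElement* element) { m_referencedElements.insert(element); }
    void removeReferencedElement(SvgElement* element) { m_referencedElements.erase(element); }
    bool references(const SvgElement* element) const {
        return m_referencedElements.count(const_cast<SvgElement*>(element)) != 0;
    }

private:
    Cleanup m_mode;
    std::set<SvgElement*> m_referencedElements;
};

// Mirrors SVGElement::setCursorImageValue in the crash trace: swapping in a new
// value first unregisters from the old one. If the old value was destroyed
// without clearing the back pointer, this is the stale dereference that ends
// in HashTable::find.
void SvgElement::setCursorImageValue(CursorImageValue* value) {
    if (m_cursorImageValue)
        m_cursorImageValue->removeReferencedElement(this);
    m_cursorImageValue = value;
    if (m_cursorImageValue)
        m_cursorImageValue->addReferencedElement(this);
}

// Registers an element with a value, destroys the value, and reports whether
// the element was left with a dangling pointer. The freed value is never
// dereferenced here; only the pointer itself is inspected.
bool teardownLeavesDanglingPointer(CursorImageValue::Cleanup mode) {
    SvgElement element;
    {
        CursorImageValue value(mode);
        element.setCursorImageValue(&value);
    }  // value destroyed here, as when a style recalc drops the old cursor
    return element.cursorImageValue() != nullptr;
}

// With the fixed cleanup, a later restyle that assigns a fresh value is safe:
// no freed memory is touched and the new value ends up referencing the element.
bool restyleAfterFixedTeardownIsSafe() {
    SvgElement element;
    {
        CursorImageValue oldValue(CursorImageValue::Cleanup::Fixed);
        element.setCursorImageValue(&oldValue);
    }
    CursorImageValue newValue(CursorImageValue::Cleanup::Fixed);
    element.setCursorImageValue(&newValue);
    return element.cursorImageValue() == &newValue && newValue.references(&element);
}
```

The model keeps the buggy path observable without actually executing a use-after-free: the test checks the pointer value, not the memory it points at, which is the same property a debug assertion in the real code could enforce before any dereference.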
Issue 67377 has been merged into this issue.
Summary: CSSCursorImageValue not clearing SVGElement back pointer (was: NULL)
Reported upstream and patch up for review: https://bugs.webkit.org/show_bug.cgi?id=51417
Status: WillMerge
Patch landed upstream: http://trac.webkit.org/changeset/74574

Definitely want to merge this for the next stable update.
Labels: reward-topanel
merged to m8 in r75008, needs merging to m9.
Labels: -reward-topanel reward-500 reward-unpaid
@j.tosovsky@tiscali.cz: congratulations! This bug turned out to be a security issue, and as such it has provisionally qualified for a $500 Chromium Security Reward.
---
NOTE: normally we do not reward security bugs unless initially filed with the
security template. Sometimes we make an exception for the first time an individual
files a security bug as a non-security issue.
For full guidelines on filing security bugs, see:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs
---
----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
@j.tosovsky@tiscali.cz: if you like, we can credit you under a real / full name in our release notes and Hall of Fame.
Why not, my 5 minutes of fame :-)
Jan Tošovský (or Jan Tosovsky when a limited charset will be used)
Btw, thanks for that security reward! And that quick fix, of course.
Status: FixUnreleased
merged to m9 in r75426.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-8
@j.tosovsky@tiscali.cz: autoupdating to users already with http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html (8.0.552.237)

Thanks again! Now we pay you :D Please e-mail cevans@chromium.org to start that process.
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system.
Labels: -Crash bulkmove Stability-Crash
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 27 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 28 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -SecSeverity-High -Mstone-8 -Type-Security -SecImpacts-Stable Cr-Content M-8 Security-Impact-Stable Type-Bug-Security Security-Severity-High
Project Member Comment 29 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 31 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 32 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 33 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 34 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic