Starred by 7 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
M-9


Playing audio with volume set to undefined crashes browser

Reported by matthew....@gmail.com, Dec 29 2010

Issue description

Chrome Version       : 10.0.612.3 (Official Build 69636) dev
OS Version: Mac OS X 10.6.5 Build 10H574

Other browsers tested:
     Safari 5: OK

What steps will reproduce the problem?
<!DOCTYPE html>
<html>
  <head>
    <title></title>
  </head>
  <body>
    <script>
      var audio = document.createElement('audio');
      document.body.appendChild(audio);
      audio.src = 'test.mp3';
      // Assigning undefined to the volume attribute is what triggers the crash.
      audio.volume = undefined;
      audio.play();
    </script>
  </body>
</html>


What is the expected result?
Audio should play with the volume set at 0.

What happens instead?
Browser crashes.
 

Comment 1 by mega...@gmail.com, Dec 29 2010

I confirm on the same Chrome version for Windows.

Here's my repro steps:

1) Navigate to file:///C:/Windows/Media/ding.wav or some other audio file somewhere.
2) Open dev tools and type document.getElementsByTagName("video")[0].volume = undefined;
3) Expression never finishes evaluating, browser crashes.
Labels: -Area-Undefined Area-Internals OS-Mac

Comment 3 by bugdroid1@chromium.org, Dec 29 2010

Labels: Verifier-Deepakg
Verified label updated by AutoAllocator, contact AmolK or KrisR for details
Labels: -Pri-2 -OS-Mac Pri-1 OS-All Feature-Media Crash Security Restrict-View-SecurityTeam
Status: Untriaged
Status: Assigned
Does not crash on 10.0.626.0 (70339). Venkat, can you try rechecking whether it does reproduce? Can you please put in the stacktrace.
Yeah it seems to be fixed in 10.0.629.0.

[9823:25091:197579388124516:FATAL:/b/build/slave/chrome-official-mac/build/src/chrome/browser/renderer_host/audio_renderer_host.cc(371)] Check failed: volume >= 0 && volume <= 1.0. 
Bus error

This is what I got when running Chrome from the command line. Let me know if you need the Apple crash report or my client_id.
This CHECK will cause a browser crash, which is not exploitable but still bad: it crashes the entire browser. Better to just bail out; can take a closer look tmrw. Also will see who added this check.

If you have a crash id for the previous crash (exploitable one), please do let us know.
Labels: Mstone-8 SecSeverity-Low
Crashes stable as well. Fix upcoming; need to turn the check into a bail out.
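The comments above describe the failure mode precisely: the renderer hands the browser process a volume, the browser-side handler enforces `volume >= 0 && volume <= 1.0` with a CHECK, and a CHECK failure terminates the whole browser. Since `ToNumber(undefined)` is NaN and every comparison against NaN is false, the condition fails and the process aborts. The example below is an added illustration, not Chromium's code, and the names `AudioStream`, `OnSetVolume`, `SetVolumeResult` and the helpers are assumptions. It shows the predicate the CHECK evaluated, why a naive "bail out" written as `if (volume < 0 || volume > 1)` still lets NaN through, and the hardened handler that rejects non-finite and out-of-range input and reports the rejection to its caller instead of crashing.

```cpp
#include <cmath>
#include <cstdio>

// Added example, not Chromium's code: a model of the browser-process handler
// that receives a SetVolume request from the untrusted renderer process.
// AudioStream, OnSetVolume and SetVolumeResult are assumed names.

enum class SetVolumeResult { kApplied, kRejected };

struct AudioStream {
  double volume = 1.0;  // last accepted value (constructed sample state)
};

// The condition from the CHECK in the log line. A CHECK aborts the process
// when its condition is false, so this returns true exactly when the original
// code would have taken the whole browser down. NaN compares false against
// everything, so `undefined` (which converts to NaN) fails the conjunction.
bool CheckWouldFire(double volume) {
  return !(volume >= 0 && volume <= 1.0);
}

// A tempting but incomplete "bail out": both comparisons are false for NaN,
// so NaN slips through and would be stored as the stream volume.
bool NaiveRangeCheckAccepts(double volume) {
  return !(volume < 0.0 || volume > 1.0);
}

// Hardened form: reject non-finite and out-of-range input explicitly, keep the
// previous value, and return an error the caller can act on (drop the message,
// or treat the renderer as misbehaving) instead of aborting the process.
SetVolumeResult OnSetVolume(AudioStream& stream, double volume) {
  if (!std::isfinite(volume) || volume < 0.0 || volume > 1.0) {
    return SetVolumeResult::kRejected;
  }
  stream.volume = volume;
  return SetVolumeResult::kApplied;
}

// Helpers that expose the outcome of one request as a plain return value.
bool RequestAccepted(double requested) {
  AudioStream stream;
  return OnSetVolume(stream, requested) == SetVolumeResult::kApplied;
}

double VolumeAfterRequest(double initial, double requested) {
  AudioStream stream;
  stream.volume = initial;
  OnSetVolume(stream, requested);
  return stream.volume;
}

int main() {
  // Constructed sample inputs: a valid value, NaN (what `undefined` becomes),
  // two out-of-range values and an infinity.
  const double samples[] = {0.5, std::nan(""), -0.1, 1.5, INFINITY};
  for (double v : samples) {
    std::printf("volume=%g check_would_abort=%d naive_accepts=%d hardened=%s stored=%g\n",
                v, CheckWouldFire(v), NaiveRangeCheckAccepts(v),
                RequestAccepted(v) ? "applied" : "rejected",
                VolumeAfterRequest(1.0, v));
  }
  return 0;
}
```

The design point is that a CHECK is a statement about program invariants, not about data received from another process; anything that crosses the renderer/browser boundary is attacker-controlled and must be validated with a recoverable error path, and that path has to treat NaN as its own case because range comparisons alone never catch it.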
Labels: -Restrict-View-SecurityTeam -Mstone-8 Restrict-View-SecurityNotify Mstone-9
Status: WillMerge
Since SecSeverity is low, better to pick up in m9.
Status: FixUnreleased
Merged to m9 as 71083.
Issue 64228 has been merged into this issue.
Labels: -Crash bulkmove Stability-Crash
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed

Comment 18 Deleted


Comment 19 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Feature-Media -Mstone-9 -SecSeverity-Low -Type-Security -SecImpacts-Stable Security-Severity-Low Cr-Internals-Media M-9 Security-Impact-Stable Cr-Internals Type-Bug-Security

Comment 21 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
