
Issue 724866


Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




SVG loaded as img crashes via link rel=next and prerender

Reported by thisisfo...@gmail.com, May 21 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. Load the following HTML file. Please note that prerender is included, but inside a comment.
The reason is that "next" as well as "prerender" crash the Chrome renderer. Additionally, the payload uses data: so I don't need to provide a link to an external file,
but the PoC also works with a standard http/https URL.

Tested and verified via: 
Version 60.0.3104.0 (Official Build) canary (64-bit) on Windows 7

<img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzdmcgaWQ9Im15c3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgd2lkdGg9IjEyMCIgaGVpZ2h0PSIyNDAiIHZlcnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPGZvcmVpZ25PYmplY3Qgd2lkdGg9IjU2MCIgaGVpZ2h0PSIzNDkiPgo8aGVhZCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+CjxsaW5rIHJlbD0ibmV4dCIgaHJlZj0id2hhdGV2ZXIiIC8+CjwhLS0KPGxpbmsgcmVsPSJwcmVyZW5kZXIiIGhyZWY9IndoYXRldmVyIiAvPgotLT4KPC9oZWFkPgo8L2ZvcmVpZ25PYmplY3Q+Cjwvc3ZnPg==">

Decoded Payload:
<?xml version="1.0"?>
<svg id="mysvg" xmlns:xlink="http://www.w3.org/1999/xlink" width="120" height="240" version="1.1" xmlns="http://www.w3.org/2000/svg">
<foreignObject width="560" height="349">
<head xmlns="http://www.w3.org/1999/xhtml">
<link rel="next" href="whatever" />
<!-- 
<link rel="prerender" href="whatever" />
-->
</head>
</foreignObject>
</svg>

This HTML file triggers a near-null pointer exception in the Chrome renderer process.

What is the expected behavior?
The SVG should be rendered inside the img tag without any requests nor crashes. 

What went wrong?
The renderer seems to have a problem with SVG + XHTML rendered via an img tag. It must be noted that the standalone SVG file does not lead to a crash; it only crashes when loaded in an image context.

Crash report IDs: a71f42b2-408c-4adc-b40a-8d40cdca81ad and f420d41d-1575-44c4-9998-19c485b9b7e8

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 58.0.3029.110  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

If any additional information is necessary, I am happy to provide it. It must be noted that I basically tried all available tags which could trigger a request (based on the project HTTP Leaks).

best regards,
insertscript
 
Components: Blink>SVG Blink
Labels: Needs-Triage-M58

Comment 2 by hdodda@chromium.org, May 22 2017

Cc: hdodda@chromium.org
Labels: Needs-Feedback
Tested the issue on Windows 7 using Chrome M58 #58.0.3029.110 and followed the steps below:

1. Pasted the given HTML code in a file and opened it in Chrome; Chrome resulted in "Aw, Snap!".

2. Removed the comments in the given code and ran it in Chrome; it still resulted in "Aw, Snap!".

Firefox browser behavior is also attached in screencast.

@thisisformyblog222 -- Could you please provide us with a screencast of the expected result, confirm whether this had worked earlier, and confirm whether we missed any steps in reproducing the issue.

Thanks!
Attachment: 724866.mp4 (5.2 MB)

Ah sorry, I should have explained it better.
Just check the two attached HTML files. In Firefox you will see a circle, but Chrome will crash.
Attachments: crash1.html (504 bytes), crash2.html (500 bytes)

Comment 4 by sheriffbot@chromium.org, May 22 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "hdodda@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -Blink
Labels: -Needs-Triage-M58 BugSource-User PaintTeamTriaged-20170522
Owner: schenney@chromium.org
Status: Assigned (was: Unconfirmed)
I'll get the stack and re-assign.
Cc: schenney@chromium.org
Components: -Blink>SVG Internals>Preload
Labels: -Pri-2 Pri-1
Owner: ----
Status: Untriaged (was: Assigned)
The crash is in the preload code due to missing extra data. Changing bug component and marking Untriaged.

out/DebugGN/chrome ~/Downloads/crash2.html
[16593:16593:0531/135806.796131:INFO:easy_unlock_service_regular.cc(446)] Initializing EasyUnlockService inside the user session.
[16593:16593:0531/135807.666942:INFO:CONSOLE(93)] "Set up extension URL router.", source: chrome-extension://oemmndcbldboiebfnladdacbdfmadadm/extension-router.js (93)
[1:1:0531/135813.675708:FATAL:prerender_extra_data.cc(26)] Check failed: prerender.GetExtraData(). 
#0 0x7f68ef21dc1b base::debug::StackTrace::StackTrace()
#1 0x7f68ef21c91c base::debug::StackTrace::StackTrace()
#2 0x7f68ef2904c3 logging::LogMessage::~LogMessage()
#3 0x564cd200bab9 prerender::PrerenderExtraData::FromPrerender()
#4 0x564cd2007b10 prerender::PrerenderDispatcher::Add()
#5 0x7f68db78fbc5 blink::Prerender::Add()
#6 0x7f68de0e2393 blink::PrerenderHandle::Create()
#7 0x7f68de09766d blink::LinkLoader::LoadLink()
#8 0x7f68dd9c0163 blink::HTMLLinkElement::LoadLink()
#9 0x7f68dda47a83 blink::LinkStyle::Process()
#10 0x7f68dd9bff01 blink::HTMLLinkElement::Process()
#11 0x7f68dd9c08a8 blink::HTMLLinkElement::InsertedInto()
#12 0x7f68dd3d4b9a blink::ContainerNode::NotifyNodeInsertedInternal()
#13 0x7f68dd3d3485 blink::ContainerNode::NotifyNodeInserted()
#14 0x7f68dd3d14c2 blink::ContainerNode::ParserAppendChild()
#15 0x7f68de45e535 blink::XMLDocumentParser::StartElementNs()
#16 0x7f68de4603c6 blink::StartElementNsHandler()
#17 0x7f68ded083fa xmlParseStartTag2
#18 0x7f68ded0c9f6 xmlParseTryOrFinish
#19 0x7f68ded0bacf xmlParseChunk
#20 0x7f68de45e0d5 blink::ParseChunk()
#21 0x7f68de45b473 blink::XMLDocumentParser::DoWrite()
#22 0x7f68de45b161 blink::XMLDocumentParser::Append()
#23 0x7f68dd404766 blink::DecodedDataDocumentParser::UpdateDocument()
#24 0x7f68dd4046cb blink::DecodedDataDocumentParser::AppendBytes()
#25 0x7f68de0797b7 blink::DocumentWriter::AddData()
#26 0x7f68de062690 blink::DocumentLoader::CommitData()
#27 0x7f68de064ae2 blink::DocumentLoader::ProcessData()
#28 0x7f68de064984 blink::DocumentLoader::DataReceived()
#29 0x7f68dbe10f24 blink::RawResource::DidAddClient()
#30 0x7f68dbe1af9b blink::Resource::AddClient()
#31 0x7f68de0655c6 blink::DocumentLoader::StartLoadingMainResource()
#32 0x7f68de0885f8 blink::FrameLoader::StartLoad()
#33 0x7f68de087777 blink::FrameLoader::Load()
#34 0x7f68de3a6649 blink::SVGImage::DataChanged()
#35 0x7f68db995344 blink::Image::SetData()
#36 0x7f68de0f1109 blink::ImageResourceContent::UpdateImage()
#37 0x7f68de0ea3fb blink::ImageResource::UpdateImage()
#38 0x7f68de0eb031 blink::ImageResource::Finish()
#39 0x7f68dbe3053c blink::Resource::Finish()
#40 0x7f68dbe26347 blink::ResourceFetcher::ResourceForStaticData()
#41 0x7f68dbe29087 blink::ResourceFetcher::RequestResource()
#42 0x7f68de0e970d blink::ImageResource::Fetch()
#43 0x7f68de0eed1d blink::ImageResourceContent::Fetch()
#44 0x7f68de08fe01 blink::ImageLoader::DoUpdateFromElement()
#45 0x7f68de092c7f blink::ImageLoader::Task::Run()
#46 0x7f68de093927 _ZN4base8internal13FunctorTraitsIMN5blink11ImageLoader4TaskEFvvEvE6InvokeISt10unique_ptrIS4_St14default_deleteIS4_EEJEEEvS6_OT_DpOT0_
#47 0x7f68de093831 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN5blink11ImageLoader4TaskEFvvEJSt10unique_ptrIS6_St14default_deleteIS6_EEEEEvOT_DpOT0_
#48 0x7f68de0937c7 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink11ImageLoader4TaskEFvvEJN3WTF13PassedWrapperISt10unique_ptrIS5_St14default_deleteIS5_EEEEEEEFvvEE7RunImplIRKS7_RKSt5tupleIJSE_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#49 0x7f68de09370c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink11ImageLoader4TaskEFvvEJN3WTF13PassedWrapperISt10unique_ptrIS5_St14default_deleteIS5_EEEEEEEFvvEE3RunEPNS0_13BindStateBaseE
#50 0x7f68db79e1fd _ZNKR4base8CallbackIFvvELNS_8internal8CopyModeE1ELNS2_10RepeatModeE1EE3RunEv
#51 0x7f68db79e5b9 WTF::Function<>::operator()()
#52 0x7f68db7fee85 blink::MicrotaskFunctionCallback()
#53 0x7f68dfffadd8 v8::internal::Isolate::RunMicrotasksInternal()
#54 0x7f68dfff94a9 v8::internal::Isolate::RunMicrotasks()
#55 0x7f68db7fedec blink::Microtask::PerformCheckpoint()
#56 0x7f68dd4236b6 blink::Document::FinishedParsing()
#57 0x7f68ddafd003 blink::HTMLConstructionSite::FinishedParsing()
#58 0x7f68ddb71027 blink::HTMLTreeBuilder::Finished()
#59 0x7f68ddb0d5c6 blink::HTMLDocumentParser::end()
#60 0x7f68ddb0713f blink::HTMLDocumentParser::AttemptToRunDeferredScriptsAndEnd()
#61 0x7f68ddb06e5d blink::HTMLDocumentParser::PrepareToStopParsing()

Received signal 6
#0 0x7f68ef21dc1b base::debug::StackTrace::StackTrace()
#1 0x7f68ef21c91c base::debug::StackTrace::StackTrace()
#2 0x7f68ef21d72f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f68ef761330 <unknown>
#4 0x7f68d5759c37 gsignal
#5 0x7f68d575d028 abort
#6 0x7f68ef21a916 base::debug::(anonymous namespace)::DebugBreak()
#7 0x7f68ef21a8f8 base::debug::BreakDebugger()
#8 0x7f68ef290944 logging::LogMessage::~LogMessage()
#9 0x564cd200bab9 prerender::PrerenderExtraData::FromPrerender()
#10 0x564cd2007b10 prerender::PrerenderDispatcher::Add()
#11 0x7f68db78fbc5 blink::Prerender::Add()
#12 0x7f68de0e2393 blink::PrerenderHandle::Create()
#13 0x7f68de09766d blink::LinkLoader::LoadLink()
#14 0x7f68dd9c0163 blink::HTMLLinkElement::LoadLink()
#15 0x7f68dda47a83 blink::LinkStyle::Process()
#16 0x7f68dd9bff01 blink::HTMLLinkElement::Process()
#17 0x7f68dd9c08a8 blink::HTMLLinkElement::InsertedInto()
#18 0x7f68dd3d4b9a blink::ContainerNode::NotifyNodeInsertedInternal()
#19 0x7f68dd3d3485 blink::ContainerNode::NotifyNodeInserted()
#20 0x7f68dd3d14c2 blink::ContainerNode::ParserAppendChild()
#21 0x7f68de45e535 blink::XMLDocumentParser::StartElementNs()
#22 0x7f68de4603c6 blink::StartElementNsHandler()
#23 0x7f68ded083fa xmlParseStartTag2
#24 0x7f68ded0c9f6 xmlParseTryOrFinish
#25 0x7f68ded0bacf xmlParseChunk
#26 0x7f68de45e0d5 blink::ParseChunk()
#27 0x7f68de45b473 blink::XMLDocumentParser::DoWrite()
#28 0x7f68de45b161 blink::XMLDocumentParser::Append()
#29 0x7f68dd404766 blink::DecodedDataDocumentParser::UpdateDocument()
#30 0x7f68dd4046cb blink::DecodedDataDocumentParser::AppendBytes()
#31 0x7f68de0797b7 blink::DocumentWriter::AddData()
#32 0x7f68de062690 blink::DocumentLoader::CommitData()
#33 0x7f68de064ae2 blink::DocumentLoader::ProcessData()
#34 0x7f68de064984 blink::DocumentLoader::DataReceived()
#35 0x7f68dbe10f24 blink::RawResource::DidAddClient()
#36 0x7f68dbe1af9b blink::Resource::AddClient()
#37 0x7f68de0655c6 blink::DocumentLoader::StartLoadingMainResource()
#38 0x7f68de0885f8 blink::FrameLoader::StartLoad()
#39 0x7f68de087777 blink::FrameLoader::Load()
#40 0x7f68de3a6649 blink::SVGImage::DataChanged()
#41 0x7f68db995344 blink::Image::SetData()
#42 0x7f68de0f1109 blink::ImageResourceContent::UpdateImage()
#43 0x7f68de0ea3fb blink::ImageResource::UpdateImage()
#44 0x7f68de0eb031 blink::ImageResource::Finish()
#45 0x7f68dbe3053c blink::Resource::Finish()
#46 0x7f68dbe26347 blink::ResourceFetcher::ResourceForStaticData()
#47 0x7f68dbe29087 blink::ResourceFetcher::RequestResource()
#48 0x7f68de0e970d blink::ImageResource::Fetch()
#49 0x7f68de0eed1d blink::ImageResourceContent::Fetch()
#50 0x7f68de08fe01 blink::ImageLoader::DoUpdateFromElement()
#51 0x7f68de092c7f blink::ImageLoader::Task::Run()
#52 0x7f68de093927 _ZN4base8internal13FunctorTraitsIMN5blink11ImageLoader4TaskEFvvEvE6InvokeISt10unique_ptrIS4_St14default_deleteIS4_EEJEEEvS6_OT_DpOT0_
#53 0x7f68de093831 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN5blink11ImageLoader4TaskEFvvEJSt10unique_ptrIS6_St14default_deleteIS6_EEEEEvOT_DpOT0_
#54 0x7f68de0937c7 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink11ImageLoader4TaskEFvvEJN3WTF13PassedWrapperISt10unique_ptrIS5_St14default_deleteIS5_EEEEEEEFvvEE7RunImplIRKS7_RKSt5tupleIJSE_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#55 0x7f68de09370c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink11ImageLoader4TaskEFvvEJN3WTF13PassedWrapperISt10unique_ptrIS5_St14default_deleteIS5_EEEEEEEFvvEE3RunEPNS0_13BindStateBaseE
#56 0x7f68db79e1fd _ZNKR4base8CallbackIFvvELNS_8internal8CopyModeE1ELNS2_10RepeatModeE1EE3RunEv
#57 0x7f68db79e5b9 WTF::Function<>::operator()()
#58 0x7f68db7fee85 blink::MicrotaskFunctionCallback()
#59 0x7f68dfffadd8 v8::internal::Isolate::RunMicrotasksInternal()
#60 0x7f68dfff94a9 v8::internal::Isolate::RunMicrotasks()
#61 0x7f68db7fedec blink::Microtask::PerformCheckpoint()
  r8: fffffffffffffed8  r9: fffffffffffffec8 r10: 0000000000000008 r11: 0000000000000202
 r12: 00003885dcb16020 r13: 0000000000000017 r14: 0000000000000000 r15: 0000000000000000
  di: 0000000000000001  si: 0000000000000001  bp: 00007ffc94f74470  bx: 00007ffc94f75548
  dx: 0000000000000006  ax: 0000000000000000  cx: 00007f68d5759c37  sp: 00007ffc94f74338
  ip: 00007f68d5759c37 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
