Iframe print UaF
Reported by wadih.ma...@gmail.com, May 26 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. open http://localhost/poc.html
2. crash

What is the expected behavior?
Print should occur normally

What went wrong?
The iframe that triggered the print is removed during the print: PrintWebViewHelper::PrintPageInternal works on a freed frame => UaF (see stacktrace.txt)

Did this work before? N/A

Chrome version: 58.0.3029.110 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
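As an added illustration of the bug class the report describes (this is not code from the report, the stack trace, or Chromium): a print loop that holds a raw frame pointer across a callback able to remove the frame would keep working on freed memory, which is the use-after-free named above. The guarded loop below holds only a weak reference and re-validates the frame's lifetime before every page, stopping cleanly when the frame is gone. Frame, Document, PrintPages, RunScenario and the between-pages hook are all constructed for this example; real Chromium frames are not shared_ptr-managed and the actual fix is not reproduced here.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a document frame (constructed for this example).
struct Frame {
    std::string name;
    int page_count;
    Frame(std::string n, int pages) : name(std::move(n)), page_count(pages) {}
};

// Owner of the frames. In a browser, script running while a print is in
// progress can remove the iframe that started it; RemoveFrame plays that role.
struct Document {
    std::vector<std::shared_ptr<Frame>> frames;

    std::shared_ptr<Frame> AddFrame(const std::string& name, int pages) {
        frames.push_back(std::make_shared<Frame>(name, pages));
        return frames.back();
    }
    void RemoveFrame(const std::string& name) {
        frames.erase(std::remove_if(frames.begin(), frames.end(),
                                    [&](const std::shared_ptr<Frame>& f) {
                                        return f->name == name;
                                    }),
                     frames.end());
    }
};

struct PrintResult {
    int pages_rendered;
    bool aborted;  // true if the frame disappeared mid-print
};

// Hook run between pages; stands in for layout/script callbacks that may
// tear down the frame (hypothetical, for this example only).
using BetweenPagesHook = std::function<void(int page_just_rendered)>;

// Guarded print loop: re-checks that the frame is still alive before each
// page. An unguarded variant would cache a raw Frame* before the loop and
// dereference it after the owner released it, which is the UaF pattern.
PrintResult PrintPages(std::weak_ptr<Frame> weak_frame,
                       const BetweenPagesHook& hook) {
    PrintResult result{0, false};
    int page = 0;
    while (true) {
        std::shared_ptr<Frame> frame = weak_frame.lock();  // lifetime re-check
        if (!frame) {
            result.aborted = true;  // frame freed during print: stop, don't touch it
            return result;
        }
        if (page >= frame->page_count) return result;
        // Rendering of page `page` of frame->name would happen here.
        ++page;
        ++result.pages_rendered;
        frame.reset();  // drop the temporary strong ref; only the owner keeps it alive
        hook(page);     // may remove the frame from its Document
    }
}

// Scenario driver: a 5-page frame; when remove_mid_print is set, the hook
// removes the frame after the second page, as the reported iframe removal does.
PrintResult RunScenario(bool remove_mid_print) {
    Document doc;
    std::weak_ptr<Frame> weak = doc.AddFrame("poc", 5);
    BetweenPagesHook hook = [&](int page) {
        if (remove_mid_print && page == 2) doc.RemoveFrame("poc");
    };
    return PrintPages(weak, hook);
}

int main() {
    PrintResult ok = RunScenario(false);
    PrintResult gone = RunScenario(true);
    std::printf("no removal: %d pages, aborted=%d\n", ok.pages_rendered, ok.aborted);
    std::printf("removed mid-print: %d pages, aborted=%d\n", gone.pages_rendered, gone.aborted);
    return 0;
}
```

The guard is the weak reference plus the per-page lock; whichever callback removes the frame, the loop observes an expired reference on its next iteration and returns with aborted set, rather than reading a freed Frame.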
May 26 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6319967489490944
May 26 2017
Thanks for the report, I have confirmed this locally on Stable, and it does look like a UaF. I'm checking if ClusterFuzz can give more details before triaging.
May 26 2017
I thought I had reproduced this on trunk but on closer look, I was just hitting a DCHECK (for a debug build). A release build has no crash. It looks like this was fixed last month, but hasn't percolated to Stable yet. Beta channel has the fix already.
Sep 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 26 2017