
Issue metadata

Status: Fixed
Owner:
Closed: Feb 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Browser crash/segfault when selecting very long option in select

Reported by miau...@gmail.com, Feb 14 2011

Issue description



VULNERABILITY DETAILS
the segfault address is constant per browser version for a given string, changing the length of the string changes the segfault address.

VERSION
Chromium 11.0.670.0 (Developer Build 74745) Ubuntu 10.10
Linux x86_64 2.6.35-26-generic


REPRODUCTION CASE
attached

the longer one on at least one computer kills the browser too with error:


[20711:20711:240041724115:ERROR:browser_main_gtk.cc(39)] X Error detected: serial 15690, error_code 11 (BadAlloc (insufficient resources for operation)), request_code 53 minor_code 0 (X_CreatePixmap)
[20711:20711:240041724664:ERROR:browser_main_gtk.cc(39)] X Error detected: serial 15692, error_code 9 (BadDrawable (invalid Pixmap or Window parameter)), request_code 55 minor_code 0 (X_CreateGC)
[20711:20711:240041724680:ERROR:browser_main_gtk.cc(39)] X Error detected: serial 15693, error_code 13 (BadGC (invalid GC parameter)), request_code 62 minor_code 0 (X_CopyArea)
[20711:20711:240041727828:ERROR:browser_main_gtk.cc(39)] X Error detected: serial 15691, error_code 9 (BadDrawable (invalid Pixmap or Window parameter)), request_code 153 minor_code 4 (RenderCreatePicture)
chromium-browser: ../../src/xcb_io.c:183: process_responses: Assertion `!(req && current_request && !(((long) (req->sequence) - (long) (current_request)) <= 0))' failed.
zsh: abort (core dumped)  chromium-browser


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab, sometimes browser
Crash State: 
=> 0x00007ffff5a78744 <+244>:	mov    (%rcx),%edx
rcx            0xa2904	665860

#0  SkARGB32_Opaque_Blitter::blitMask (this=<value optimized out>, mask=..., clip=<value optimized out>)
    at third_party/skia/src/core/SkBlitter_ARGB32.cpp:273
#1  0x00007ffff5a3d00b in D1G_NoBounder_RectClip (state=..., fx=<value optimized out>, 
    fy=<value optimized out>, glyph=<value optimized out>) at third_party/skia/src/core/SkDraw.cpp:1349
#2  0x00007ffff5a3e198 in SkDraw::drawPosText
 
Attachments: craash.html (7.2 KB), minier.html (5.9 KB)
Does not seem to reproduce in Windows. I think it's likely because of the size of the "popup" that shows the content of the option: this must get rendered by the browser, as it runs outside the page. That would explain why it can crash the browser process.

Comment 2 by jsc...@chromium.org, Feb 14 2011

@tsepez - Would you mind taking a look? This appears to be linux-specific (or at least not windows).

Comment 3 by tsepez@chromium.org, Feb 14 2011

Didn't repro on 11.0.663 - syncing ... may be dependent on display size?
Labels: -Area-Undefined Area-Internals Crash Regression Mstone-11
Status: Untriaged
Summary: Browser crash/segfault when selecting very long option in select
I can repro this with 10.0.668.0. Looks like we regressed recently. Chrome 9.0 and 10.0 seem to be fine.

Stack Trace
------------
Thread 0 *CRASHED* ( SIGABRT @ 0xdf1e00000902 )

0x7fe1f7492a75	 [libc-2.11.1.so	 - ../nptl/sysdeps/unix/sysv/linux/raise.c:64]	raise
0x7fe1f74965bf	 [libc-2.11.1.so	 - abort.c:92]	abort
0x7fe1f748b940	 [libc-2.11.1.so	 - assert.c:81]	__assert_fail
0x7fe1fd270393	 [libX11.so.6.3.0	 - ../../src/xcb_io.c:183]	process_responses
0x7fe1fd2708ef	 [libX11.so.6.3.0	 - ../../src/xcb_io.c:464]	_XReply
0x7fe1fd25df4f	 [libX11.so.6.3.0	 - ../../src/QuPntr.c:50]	XQueryPointer
0x7fe1fbf9949d	 [libgdk-x11-2.0.so.0.2000.1	 - gdkwindow-x11.c:3247]	_gdk_windowing_window_at_pointer
0x7fe1fbf4bab5	 [libgdk-x11-2.0.so.0.2000.1	 - gdkdisplay.c:919]	switch_to_pointer_grab
0x7fe1fbf4bc62	 [libgdk-x11-2.0.so.0.2000.1	 - gdkdisplay.c:1082]	_gdk_display_pointer_grab_update
0x7fe1fbf6bedb	 [libgdk-x11-2.0.so.0.2000.1	 - gdkwindow.c:10370]	_gdk_windowing_got_event
0x7fe1fbf87412	 [libgdk-x11-2.0.so.0.2000.1	 - gdkevents-x11.c:2308]	_gdk_events_queue
0x7fe1fbf8783d	 [libgdk-x11-2.0.so.0.2000.1	 - gdkevents-x11.c:2366]	gdk_event_dispatch
0x7fe1faf488c1	 [libglib-2.0.so.0.2400.1	 + 0x0003e8c1]	
0x7fe1fbf8781f	 [libgdk-x11-2.0.so.0.2000.1	 + 0x0005c81f]	
0x7fe1faf5964f	 [libglib-2.0.so.0.2400.1	 + 0x0004f64f]	
0x7fe1faf4c747	 [libglib-2.0.so.0.2400.1	 + 0x00042747]	
0x7fe1fa1323bf	 [libpthread-2.11.1.so	 + 0x000093bf]	
0x7fe1faf4c8fb	 [libglib-2.0.so.0.2400.1	 + 0x000428fb]	
0x00c25fbe	 [chrome	 - base/message_pump_glib.cc:236]	base::MessagePumpForUI::RunOnce
0x00c25c22	 [chrome	 - base/message_pump_glib.cc:210]	base::MessagePumpForUI::RunWithDispatcher
0x00bfbe46	 [chrome	 - base/message_loop.cc:679]	MessageLoopForUI::Run
0x00438824	 [chrome	 - chrome/browser/browser_main.cc:563]	BrowserMain
0x00430f0b	 [chrome	 - chrome/app/chrome_main.cc:950]	ChromeMain
0x004318e2	 [chrome	 - chrome/app/chrome_exe_main_gtk.cc:49]	main
0x7fe1f747dc4c	 [libc-2.11.1.so	 - libc-start.c:226]	__libc_start_main
0x00430018	 [chrome	 + 0x00030018]

Full report @ http://crash/reportdetail?reportid=8728fd9a563e1781
Labels: OS-Linux

Comment 6 by tsepez@chromium.org, Feb 14 2011

Exactly.  Repros on 11.0.672.

[13411:13411:931270906356:ERROR:browser_main_gtk.cc(39)] X Error detected: serial 6233, error_code 9 (BadDrawable (invalid Pixmap or Window parameter)), request_code 152 minor_code 4 (RenderCreatePicture)
chrome: ../../src/xcb_io.c:183: process_responses: Assertion `!(req && current_request && !(((long) (req->sequence) - (long) (current_request)) <= 0))' failed.
Aborted

Labels: SecSeverity-High
Labels: -SecSeverity-High SecSeverity-Low

Comment 9 by tsepez@chromium.org, Feb 15 2011

Starting with the first error, the BadAlloc for XPixmapCreate, tracing this call shows that prior to the failure, there is an earlier call for a pixmap of (40820 x 18) pixels on top of a call in render_widget_host_view_gtk.cc. As it turns out, a check of the history of this file shows it was modified by http://codereview.chromium.org/6462017 at r74534.

bisect-builds.py identifies this revision as the one that broke.

Assigning to author of that change for investigation.

Labels: -Pri-0 Pri-1

Comment 12 by derat@chromium.org, Feb 21 2011

Status: Assigned
Sure, I'll take a look at this tomorrow.

Comment 13 by derat@chromium.org, Feb 22 2011

Status: Started

Comment 14 by derat@chromium.org, Feb 23 2011

Status: Fixed
http://codereview.chromium.org/6469097/

Comment 15 by bugdroid1@chromium.org, Feb 23 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=75673

------------------------------------------------------------------------
r75673 | derat@chromium.org | Tue Feb 22 16:19:25 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_gtk.cc?r1=75673&r2=75672&pathrev=75673

linux: Constrain popup window size correctly.

Fixes a regression that I introduced while refactoring some
code in r74534.  We were limiting the size passed to GTK+ for
very large popup windows but storing the unconstrained size
internally.

BUG= 72910 
TEST=manual with test case from bug

Review URL: http://codereview.chromium.org/6469097
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Regression bulkmove Type-Regression
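The r75673 commit message describes the failure mode: the popup size was clamped where it was passed to GTK+, but the unconstrained size was what the widget stored and later used. The following is an added example written for this page, not Chromium code and not the actual diff: it models that mismatch in plain C so the invariant the fix restores can be checked. The struct and function names, the MAX_DRAWABLE_DIM limit and the "regressed"/"fixed" constructors are assumptions chosen for illustration; the real ceiling for an X drawable depends on the server, driver and memory and is not stated in the bug.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed per-dimension limit for a drawable (illustrative only; the real
 * ceiling depends on the X server, driver and available memory). */
#define MAX_DRAWABLE_DIM 32767

typedef struct {
    int width;
    int height;
} Size;

/* Minimal model of the popup widget: the size the toolkit was told to create
 * the window with, and the size the widget remembers for its own later
 * allocations and blits. */
typedef struct {
    Size created;
    Size remembered;
} Popup;

static int clamp_dim(int v)
{
    if (v < 1)
        return 1;
    if (v > MAX_DRAWABLE_DIM)
        return MAX_DRAWABLE_DIM;
    return v;
}

static Size constrain(Size s)
{
    Size out = { clamp_dim(s.width), clamp_dim(s.height) };
    return out;
}

/* Regressed pattern (hypothetical stand-in for the r74534 behaviour): the
 * size is clamped only where it is handed to the toolkit, while the raw
 * request is what gets stored. */
Popup create_popup_regressed(Size requested)
{
    Popup p;
    p.created = constrain(requested);
    p.remembered = requested;
    return p;
}

/* Fixed pattern: constrain once and store the constrained size, so every
 * later consumer sees the same dimensions the window system accepted. */
Popup create_popup_fixed(Size requested)
{
    Popup p;
    p.created = constrain(requested);
    p.remembered = p.created;
    return p;
}

/* Stand-in for the server's answer to a CreatePixmap of the given size;
 * false plays the role of BadAlloc. */
bool pixmap_alloc_ok(Size s)
{
    return s.width >= 1 && s.height >= 1 &&
           s.width <= MAX_DRAWABLE_DIM && s.height <= MAX_DRAWABLE_DIM;
}

/* The invariant the fix restores: the remembered size must be allocatable
 * and must not exceed what was actually created, otherwise a later blit of
 * the remembered size reads outside the real drawable. */
bool popup_consistent(const Popup *p)
{
    return pixmap_alloc_ok(p->remembered) &&
           p->remembered.width <= p->created.width &&
           p->remembered.height <= p->created.height;
}

int main(void)
{
    /* Constructed input with the shape of the 40820 x 18 pixmap request
     * mentioned in comment 9. */
    Size huge = { 40820, 18 };
    Popup bad = create_popup_regressed(huge);
    Popup good = create_popup_fixed(huge);

    printf("regressed: created %dx%d, remembered %dx%d, consistent=%d\n",
           bad.created.width, bad.created.height,
           bad.remembered.width, bad.remembered.height,
           popup_consistent(&bad));
    printf("fixed:     created %dx%d, remembered %dx%d, consistent=%d\n",
           good.created.width, good.created.height,
           good.remembered.width, good.remembered.height,
           popup_consistent(&good));
    return 0;
}
```

The point of `popup_consistent` is that the check belongs at the single place where the size is decided, not at each consumer: once the stored size and the created size can diverge, every later allocation or CopyArea that trusts the stored size becomes a candidate for the BadAlloc/BadDrawable/BadGC cascade seen in the report.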
Labels: -Crash Stability-Crash
Labels: Type-Security
Labels: CVE-2011-1436
Status: FixUnreleased
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed

Comment 24 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 25 by bugdroid1@chromium.org, Feb 8 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=181430

------------------------------------------------------------------------
r181430 | rouslan@chromium.org | 2013-02-08T05:21:35.620989Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/generated_resources.grd?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/test/integration/single_client_dictionary_sync_test.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/chrome_switches.h?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/chrome_tests.gypi?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/spellchecker/spellcheck_service.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/test/integration/dictionary_helper.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/profile_sync_components_factory_impl_unittest.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/test/integration/dictionary_helper.h?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/profile_sync_components_factory_impl.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/test/integration/two_client_dictionary_sync_test.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/about_flags.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/test/integration/multiple_client_dictionary_sync_test.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/sync/test/integration/performance/dictionary_sync_perf_test.cc?r1=181430&r2=181429&pathrev=181430
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/chrome_switches.cc?r1=181430&r2=181429&pathrev=181430

Enable dictionary sync by default

This CL enables dictionary sync by default on all platforms except Android and
Mac, which do not use the Chrome custom spelling dictionary file.

BUG= 72910 


Review URL: https://chromiumcodereview.appspot.com/12096116
------------------------------------------------------------------------

Comment 26 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Mstone-11 -SecSeverity-Low -Type-Security -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable Cr-Internals M-11 Type-Bug-Security

Comment 27 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 28 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 30 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 31 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
