Issue 740214


Issue metadata

Status: WontFix
Closed: Jul 2017
OS: Linux, Windows, Mac
Pri: 2
Type: Bug

Tab crashes when adding element with long color property

Reported by lysio...@gmail.com, Jul 7 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Open color-crash.html

What is the expected behavior?
No crash

What went wrong?
Tab crashes

Did this work before? N/A 

Chrome version: 59.0.3071.115 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Attachment: color-crash.html (367 bytes)

Comment 1 Deleted

Comment 2 by lysio...@gmail.com, Jul 7 2017

When you set:
1. i = 0x4000 (line 10), then "Uncaught RangeError: Invalid string length at color-crash.html:12" can be seen.
2. i = 0x100 (line 10), then there is no problem at all.
Components: -Blink Blink>CSS
CSS parsing issue?

Labels: Needs-Triage-M59 Needs-Bisect
Able to reproduce this issue on Win7.

Labels: -Needs-Bisect -Needs-Triage-M59 M-59 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Windows 7, Mac 10.12.5 & Ubuntu 14.04 using the latest Chrome stable #59.0.3071.115 & Canary #61.0.3152.0 as per the provided html in comment #0.

Tab crashed upon opening the html file.

This is a non-regression issue observed from M45, hence marking it as Untriaged to get more inputs from dev.

Please find the attached screenshot for reference.
Thank you..!!
Attachment: Crash.PNG (171 KB)
Cc: timloh@chromium.org
Seems like this is hitting an allocation limit:
[1:1:0710/110346.115988:1729119947146:FATAL:PartitionAllocator.h(37)] Check failed: count <= MaxElementCountInBackingStore<T>() (156590080 vs. 89478314)
#0 0x00000165d257 base::debug::StackTrace::StackTrace()
#1 0x0000016705dd logging::LogMessage::~LogMessage()
#2 0x000002918a2c WTF::PartitionAllocator::QuantizedSize<>()
#3 0x0000029540d1 WTF::Vector<>::ReserveCapacity()
#4 0x000002954052 WTF::Vector<>::AppendSlowCase<>()
#5 0x0000029521f1 blink::CSSTokenizer::CSSTokenizer()
#6 0x000002938814 blink::CSSParserImpl::ParseValue()
#7 0x000002933a51 blink::CSSParser::ParseValue()
#8 0x000002924407 blink::MutableStylePropertySet::SetProperty()
#9 0x00000291291a blink::AbstractPropertySetCSSStyleDeclaration::SetPropertyInternal()
#10 0x000003a3111b blink::V8CSSStyleDeclaration::namedPropertySetterCustom()
#11 0x0000026625ba blink::V8CSSStyleDeclaration::namedPropertySetterCallback()

Adding timloh since AFAIK he is still the CSSTokenizer expert.
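
As an added illustration (not Chromium's own code) of why the CHECK in the log above ends the tab instead of surfacing a JavaScript error: a C++ model of the backing-store bound, assuming the bound is (2 GiB minus one 4 KiB system page) divided by sizeof(T) and that sizeof(CSSParserToken) is 24 bytes, which reproduces the 89478314 printed in the log.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// ASSUMPTION: PartitionAlloc's largest direct-mapped allocation is 2 GiB and
// the usable bound subtracts one 4 KiB system page; with 24-byte tokens this
// yields 89478314, the right-hand value in the CHECK failure above.
constexpr std::size_t kGenericMaxDirectMapped = std::size_t{1} << 31;  // 2 GiB
constexpr std::size_t kSystemPageSize = 4096;
constexpr std::size_t kAssumedCSSParserTokenSize = 24;  // assumed sizeof(CSSParserToken)

// Largest element count that fits in one direct-mapped backing store.
constexpr std::size_t MaxElementCountInBackingStore(std::size_t element_size) {
  return (kGenericMaxDirectMapped - kSystemPageSize) / element_size;
}

enum class ReserveOutcome { kOk, kCheckFailed };

// Models Vector<T>::ReserveCapacity: a count above the bound trips a CHECK,
// which is a fatal abort of the renderer process, not a recoverable error
// and not a JavaScript exception (unlike the RangeError seen for i = 0x4000).
constexpr ReserveOutcome ModelReserveCapacity(std::size_t count,
                                              std::size_t element_size) {
  return count <= MaxElementCountInBackingStore(element_size)
             ? ReserveOutcome::kOk
             : ReserveOutcome::kCheckFailed;
}

// Raw bytes the token vector would need before quantization; makes clear that
// 156590080 tokens of 24 bytes exceed the 2 GiB direct-map limit outright.
constexpr std::uint64_t TokenBackingBytes(std::size_t count,
                                          std::size_t element_size) {
  return static_cast<std::uint64_t>(count) * element_size;
}

int main() {
  constexpr std::size_t kTokensFromLog = 156590080;  // value from the CHECK line
  std::printf("max tokens per backing store: %zu\n",
              MaxElementCountInBackingStore(kAssumedCSSParserTokenSize));
  std::printf("bytes needed for %zu tokens: %llu\n", kTokensFromLog,
              static_cast<unsigned long long>(
                  TokenBackingBytes(kTokensFromLog, kAssumedCSSParserTokenSize)));
  std::printf("reserve would %s\n",
              ModelReserveCapacity(kTokensFromLog, kAssumedCSSParserTokenSize) ==
                      ReserveOutcome::kOk
                  ? "succeed"
                  : "hit the fatal CHECK");
  return 0;
}
```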

Comment 7 by timloh@chromium.org, Jul 11 2017

Is there any reason to handle this gracefully? What's the real-world use case for setting a color or whatnot to a string of 200 million characters?

Comment 8 by lysio...@gmail.com, Jul 11 2017

Since this bug is a public one, what about preventing trolling by script-kiddies? Anyway, this bug could be used by anyone to do anything malicious to any Chrome/Chromium user.

Comment 9 by timloh@chromium.org, Jul 11 2017

What in particular does "anything malicious" entail? Being able to OOM the renderer by executing JS doesn't seem productive to anyone.

Comment 10 by lysio...@gmail.com, Jul 11 2017

Well, honestly I don't know how this could be used by non-trolls. I filed a bug before someone smarter than I starts using it widely with a more productive case than I showed here :)

Comment 11 by meade@chromium.org, Jul 12 2017

Status: WontFix (was: Untriaged)
I don't think this is something we're too worried about, but thanks for the report, lysiol41! Marking as WontFix accordingly.

Comment 12 by lysio...@gmail.com, Jul 12 2017

Thanks :)
