Issue 764367 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security
heap-buffer-overflow-add_line leads browser to crash to the Aw, Snap page

Reported by rooterka...@gmail.com, Sep 12 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Steps to reproduce the problem:
1. Open Chrome.
2. Open the attached file.
3. It will crash Chrome and you can see the Aw, Snap page.

What is the expected behavior?
It should not crash.

What went wrong?
The attached file is causing a heap overflow in the browser, but since I have an office laptop I am not able to do further analysis.

While testing a Firefox bug I was able to reproduce this issue on Chrome.

I am a noob in browser fuzzing.

So sorry if I bother you again, but I thought I should report it as it is reproducible.

Did this work before? N/A

Chrome version: 60.0.3112.113  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 26.0 r0

So sorry if I bother you again, but I thought I should report it as it is reproducible, and multiple failures can one day lead to success :)
 
Chrome_heap-buffer-overflow-add_line.html
431 bytes View Download
0f170029-a259-4250-b4cf-2716fa244a18.dmp
376 KB Download
3b65dc80-c678-41e2-98fe-b814788b6b42.dmp
952 KB Download
6a303be0-2196-491b-bd01-e49a578e0973.dmp
416 KB Download
Components: Blink>Canvas
Status: Untriaged (was: Unconfirmed)
Can you elaborate on why you believe this is a "heap overflow"? It appears to be a simple memory exhaustion issue where canvas.getContext is called 200 times.

crash/4067985ed1bfefa8 

Project Member

Comment 2 by ClusterFuzz, Sep 12 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6372224008454144.

Comment 3 by mea...@chromium.org, Sep 12 2017

Status: WontFix (was: Untriaged)
This indeed looks like an out-of-memory case. OOMs are not security bugs, as the renderer can crash controllably, so I'm closing this as WontFix. Please do let us know if we are missing anything.
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 20 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot