New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 770148 link

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Oct 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security

Sign in to add a comment

Security: UAF in CPWL_ComboBox::KillFocus

Reported by, Sep 29 2017

Issue description


void CPWL_ComboBox::KillFocus() {


void CPWL_ComboBox::SetPopup(bool bPopup) {
  if (!bPopup) {
    m_bPopup = bPopup;
    Move(m_rcOldWindow, true, true); <------ (1)

When it's trying to kill focus a combobox, it will invoke |CPWL_ComboBox::KillFocus| instead of |CPWL_Wnd::KillFocus|.

At (1) |Move| ends up calling |Form_Invalidate| which possible to run a script then trigger a UAF by destroying the widget's pdf window in the middle of KillFocus processing. Please see  bug 766957   bug 765921   bug 760455  for more explanation/details.

Please find attached PoC/asan/...

Chrome Version: 61.0.3163.100 (Official Build) (64-bit)
Operating System: OS X / Win / Linux

Open the pdf file, click on scrollbar which has textbox printing "a".
3.5 KB Download
4.3 KB Download
5.5 MB Download
This is PoC controlling register [rdx], right at instruction calling function pointer. 

along with backtrace full from gdb.
3.7 KB Download
4.5 KB Download
14.9 KB View Download
Screenshot from 2017-09-29 17-54-08.png
367 KB View Download
Components: Internals>Plugins>PDF
Labels: Security_Severity-Medium Security_Impact-Stable M-62 Pri-1
Status: Assigned (was: Unconfirmed)
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Started (was: Assigned)
Project Member

Comment 6 by, Oct 4 2017

The following revision refers to this bug:

commit 55469aed5acffcce3259d37418ba9e8b8e60d801
Author: Henrique Nakashima <>
Date: Wed Oct 04 16:02:44 2017

Fix UAF in SetVisible().

SetVisible() may be called during Destroy() which may be called
during SetVisible().

This fixes the latest in a family of bugs that happen after an
instance is freed by code triggered by JS code while it's executing
a method.

The CL has a lot of protection for many of these points where JS
may be executed and potentially destroy objects. The return types
of many methods that may execute JS have been changed to bool,
indicating whether the instance is still alive after the call.

Bug:  chromium:770148 
Change-Id: If5a9db4d8d6aac10f4dd6b645922bb96c116684d
Reviewed-by: dsinclair <>
Commit-Queue: Henrique Nakashima <>


Status: Fixed (was: Started)
Project Member

Comment 8 by, Oct 5 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -Security_Severity-Medium Security_Severity-High

Comment 11 Deleted

Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Nice one! The VRP panel awarded $5,000 for this. Cheers!
Labels: -reward-unpaid reward-inprocess
Labels: -M-62 M-63
Project Member

Comment 16 by, Oct 27 2017

Labels: Merge-Request-63
Project Member

Comment 17 by, Oct 27 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot
+awhalley@ (Security TPM) for M63 merge review
govind@ good for 63 if commit in #6 isn't already there.
Labels: -Merge-Review-63
#6 is already in M63 branch (M63 was branched on Oct 12th). 
Labels: Release-0-M63
Labels: CVE-2017-15411
Project Member

Comment 23 by, Jan 11 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 24 by, Mar 27 2018

Labels: -M-63 M-65
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted

Sign in to add a comment