
Issue 816877 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security


Integer overflow in StyleElement:process by 32 megabytes in memory.

Reported by mishra.d...@gmail.com, Feb 27 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
Hi Team,

This was already submitted long back (I believe) but I can't find the upstream bug.

Steps to Reproduce:
1. Open PoC.html in 63.0.3239.132 (Official Build) (64-bit) (cohort: 64_186_win)
2. Chrome crashes

What is the expected behavior?

What went wrong?
My Local Crash ID:
0d133822-6282-44cf-9d0b-9c3b4b2a2440

Request you to please look into this.

Did this work before? N/A 

Chrome version: 63.0.3239.132  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 28.0.0.137

Attachment: PoC.html (1.2 KB)
Labels: Needs-Feedback
Local Crash IDs are not useful, as they are, well, local. Can you please share the "Uploaded Crash Report ID" value that you find next to the local crash ID value, on chrome://crashes? Can you also point to where this was originally reported? 

Were you running this in 32bit Chrome or 64bit? Running out of memory is fairly likely with this repro file.
I have some restrictions set by the administrator; I think I won't be able to share the Uploaded Crash ID. Apart from that, I tried the same test case on my local desktop, which is the same version (Google Chrome 63.0.3239.132 (Official Build) (64-bit) (cohort: 64_186_win)), but I was unable to get the crash there; rather than crashing, the entire system goes for a DoS.

Attachment: Policy.PNG (42.0 KB)
Attachment: Video-PoC.avi (465 KB)
Comment 3 by sheriffbot@chromium.org (Project Member), Feb 27 2018

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by ClusterFuzz (Project Member), Feb 27 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6462310286360576.

Comment 5 by kenrb@chromium.org, Feb 27 2018

I'm fairly certain this is just memory exhaustion. The process is terminated but there is no crash report uploaded. On recent versions (Canary, trunk) it is a clean process shutdown without even the Aw, Snap screen.

Comment 6 by kenrb@chromium.org, Feb 27 2018

Labels: Needs-Feedback
ClusterFuzz can't reproduce this. Is there any reason that you think this might be more than a renderer process kill for memory restrictions?
I think this crash is specific to my Chrome profile. Agree with #c5; in other versions of Chrome the process is terminated.
Comment 8 by sheriffbot@chromium.org (Project Member), Feb 28 2018

Cc: kenrb@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by kenrb@chromium.org, Feb 28 2018

Status: WontFix (was: Unconfirmed)
Closing this out because it doesn't seem like there is anything for us to do with this. The process termination is not unexpected.
Comment 10 by sheriffbot@chromium.org (Project Member), Jun 6 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot