New issue
Advanced search Search tips

Issue 917890 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 11
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug



Sign in to add a comment

Crash in chrome_child!blink::PictureInPictureControllerImpl::OnEnteredPictureInPicture

Reported by pa...@blackowlsec.com, Dec 26

Issue description

VULNERABILITY DETAILS
Read AV in chrome_child!blink::PictureInPictureControllerImpl::OnEnteredPictureInPicture

https://chromium.googlesource.com/chromium/src.git/+/71.0.3578.98/third_party/blink/renderer/modules/picture_in_picture/picture_in_picture_controller_impl.cc line @ 132

The bug triggers when a video element that is currently used in PictureInPicture functionality is removed by overwriting html body content, and after that we try to run the load() method on that removed element.

VERSION
Chrome Version: 71.0.3578.98 stable 32bit
Operating System: [Win 10 x64]

REPRODUCTION CASE

Minimized testcase and windbg log attached
 
cm_pip.html
466 bytes View Download
webm.webm
361 KB View Download
cm_pip_windbg.txt
6.1 KB View Download
Project Member

Comment 1 by ClusterFuzz, Dec 26

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5756848992681984.
Cc: mlamouri@chromium.org
Components: Blink>Media>PictureInPicture
Labels: Security_Severity-High Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: beaufort...@gmail.com
Thanks for the report! Marking this high severity and passing along to PictureInPicture experts.

Can you reproduce this, and let me know if PiP is enabled by default, and whether all of the select OS's enable PiP by default?
Project Member

Comment 3 by ClusterFuzz, Dec 26

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5672042044850176.
Cc: mpdenton@chromium.org
Project Member

Comment 5 by ClusterFuzz, Dec 26

Testcase 5756848992681984 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5756848992681984.
Project Member

Comment 6 by ClusterFuzz, Dec 26

Testcase 5672042044850176 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5672042044850176.
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 27

Labels: Target-71 M-71
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 27

Labels: Pri-1
Project Member

Comment 9 by sheriffbot@chromium.org, Dec 27

Status: Assigned (was: Unconfirmed)
Cc: beaufort...@gmail.com
Owner: fbeaufort@chromium.org
I think I've found the root issue. element->GetWebMediaPlayer() is NULL at

 element->GetWebMediaPlayer()->RegisterPictureInPictureWindowResizeCallback(
      WTF::BindRepeating(&PictureInPictureWindow::OnResize,
                         WrapPersistent(picture_in_picture_window_.Get())));

See https://chromium-review.googlesource.com/c/chromium/src/+/1068066/6/third_party/blink/renderer/modules/picture_in_picture/picture_in_picture_controller_impl.cc

We could either fix it now by simply calling RegisterPictureInPictureWindowResizeCallback if GetWebMediaPlayer() is valid. Or we can wait for https://chromium-review.googlesource.com/c/chromium/src/+/1379049 to land.

What do you think Mounir?
Here's the WIP CL at https://chromium-review.googlesource.com/c/chromium/src/+/1397640 if you want to have a look.
fbeaufort, ClusterFuzz can't repro the issue. Can you repro this on trunk and other channels? If the issue is actually live, it may be better to land a fix so it can easily be merged to branches. My change will be way too large to be merged.
I can repro on trunk and stable.

1. Go to https://googlechrome.github.io/samples/picture-in-picture/
2. Open DevTools and run `video.onenterpictureinpicture = _ => { video.load(); }`
3. Click "Toggle Picture-in-Picture" button
4. Enjoy tab crashing!

If you can review CL at https://chromium-review.googlesource.com/c/chromium/src/+/1397640, I'll push and ask for merge.
Cc: -beaufort...@gmail.com
Is this a NULL pointer dereference? Or a use after free? If it is just a NULL pointer dereference, we can remove the security restrictions and you don't have to do any merging to previous branches.
AFAICT, this is a NULL pointer dereference. The fix is a null-check.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable -Security_Severity-High -M-71 -Target-71 Type-Bug
Got it, thanks!
Status: Verified (was: Assigned)
Fixed and verified in Chrome Canary 73.0.3667.0 for macOS

Sign in to add a comment