Attaching test-case-1. Sorry for such a fat SVG file, I'm in hurry and won't be soon near my workstation. This test-case is related to dbg-1.tar.gz.

test-case-1.tar.gz 3.6 KB Download

Thank you for the nice bug.

In the future, can you please attach the testcase and stacktrace directly to the bug without zipping it. In fact, smaller testcases and stack, you can paste directly in the comments.

test-case-2 reproduces perfectly, but it is not fully reproduced. Also, i don't think you need 2 files. If you can fully reduce the testcase and have a clear repro, you will qualify for the higher reward. Want to give it a shot ?

Upstreamed - https://bugs.webkit.org/show_bug.cgi?id=66335

Ok, will do so.

I will try to reduce testcase, albeit I can't promise to do that fast - unfortunately, currently I am quite limited to internet. Hope to provide reduced testcase in a couple of days.

Also, how do you mean "not fully reproduced" - it works not always or file is just too bloated? On dev and beta under windows it worked always for me.

And do you need smaller repro for test-case-1?

They are the same bug, isn't it. So, we need reduction for only one. For now, i reduced it, this will serve as an example for your future reports. By reduced, we mean smaller and cleaner testcase

<!DOCTYPE html>
<html>
<script>
function runTest() {
    svgdoc = document.getElementById('root').contentDocument;
    var style = document.createElement('style');
    var test1 = svgdoc.getElementById('test1');
    test1.appendChild(style);
    svgdoc.getElementById('test2').setAttribute('xlink:href', 0);
    svgdoc.getElementById('test').setAttribute('stroke', 0);

}
</script>
<object data="animate-elem-77-t.svg" id="root" onload="runTest();" type="image/svg+xml"></object>
</html>

----animate-elem-77-t.svg----
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="test">
<text id="test1">PASS</text>
</g>
<use id="test2" xlink:href="#test"/>
<use xlink:href="#test"/>
<set attributeName="font-style" to="italic"/>
</svg>

http://trac.webkit.org/changeset/93227

Great, thanks a lot, inferno!

Ax330d, the pleasure is all ours, keep your fuzzers rocking!!

@Ax330d: thanks for this report, and it's my pleasure to offer you a $1000 Chromium Security Reward -- congrats!

It's always good to see new researchers, so I hope you have more research planned ;-)

We reward at the higher $1000 level for good quality reports. To be sure of getting the higher reward amount in the future, please make sure to strip any unneeded constructs out of the repro files, and keep them as small and tidy as possible.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----

Nice, pleasure to work with you :)

Merged to M14: http://trac.webkit.org/changeset/93497

@Ax330d: with what name would you like to be credited?

@scarybeasts, you can use my real name - Arthur Gerkis.

Payment is in system.

Batch update.

Marking old security bugs Fixed..

This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot