Starred by 2 users
Status: Fixed
Closed: Oct 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
More stale styles in listmarkers
Project Member Reported by, Sep 22 2011
credit: miaubiz

li:before {
    content: "B";
}
@font-face { font-family: "A"; src: url(); }
body { font-family: A; }
document.body.offsetTop; = "blue";
Comment 2 by, Sep 23 2011
I think these are the same, but just in case :D
Comment 3 by, Sep 25 2011
first-letter instead of before. same thing.
Thanks a lot Miaubiz for the additional testcases.

Mergedinto: 97994
Status: Duplicate
Status: Available
Reopening since generic fix is not enough. There are certain cases where we can't delay font retirement, so like we need to fix these security bugs along with functional issue.

Comment #9 From 2011-09-28 13:26:48 PST
I can see a recalcStyle(Force) taking place, with a brand new FontSelector, after the old FontSelector’s document is cleared. So the issue remains that style recalc is not updating all renderers as it should. I can’t think of a reasonable way to defer the font deletion in cases like this. We should just fix the style recalc bugs.
Comment 7 by, Sep 29 2011
putting this repro here where I think it belongs
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: thanks for uncovering these list marker issues! $1000 for this one too.

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Comment 9 by, Oct 3 2011
but it's not even fixed yet :|
Labels: -Mstone-14 Mstone-15
Oh balls. Looks like a mix up between myself and Inferno. Still, seems like it'll be good for the reward once we fix it :)
Comment 11 by, Oct 4 2011
with vertical text orientation the stack changes

==4561== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe38d050d at pc 0x7ffff3580ea2 bp 0x7fffffff69d0 sp 0x7fffffff68e0
READ of size 1 at 0x7fffe38d050d thread T0
    #0 0x7ffff3580ea2 in WebCore::InlineFlowBox::requiresIdeographicBaseline(WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > > const&) const ???:0

      li:before {
        content: "B";
      }
      @font-face { font-family: "A"; src: url(); }
      li { font-family: A; }

Status: Started
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged merge-merged-874 SecImpacts-Stable SecImpacts-Beta
merged to m15 in r97086
Labels: CVE-2011-3885
Labels: -reward-unpaid
Payment in system, can take up to a couple of weeks.
Comment 17 by, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 18 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 19 by, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-15 -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Beta Security-Severity-High Security-Impact-Stable M-15 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 20 by, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 21 by, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 23 by, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 24 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 25 by, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 26 by, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 27 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 28 by, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 29 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic