New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Fixed
Owner: ----
Closed: Sep 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

  • Only users with EditIssue permission may comment.

Sign in to add a comment

Use-after-free when font is missing

Reported by, Sep 26 2011 Back to list

Issue description


Chrome Version: 
Chromium	16.0.893.0 (Developer Build 102749)
OS	Linux
WebKit	535.5 (trunk@95959)

Operating System: 64bit linux


Type of crash: renderer
Crash State: 

==25708== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe39b3890 at pc 0x7ffff378700a bp 0x7fffffff5490 sp 0x7fffffff5460
READ of size 4 at 0x7fffe39b3890 thread T0
    #0 0x7ffff378700a in WebCore::RenderInline::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const ???:0
    #1 0x7ffff3913c16 in WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const ???:0

0x7fffe39b3890 is located 16 bytes inside of 1208-byte region [0x7fffe39b3880,0x7fffe39b3d38)
freed by thread T0 here:
    #0 0x7ffff5e2749a in free _asan_rtl_
    #1 0x7ffff359f4ed in WebCore::CSSFontFaceSource::pruneTable() ???:0
    #2 0x7ffff359f731 in WebCore::CSSFontFaceSource::fontLoaded(WebCore::CachedFont*) ???:0

12.9 KB View Download
282 bytes View Download

Comment 1 by, Sep 26 2011

jump to 0

==25941== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc (nil) sp 0x7fffffff9ab8 bp 0x7fffffff9f50 ax 0x7fffe07f0930 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7ffff5e27ae8 in ASAN_OnSIGSEGV _asan_rtl_
    #1 0x7fffeab2bc60 in __restore_rt ??:0
    #2 0x7ffff362810e in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0
    #3 0x7ffff386c1b2 in WebCore::RenderTable::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0
    #4 0x7ffff383eb4e in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ???:0

2.5 KB View Download
3.6 KB View Download
303 bytes View Download
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-14 Stability-AddressSanitizer
Status: Available
If you see the stack, you will realize, we need to fix this in Mitz' patch - the crash stack hasn't changed after my fix because the underlying r94508 wasn't able to delay the font retirement.
Labels: reward-topanel
Summary: Use-after-free when font is missing (was: NULL)
Upstreamed -
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
This is again a specific fix and not a generic one.

Comment 5 by, Sep 29 2011

here's the repro that is still crashing
609 bytes View Download

Comment 6 by, Sep 29 2011

asan log for that 
12.3 KB View Download
Labels: -Merge-Approved Merge-Merged merge-merged-874
merged to m15 in r96369
Labels: -Mstone-14 Mstone-15
Labels: SecImpacts-Stable
Batch update.
Labels: -reward-topanel reward-1000 reward-unpaid
Thanks for all these stale style bugs, miaubiz. We think we've got a good defense now to making these stale style bugs unexploitable, but we'll pay $1000 per well-reported bug up until that point. $1000 for this one. Forgive the brevity on upcoming rewards :)

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Labels: CVE-2011-3885
Labels: -reward-unpaid
Payment in system, can take up to a couple of weeks.

Comment 13 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed..
Project Member

Comment 14 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 15 by, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-15 -Stability-AddressSanitizer -SecImpacts-Stable Cr-Content Security-Severity-High Security-Impact-Stable M-15 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member

Comment 16 by, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 17 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 19 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 20 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 21 by, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 22 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 23 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 24 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment