[Webkit-unassigned] [Bug 25567] Crash when writing into a detached TITLE element

bugzilla-daemon at webkit.org
Wed Jun 17 05:14:53 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=25567


skylined at chromium.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Group|                            |Security-Sensitive




------- Comment #5 from skylined at chromium.org  2009-06-17 05:14 PDT -------
I am seeing a few reports of a ReadAV
[NULL+0x1C]@chrome!MallocExtension::ReleaseFreeMemory+0x314e with this stack
for the same repro:

chrome!MallocExtension::ReleaseFreeMemory+0x314e
chrome!MallocExtension::ReleaseFreeMemory+0x68d38
chrome!MallocExtension::GetNumericProperty+0x66139
chrome!MallocExtension::ReadStackTraces+0xa930b
chrome!MallocExtension::ReadStackTraces+0xa94db
chrome!MallocExtension::ReadStackTraces+0xaa00c
chrome!tcmalloc::StackTraceTable::bucket_total+0x102a37
chrome!tcmalloc::StackTraceTable::depth_total+0x2a7a
chrome!tcmalloc::StackTraceTable::depth_total+0x35d1
chrome!tcmalloc::StackTraceTable::depth_total+0x3ce7
chrome!tcmalloc::StackTraceTable::depth_total+0x4041
chrome!tcmalloc::StackTraceTable::depth_total+0xb49
chrome!MallocExtension::GetEstimatedAllocatedSize+0xce1c7
chrome!_sbrk+0x4ca4a
chrome!_sbrk+0x780a1
chrome!_sbrk+0x4bfd7
chrome!_sbrk+0x4c400
chrome!_sbrk+0x4c70d
chrome!_sbrk+0x5fc4a
chrome!_sbrk+0x5e7dd
kernel32!GetModuleFileNameA+0x1ba

This may be an indication that this is exploitable. I am seeing no other
crashes or non-NULL values in the pointers, so I am not overly worried. Marking
as security just in case... feel free to remove the flag if you find the root
cause and determine it is not exploitable.

