[Webkit-unassigned] [Bug 30827] New: Off-by-one hard-to-trigger memory corruption in CSSParser
bugzilla-daemon at webkit.org
Tue Oct 27 10:31:12 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=30827
Summary: Off-by-one hard-to-trigger memory corruption in CSSParser
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: CSS
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: evan at chromium.org
See http://code.google.com/p/chromium/issues/detail?id=23362 for the gory
details. Here's a summary of multiple people's hard work.
Build WebKit with GCC 4.4 and use either:
- glibc's MALLOC_CHECK support
- valgrind
and find that some pages cause, respectively, either a crash or an invalid
read/write.
Example URLs:
http://artofapogee.blogspot.com/2009/05/ubuntu-my-2009-t-shirt-design.html
http://msnbc.com
http://www.cs.colorado.edu/~jessup/lapack/
The crash is due to a double free in WebCore::~CSSParser, but that could be due
to memory corruption.
A partial backtrace at the invalid write found by valgrind follows:
#0 0x0000000001a811a0 in WebCore::CSSParser::lex (this=0x7feffd780) at
../css/tokenizer.flex:47
#1 0x0000000001a7ef4e in WebCore::CSSParser::lex (this=0x7feffd780,
yylvalWithoutType=0x7feffd1e0)
at third_party/WebKit/WebCore/css/CSSParser.cpp:4607
#2 0x0000000001c7e8aa in cssyylex (cssyylval=0x7feffd1e0, parser=0x7feffd780)
at
/home/shenki/src/chromium/src/third_party/WebKit/WebCore/css/CSSGrammar.y:95
#3 0x0000000001c7eb2e in cssyyparse (parser=0x7feffd780) at
out/Debug/obj.target/geni/CSSGrammar.cpp:2060
#4 0x0000000001a6ebc5 in WebCore::CSSParser::parseSheet (this=0x7feffd780,
sheet=0x101b32c0, string=...)
at third_party/WebKit/WebCore/css/CSSParser.cpp:225
#5 0x0000000001ad617d in WebCore::CSSStyleSheet::parseString (this=0x101b32c0,
string=..., strict=false)
at third_party/WebKit/WebCore/css/CSSStyleSheet.cpp:167
#6 0x00000000014972ec in WebCore::HTMLLinkElement::setCSSStyleSheet
(this=0x1013e050, url=..., charset=..., sheet=0x1013eef0)
at third_party/WebKit/WebCore/html/HTMLLinkElement.cpp:269
#7 0x00000000014f22d7 in WebCore::CachedCSSStyleSheet::checkNotify
(this=0x1013eef0)
at third_party/WebKit/WebCore/loader/CachedCSSStyleSheet.cpp:115
#8 0x00000000014f21c3 in WebCore::CachedCSSStyleSheet::data (this=0x1013eef0,
data=..., allDataReceived=true)
at third_party/WebKit/WebCore/loader/CachedCSSStyleSheet.cpp:103
The CSS for the lapack URL does not cause a crash if the size of the file is
adjusted by any number of bytes (!!), smaller or larger. It also does not cause
a crash if the error in the CSS is fixed (line 98, add a closing brace).
If you add 1 to the data malloc'd in WebCore/css/CSSParser.cpp line 199, it
works around the issue.
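An added example, not code from the bug report or from WebKit, showing why an allocation that is one element short of what a scanner's trailing terminators need corrupts memory only at particular input sizes (the size-sensitivity noted above). The terminator count of 2 and the 16-byte chunk granularity are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* 16-bit code unit, like WebKit's UChar. */
typedef uint16_t UChar;

/* Number of trailing terminator slots the scanner stamps after the real
   input. Two is assumed here (flex scanners expect two end-of-buffer
   characters); the exact count for CSSParser is not given in the report. */
#define SCANNER_TERMINATORS 2

/* Buggy sizing: reserves room for only one terminator. */
size_t buffer_len_buggy(size_t input_len) {
    return input_len + 1;
}

/* Corrected sizing: one slot per terminator the scanner will write. */
size_t buffer_len_fixed(size_t input_len) {
    return input_len + SCANNER_TERMINATORS;
}

/* Highest index the scanner writes when it stamps its terminators. */
size_t last_index_written(size_t input_len) {
    return input_len + SCANNER_TERMINATORS - 1;
}

/* 1 if the scanner's final write lands outside a buffer of sizer() slots. */
int overflows(size_t (*sizer)(size_t), size_t input_len) {
    return last_index_written(input_len) >= sizer(input_len);
}

/* Allocators round each request up to a size class, so a one-element overrun
   only reaches a neighbouring chunk when the request exactly fills its class.
   That is why growing or shrinking the file by any amount makes the crash
   vanish. granularity is the assumed chunk granularity in bytes. */
int overrun_crosses_chunk(size_t input_len, size_t granularity) {
    size_t requested = buffer_len_buggy(input_len) * sizeof(UChar);
    size_t usable = (requested + granularity - 1) / granularity * granularity;
    size_t end_of_write = (last_index_written(input_len) + 1) * sizeof(UChar);
    return end_of_write > usable;
}

/* Count how many input lengths in 0..max_len would corrupt a neighbour. */
size_t count_crossing_lengths(size_t max_len, size_t granularity) {
    size_t n = 0;
    for (size_t len = 0; len <= max_len; ++len)
        n += (size_t)overrun_crosses_chunk(len, granularity);
    return n;
}
```

With 16-byte chunks only every eighth input length crosses into the next chunk, which matches the report's observation that the corruption depends on the exact file size; MALLOC_CHECK and valgrind catch the write regardless of whether it crosses.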