[Webkit-unassigned] [Bug 30827] New: Off-by-one hard-to-trigger memory corruption in CSSParser

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 27 10:31:12 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=30827

           Summary: Off-by-one hard-to-trigger memory corruption in CSSParser
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: evan at chromium.org


See http://code.google.com/p/chromium/issues/detail?id=23362 for the gory
details.  Here's a summary of multiple people's hard work.

Build WebKit with GCC 4.4 and use either:
 - glibc's MALLOC_CHECK support
 - valgrind
and find that some pages cause, respectively, either a crash or an invalid
read/write.

Example URLs:
  http://artofapogee.blogspot.com/2009/05/ubuntu-my-2009-t-shirt-design.html
  http://msnbc.com
  http://www.cs.colorado.edu/~jessup/lapack/

The crash is due to a double free in WebCore::~CSSParser, but that could be due
to memory corruption.
A partial backtrace at the invalid write found by valgrind follows:

#0  0x0000000001a811a0 in WebCore::CSSParser::lex (this=0x7feffd780) at ../css/tokenizer.flex:47
#1  0x0000000001a7ef4e in WebCore::CSSParser::lex (this=0x7feffd780, yylvalWithoutType=0x7feffd1e0) at third_party/WebKit/WebCore/css/CSSParser.cpp:4607
#2  0x0000000001c7e8aa in cssyylex (cssyylval=0x7feffd1e0, parser=0x7feffd780) at /home/shenki/src/chromium/src/third_party/WebKit/WebCore/css/CSSGrammar.y:95
#3  0x0000000001c7eb2e in cssyyparse (parser=0x7feffd780) at out/Debug/obj.target/geni/CSSGrammar.cpp:2060
#4  0x0000000001a6ebc5 in WebCore::CSSParser::parseSheet (this=0x7feffd780, sheet=0x101b32c0, string=...) at third_party/WebKit/WebCore/css/CSSParser.cpp:225
#5  0x0000000001ad617d in WebCore::CSSStyleSheet::parseString (this=0x101b32c0, string=..., strict=false) at third_party/WebKit/WebCore/css/CSSStyleSheet.cpp:167
#6  0x00000000014972ec in WebCore::HTMLLinkElement::setCSSStyleSheet (this=0x1013e050, url=..., charset=..., sheet=0x1013eef0) at third_party/WebKit/WebCore/html/HTMLLinkElement.cpp:269
#7  0x00000000014f22d7 in WebCore::CachedCSSStyleSheet::checkNotify (this=0x1013eef0) at third_party/WebKit/WebCore/loader/CachedCSSStyleSheet.cpp:115
#8  0x00000000014f21c3 in WebCore::CachedCSSStyleSheet::data (this=0x1013eef0, data=..., allDataReceived=true) at third_party/WebKit/WebCore/loader/CachedCSSStyleSheet.cpp:103

The CSS for the lapack URL does not cause a crash if the size of the file is
adjusted by any number of bytes (!!), smaller or larger.  It also does not cause
a crash if the error in the CSS is fixed (line 98, add a closing brace).

If you add 1 to the data malloc'd in WebCore/css/CSSParser.cpp line 199, it
works around the issue.
