[Webkit-unassigned] [Bug 38039] New: WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV at Arbitrary (deef89ee3d0345edebeaf13cf974c47c)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 23 02:10:10 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=38039

           Summary: WebCore::WebGLUnsignedIntArrayInternal::getCallback
                    ReadAV at Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://jssh.skypher.com/4.4/Main.html?command%3Dnew%20
                    WebGLUnsignedIntArray(0,%208).get(0x20000000);%0A&exec
                    ute
        OS/Version: Windows Vista
            Status: NEW
          Severity: Blocker
          Priority: P1
         Component: WebGL
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Chromium bug:   http://code.google.com/p/chromium/issues/detail?id=42396
Repro:          new WebGLUnsignedIntArray(0, 8).get(0x20000000);
Problem:        get method does not check sanity of argument.
id:             WebCore::WebGLUnsignedIntArrayInternal::getCallback
ReadAV at Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
description:    Security: Attempt to read from arbitrary memory @ 0x831A0C48 in
WebCore::WebGLUnsignedIntArrayInternal::getCallback
stack:          WebCore::WebGLUnsignedIntArrayInternal::getCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                v8::Script::Run
                WebCore::V8Proxy::runScript
                WebCore::V8Proxy::evaluate
                WebCore::ScriptController::evaluate
                WebCore::ScriptController::executeScript
                WebCore::HTMLTokenizer::scriptExecution
                WebCore::HTMLTokenizer::scriptHandler
                WebCore::HTMLTokenizer::parseNonHTMLText
                WebCore::HTMLTokenizer::parseTag
                WebCore::HTMLTokenizer::write
                WebCore::FrameLoader::write
                WebCore::FrameLoader::endIfNotLoadingMainResource
                WebCore::FrameLoader::finishedLoading
                WebCore::MainResourceLoader::didFinishLoading
                WebCore::ResourceLoader::didFinishLoading
                webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
                ResourceDispatcher::OnRequestComplete
                IPC::MessageWithTuple<...>
                ResourceDispatcher::DispatchMessageW
                ResourceDispatcher::OnMessageReceived
                ChildThread::OnMessageReceived
                RunnableMethod<...>::Run
                MessageLoop::RunTask
                MessageLoop::DoWork
                base::MessagePumpDefault::Run
                MessageLoop::RunInternal
                MessageLoop::Run
                RendererMain

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list