[Webkit-unassigned] [Bug 51055] NULL deref in WebCore::HTMLEntitySearch::advance
bugzilla-daemon at webkit.org
Tue Dec 14 14:26:48 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51055
--- Comment #1 from Thomas Sepez <tsepez at chromium.org> 2010-12-14 14:26:48 PST ---
Reported by aohelin, Dec 09 (5 days ago)
VULNERABILITY DETAILS
Opening the attached file causes a renderer segmentation fault. The crash looks like a null, behaves like a null and quacks like a null, so it is probably harmless. On the other hand it is in a core component and affects all versions of Chrome I tested, so reporting conservatively as a security issue.
I did not find a way to change the crash address or location.
VERSION
Chrome Version: Chromium 8.0.552.215 (Developer Build 67652) Ubuntu 10.10 (beta), Chrome 8.0.552.215 (Official Build 67652) (stable)
Operating System: Ubuntu 10.10, 32- and 64-bit
REPRODUCTION CASE
Open the attached parse.svg, or data:image/svg+xml,<!DOCTYPE foo PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" ""> <foo foo="&:;
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
Program received signal SIGSEGV, Segmentation fault.
WebCore::HTMLEntitySearch::advance (this=0xbfffd8cc, nextCharacter=58)
at third_party/WebKit/WebCore/html/parser/HTMLEntitySearch.cpp:124
124 third_party/WebKit/WebCore/html/parser/HTMLEntitySearch.cpp: No such file or directory.
in third_party/WebKit/WebCore/html/parser/HTMLEntitySearch.cpp
(gdb) bt 10
#0 WebCore::HTMLEntitySearch::advance (this=0xbfffd8cc, nextCharacter=58)
at third_party/WebKit/WebCore/html/parser/HTMLEntitySearch.cpp:124
#1 0xb674e3f3 in WebCore::decodeNamedEntity (name=0xb8241447 ":")
at third_party/WebKit/WebCore/html/parser/HTMLEntityParser.cpp:257
#2 0xb6af2a27 in getXHTMLEntity (closure=0xb8288400, name=0xb8241447 ":")
at third_party/WebKit/WebCore/dom/XMLDocumentParserLibxml2.cpp:1209
#3 WebCore::getEntityHandler (closure=0xb8288400, name=0xb8241447 ":")
at third_party/WebKit/WebCore/dom/XMLDocumentParserLibxml2.cpp:1241
#4 0xb62f61fc in xmlParseEntityRef (ctxt=0xb8288400)
at third_party/libxml/src/parser.c:7164
#5 0xb62fbd85 in xmlParseAttValueComplex (ctxt=0xb8288400,
len=<value optimized out>, alloc=0xbfffdaf0, normalize=0)
at third_party/libxml/src/parser.c:3701
#6 xmlParseAttValueInternal (ctxt=0xb8288400, len=<value optimized out>,
alloc=0xbfffdaf0, normalize=0) at third_party/libxml/src/parser.c:8578
#7 0xb62fc9ac in xmlParseAttribute2 (ctxt=0xb8288400,
pref=<value optimized out>, URI=0xbfffdb9c, tlen=0xbfffdbb0)
at third_party/libxml/src/parser.c:8634
#8 xmlParseStartTag2 (ctxt=0xb8288400, pref=<value optimized out>,
URI=0xbfffdb9c, tlen=0xbfffdbb0) at third_party/libxml/src/parser.c:8792
#9 0xb63031ad in xmlParseTryOrFinish (ctxt=0xb8288400,
terminate=<value optimized out>) at third_party/libxml/src/parser.c:10843
(More stack frames follow...)
(gdb) bt 2 full
#0 WebCore::HTMLEntitySearch::advance (this=0xbfffd8cc, nextCharacter=58)
at third_party/WebKit/WebCore/html/parser/HTMLEntitySearch.cpp:124
No locals.
#1 0xb674e3f3 in WebCore::decodeNamedEntity (name=0xb8241447 ":")
at third_party/WebKit/WebCore/html/parser/HTMLEntityParser.cpp:257
search = {m_currentLength = 1, m_currentValue = 0,
m_mostRecentMatch = 0x0, m_first = 0x0, m_last = 0x0}
entityValue = <value optimized out>
(More stack frames follow...)
(gdb) disas $eip-32, $eip+8
Dump of assembler code from 0xb674f35a to 0xb674f382:
0xb674f35a <WebCore::HTMLEntitySearch::advance(UChar)+42>: mov %edi,(%esp)
0xb674f35d <WebCore::HTMLEntitySearch::advance(UChar)+45>: call 0xb6868a80 <WebCore::HTMLEntityTable::firstEntryStartingWith(UChar)>
0xb674f362 <WebCore::HTMLEntitySearch::advance(UChar)+50>: mov %eax,0xc(%esi)
0xb674f365 <WebCore::HTMLEntitySearch::advance(UChar)+53>: mov %edi,(%esp)
0xb674f368 <WebCore::HTMLEntitySearch::advance(UChar)+56>: call 0xb6868ad0 <WebCore::HTMLEntityTable::lastEntryStartingWith(UChar)>
0xb674f36d <WebCore::HTMLEntitySearch::advance(UChar)+61>: mov (%esi),%edx
0xb674f36f <WebCore::HTMLEntitySearch::advance(UChar)+63>: mov %eax,0x10(%esi)
0xb674f372 <WebCore::HTMLEntitySearch::advance(UChar)+66>: lea 0x1(%edx),%eax
0xb674f375 <WebCore::HTMLEntitySearch::advance(UChar)+69>: mov 0xc(%esi),%edx
0xb674f378 <WebCore::HTMLEntitySearch::advance(UChar)+72>: mov %eax,(%esi)
=> 0xb674f37a <WebCore::HTMLEntitySearch::advance(UChar)+74>: cmp 0x4(%edx),%eax
0xb674f37d <WebCore::HTMLEntitySearch::advance(UChar)+77>: je 0xb674f3d3 <WebCore::HTMLEntitySearch::advance(UChar)+163>
0xb674f37f <WebCore::HTMLEntitySearch::advance(UChar)+79>: movl $0x0,0x4(%esi)
(gdb) info registers
eax 0x1 1
ecx 0xffffffd9 -39
edx 0x0 0
ebx 0xb80d1d14 -1207100140
esp 0xbfffd870 0xbfffd870
ebp 0xbfffd8a8 0xbfffd8a8
esi 0xbfffd8cc -1073751860
edi 0x3a 58
eip 0xb674f37a 0xb674f37a <WebCore::HTMLEntitySearch::advance(UChar)+74>
eflags 0x10286 [ PF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
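The locals in the trace (search = {m_currentLength = 1, m_first = 0x0, m_last = 0x0}) and the faulting instruction (cmp 0x4(%edx),%eax with edx = 0) show the pattern: for a first character such as ':' that no entity name starts with, the table lookup returns null range bounds, and the search then reads a field of m_first without checking it. The following is an added example, not WebKit's code and not part of the bug report. It uses a small constructed entity table and hypothetical names (EntityEntry, EntitySearch, firstEntryStartingWith, lastEntryStartingWith, decodeNamedEntity) modelled on the identifiers in the trace, and shows the incremental search with the null-range check in the place where the crash occurred.

```cpp
// Added example: an incremental entity-name search with the null-range check
// that the crash in the report shows is needed. Table and names are constructed
// for illustration; this is not WebKit's HTMLEntitySearch.
#include <cstdio>
#include <string>

// Hypothetical entity table, sorted by name (a few entries only).
struct EntityEntry {
    const char* name;   // entity name without the leading '&' and trailing ';'
    unsigned length;    // strlen(name)
    unsigned value;     // code point the entity decodes to
};

static const EntityEntry kTable[] = {
    {"amp", 3, 0x26},
    {"gt", 2, 0x3E},
    {"lt", 2, 0x3C},
    {"quot", 4, 0x22},
};
static const size_t kTableSize = sizeof(kTable) / sizeof(kTable[0]);

// First/last table entry whose name starts with c, or nullptr when none does.
// For ':' both return nullptr, which is the m_first = m_last = 0x0 state in the trace.
static const EntityEntry* firstEntryStartingWith(char c) {
    for (size_t i = 0; i < kTableSize; ++i)
        if (kTable[i].name[0] == c) return &kTable[i];
    return nullptr;
}
static const EntityEntry* lastEntryStartingWith(char c) {
    const EntityEntry* result = nullptr;
    for (size_t i = 0; i < kTableSize; ++i)
        if (kTable[i].name[0] == c) result = &kTable[i];
    return result;
}

class EntitySearch {
public:
    EntitySearch() : m_currentLength(0), m_mostRecentMatch(nullptr),
                     m_first(nullptr), m_last(nullptr) {}

    const EntityEntry* mostRecentMatch() const { return m_mostRecentMatch; }

    // Feed one more character of the candidate name. Returns false once no
    // entity can match the characters seen so far.
    bool advance(char c) {
        if (!m_currentLength) {
            m_first = firstEntryStartingWith(c);
            m_last = lastEntryStartingWith(c);
            // This is the check whose absence produces the segfault: without it,
            // the length comparison below reads through a null m_first.
            if (!m_first) return fail();
        } else {
            // Narrow [m_first, m_last] to entries whose next character is c.
            const EntityEntry* newFirst = nullptr;
            const EntityEntry* newLast = nullptr;
            for (const EntityEntry* e = m_first; e <= m_last; ++e) {
                if (e->length > m_currentLength && e->name[m_currentLength] == c) {
                    if (!newFirst) newFirst = e;
                    newLast = e;
                }
            }
            if (!newFirst) return fail();
            m_first = newFirst;
            m_last = newLast;
        }
        ++m_currentLength;
        // Sorted order puts a name before any longer name it prefixes, so an
        // exact match of the current length is always the first entry in range.
        if (m_first->length == m_currentLength) m_mostRecentMatch = m_first;
        return true;
    }

private:
    bool fail() { m_first = m_last = nullptr; return false; }

    unsigned m_currentLength;
    const EntityEntry* m_mostRecentMatch;
    const EntityEntry* m_first;
    const EntityEntry* m_last;
};

// Decode a complete entity name; returns 0 when it is not in the table.
unsigned decodeNamedEntity(const std::string& name) {
    EntitySearch search;
    for (char c : name)
        if (!search.advance(c)) return 0;
    const EntityEntry* match = search.mostRecentMatch();
    return (match && match->length == name.size()) ? match->value : 0;
}

int main() {
    const char* samples[] = {"amp", "lt", ":", "am", "ampx"};
    for (const char* s : samples)
        std::printf("&%s; -> U+%04X\n", s, decodeNamedEntity(s));
    return 0;
}
```

The input from the report (&:;) reaches decodeNamedEntity with the name ":"; the first advance() sees empty bounds and returns false instead of comparing against m_first->length, so the caller simply treats the reference as not an entity.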