[Webkit-unassigned] [Bug 77617] New: Bad cast in WebCore::toRenderBox

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 2 01:56:30 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=77617

           Summary: Bad cast in WebCore::toRenderBox
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Chromium: http://code.google.com/p/chromium/issues/detail?id=112436

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=16846680

Fuzzer: Marty_html_twiddler

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7fe5572683f8
Crash State:
  - crash stack -
  WebCore::RenderBlock::~RenderBlock
  WebCore::RenderTextControl::~RenderTextControl
  WebCore::RenderDeprecatedFlexibleBox::layoutHorizontalBox

Regressed: https://cluster-fuzz.appspot.com/revisions?range=119626:119630

Minimized Testcase (1.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94gMSr9y7rMLAe7K4d-pZbpHlhhB8XNOqSJrPHPgQU9X3k9gToui6gxAMolrLaKfO8BCUCiVQNHzvL0t51Ada98MCjV59-8Aeg-VuWgcLfxjwA1u1DxoXCjqm5ZASZToTVBXK8FFh6WfgMihJlwaufcNUw8vA
<!DOCTYPE html>
<style>
.c1 { display: -webkit-inline-box; }
.c1:before { display: table-caption; float: right; content: no-close-quote; }
.c3 { display: block; }
.c17 { visibility: inherit; float: right;</style>
<script>
var nodes = Array();
var text = Array();
function boom() {
try { nodes[16] = document.createElement('colgroup'); } catch(e) {}
try { nodes[16].setAttribute('class', 'c3'); } catch(e) {}
try { document.documentElement.appendChild(nodes[16]); } catch(e) {}
try { nodes[18] = document.createElement('i'); } catch(e) {}
try { nodes[19] = document.createElement('td'); } catch(e) {}
try { nodes[19].setAttribute('class', 'c1'); } catch(e) {}
try { nodes[16].appendChild(nodes[19]); } catch(e) {}
try { nodes[33] = document.createElement('source'); } catch(e) {}
try { nodes[33].setAttribute('class', 'c17'); } catch(e) {}
try { nodes[19].appendChild(nodes[33]); } catch(e) {}
try { text[37] = document.createTextNode('1371803455'); } catch(e) {}
try { nodes[19].appendChild(text[37]); } catch(e) {}
setTimeout('try { nodes[18].appendChild(nodes[33]); } catch(e) {}', 282);
}
window.onload = boom;
</script>

Bad cast:

inline RenderBox* toRenderBox(RenderObject* object)
{ 
    ASSERT(!object || object->isBox());
    return static_cast<RenderBox*>(object);
}

00 003dd9a8 59c9834c webkit!WebCore::toRenderBox(class WebCore::RenderObject * object = 0x0256037c)+0x34 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderbox.h @ 526]
01 003dd9b8 59d26ed4 webkit!WebCore::RenderBox::nextSiblingBox(void)+0x1c [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderbox.h @ 546]
02 003dd9d0 59d272d6 webkit!WebCore::RenderDeprecatedFlexibleBox::calcHorizontalPrefWidths(void)+0x34 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderdeprecatedflexiblebox.cpp @ 155]
03 003dda4c 59c5d720 webkit!WebCore::RenderDeprecatedFlexibleBox::computePreferredLogicalWidths(void)+0x106 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderdeprecatedflexiblebox.cpp @ 194]
04 003dda5c 59c6295b webkit!WebCore::RenderBox::minPreferredLogicalWidth(void)+0x30 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderbox.cpp @ 742]
05 003ddac8 59c62494 webkit!WebCore::RenderBox::computeLogicalWidthUsing(WebCore::LogicalWidthType widthType = LogicalWidth (0n0), int availableLogicalWidth = 0n1113)+0x10b [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderbox.cpp @ 1737]
06 003ddb9c 59c620da webkit!WebCore::RenderBox::computeLogicalWidthInRegion(class WebCore::RenderRegion * region = 0x00000000, int offsetFromLogicalTopOfFirstPage = 0n0)+0x3a4 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderbox.cpp @ 1682]
07 003ddbb0 59d27734 webkit!WebCore::RenderBox::computeLogicalWidth(void)+0x1a [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderbox.cpp @ 1628]
08 003ddc54 59c987e0 webkit!WebCore::RenderDeprecatedFlexibleBox::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x154 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderdeprecatedflexiblebox.cpp @ 233]
09 003ddc70 59becbf0 webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
0a 003ddc80 59cdec2e webkit!WebCore::RenderObject::layoutIfNeeded(void)+0x30 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderobject.h @ 605]
0b 003ddd48 59c98d6c webkit!WebCore::RenderBlock::layoutInlineChildren(bool relayoutChildren = false, int * repaintLogicalTop = 0x003dde54, int * repaintLogicalBottom = 0x003dde48)+0x35e [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblocklinelayout.cpp @ 1492]
0c 003ddee4 59c987e0 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x53c [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1328]
0d 003ddf00 59c9c82a webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
0e 003ddfa8 59c9c4f8 webkit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x025863bc, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x003de008, int * previousFloatLogicalBottom = 0x003ddff8, int * maxFloatLogicalBottom = 0x003de160)+0x27a [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2115]
0f 003de070 59c98d82 webkit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = false, int * maxFloatLogicalBottom = 0x003de160)+0x398 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2052]
10 003de208 59c987e0 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x552 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1332]
11 003de224 59c9c82a webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
12 003de2cc 59c9c4f8 webkit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x00a9f34c, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x003de32c, int * previousFloatLogicalBottom = 0x003de31c, int * maxFloatLogicalBottom = 0x003de484)+0x27a [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2115]
13 003de394 59c98d82 webkit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = false, int * maxFloatLogicalBottom = 0x003de484)+0x398 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2052]
14 003de52c 59c987e0 webkit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x552 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1332]
15 003de548 59be800d webkit!WebCore::RenderBlock::layout(void)+0x40 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1202]
16 003de5ec 59f946bd webkit!WebCore::RenderView::layout(void)+0x1fd [c:\src\chromium-internal\src\third_party\webkit\source\webcore\rendering\renderview.cpp @ 137]
17 003de720 59f97f28 webkit!WebCore::FrameView::layout(bool allowSubtree = true)+0x94d [c:\src\chromium-internal\src\third_party\webkit\source\webcore\page\frameview.cpp @ 1111]
18 003de730 59f9d699 webkit!WebCore::FrameView::layoutTimerFired(class WebCore::Timer<WebCore::FrameView> * __formal = 0x02542980)+0x18 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\page\frameview.cpp @ 1962]
19 003de744 5a58b8d9 webkit!WebCore::Timer<WebCore::FrameView>::fired(void)+0x29 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\platform\timer.h @ 100]
1a 003de77c 5a58b7f6 webkit!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0xd9 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\platform\threadtimers.cpp @ 115]
1b 003de784 63e13efb webkit!WebCore::ThreadTimers::sharedTimerFired(void)+0x16 [c:\src\chromium-internal\src\third_party\webkit\source\webcore\platform\threadtimers.cpp @ 94]
1c 003de794 63eac5e0 glue!webkit_glue::WebKitPlatformSupportImpl::DoTimeout(void)+0x2b [c:\src\chromium-internal\src\webkit\glue\webkitplatformsupport_impl.h @ 149]
...
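The report's "Bad cast" snippet shows the root of this class of bug: the only type check in toRenderBox is a debug ASSERT, so in a release build any RenderObject that is not a box (here, a sibling reached through nextSiblingBox during the flexible-box width calculation) is cast to RenderBox* and its box-only fields are read out of an allocation that never had them. The following is an added example, not WebKit code: the RenderObject/RenderInline/RenderBox stand-ins, the ASSERT macro and the sibling walk are constructed here to contrast the unchecked cast with a checked form that refuses non-boxes in every build.

```cpp
// Added example (not WebKit code): an ASSERT-only downcast versus a
// downcast that is checked in release builds too.
#include <cassert>

#ifdef NDEBUG
#define ASSERT(x) ((void)0)   // release builds: the type check disappears
#else
#define ASSERT(x) assert(x)
#endif

// Minimal stand-ins for the WebCore render tree (constructed for this example).
struct RenderObject {
    virtual ~RenderObject() {}
    virtual bool isBox() const { return false; }
    RenderObject* nextSibling = nullptr;
};

struct RenderInline : RenderObject {};            // not a box: carries no box fields

struct RenderBox : RenderObject {
    bool isBox() const override { return true; }
    int logicalWidth = 0;                          // a field only boxes have
};

// The pattern from the report: the only type check is a debug assertion,
// so in a release build a RenderInline passes straight through the cast.
inline RenderBox* toRenderBox(RenderObject* object)
{
    ASSERT(!object || object->isBox());
    return static_cast<RenderBox*>(object);
}

// Hardened form: the check runs in every build; a non-box yields nullptr
// instead of a pointer to fields that do not exist in that allocation.
inline RenderBox* toRenderBoxChecked(RenderObject* object)
{
    if (object && !object->isBox())
        return nullptr;
    return static_cast<RenderBox*>(object);
}

// Sibling walk in the shape of nextSiblingBox(): sums logicalWidth over the
// siblings that really are boxes and skips the ones that are not, rather
// than reading logicalWidth through a mis-typed pointer.
inline int sumSiblingBoxWidths(RenderObject* first)
{
    int total = 0;
    for (RenderObject* o = first; o; o = o->nextSibling)
        if (RenderBox* box = toRenderBoxChecked(o))
            total += box->logicalWidth;
    return total;
}
```

Compile with and without -DNDEBUG to see that toRenderBox only ever complains in the debug build, while toRenderBoxChecked rejects the inline sibling in both.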
