[Webkit-unassigned] [Bug 80866] New: Crash in WebKit!WebCore::FontFallbackList::determinePitch+0x14.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 12 12:11:48 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=80866

           Summary: Crash in WebKit!WebCore::FontFallbackList::determinePitch+0x14.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: netfuzzer at gmail.com


Tested on Windows 7 SP1.
Apple Safari 5.1.2 and WebKit Nightly Build r110430.

Reproduce:
1. Open file PoC.html.
2. Wait...
3. See the crash

Well, we have a CALL after the crash. Since it is a persistent null pointer, it doesn't look exploitable.

Stacktrace (from WebKit Nightly Build)
===========================
(123c.d70): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7f8a6784 ecx=c7d49551 edx=7ff4a200 esi=7f527910 edi=00000000
eip=5698c224 esp=0029dc5c ebp=0029dc64 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
WebKit!WebCore::FontFallbackList::determinePitch+0x14:
5698c224 8b17            mov     edx,dword ptr [edi]  ds:0023:00000000=????????
0:000> .exr -1
ExceptionAddress: 5698c224 (WebKit!WebCore::FontFallbackList::determinePitch+0x00000014)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
0:000> .lastevent
Last event: 123c.d70: Access violation - code c0000005 (!!! second chance !!!)
  debugger time: Mon Mar 12 16:09:19.556 2012 (UTC - 3:00)
0:000> kp
ChildEBP RetAddr  
0029dc64 566df846 WebKit!WebCore::FontFallbackList::determinePitch(class WebCore::Font * font = 0x7fb8ad94)+0x14 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\graphics\fontfallbacklist.cpp @ 79]
0029dd44 566eaef0 WebKit!WebCore::RenderText::computePreferredLogicalWidths(float leadWidth = 0, class WTF::HashSet<WebCore::SimpleFontData const *,WTF::PtrHash<WebCore::SimpleFontData const *>,WTF::HashTraits<WebCore::SimpleFontData const *> > * fallbackFonts = 0x0029dd60, struct WebCore::GlyphOverflow * glyphOverflow = 0x0029dd74)+0x936 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\rendertext.cpp @ 993]
0029dd88 566d19c1 WebKit!WebCore::RenderText::computePreferredLogicalWidths(float leadWidth = 0)+0x40 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\rendertext.cpp @ 877]
0029ddec 5670eb98 WebKit!WebCore::RenderText::trimmedPrefWidths(float leadWidth = 0, float * beginMinW = 0x0029de58, bool * beginWS = 0x0029de8a, float * endMinW = 0x0029de44, bool * endWS = 0x0029de8b, bool * hasBreakableChar = 0x0029de7a, bool * hasBreak = 0x0029de7b, float * beginMaxW = 0x0029de74, float * endMaxW = 0x0029de7c, float * minW = 0x0029de98, float * maxW = 0x0029de9c, bool * stripFrontSpaces = 0x0029dea3)+0x51 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\rendertext.cpp @ 776]
0029deb0 56738c35 WebKit!WebCore::RenderBlock::computeInlinePreferredLogicalWidths(void)+0x558 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 5598]
0029dee0 566b0917 WebKit!WebCore::RenderBlock::computePreferredLogicalWidths(void)+0x135 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 5262]
0029dee8 566c1de0 WebKit!WebCore::RenderBox::minPreferredLogicalWidth(void)+0x17 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 816]
0029df38 56738c3c WebKit!WebCore::RenderBlock::computeBlockPreferredLogicalWidths(void)+0x230 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 5734]
0029df68 566b0917 WebKit!WebCore::RenderBlock::computePreferredLogicalWidths(void)+0x13c [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 5265]
0029df70 56709122 WebKit!WebCore::RenderBox::minPreferredLogicalWidth(void)+0x17 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 816]
0029df9c 5672a558 WebKit!WebCore::RenderBox::computeLogicalWidthInRegionUsing(WebCore::LogicalWidthType widthType = LogicalWidth (0n0), int availableLogicalWidth = 0n1663236, class WebCore::RenderBlock * cb = 0x7f8a6e7c, class WebCore::RenderRegion * region = 0x00000000, int offsetFromLogicalTopOfFirstPage = 0n0)+0x152 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 1853]
0029dfe8 5672f249 WebKit!WebCore::RenderBox::computeLogicalWidthInRegion(class WebCore::RenderRegion * region = 0x00000000, int offsetFromLogicalTopOfFirstPage = 0n1663236)+0x328 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 1794]
0029dff4 56755264 WebKit!WebCore::RenderBox::computeLogicalWidth(void)+0x9 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderbox.cpp @ 1740]
0029e070 566c14e0 WebKit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = false, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0xa4 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1442]
0029e090 567034af WebKit!WebCore::RenderBlock::layout(void)+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1401]
0029e0a8 5673f5e5 WebKit!WebCore::RenderBlock::insertFloatingObject(class WebCore::RenderBox * o = 0x7f6e41b8)+0x1af [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 3565]
0029e288 56746079 WebKit!WebCore::RenderBlock::LineBreaker::nextLineBreak(class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0029e3b8, class WebCore::LineInfo * lineInfo = 0x0029e4ec, struct std::pair<WebCore::RenderText *,WebCore::LazyLineBreakIterator> * lineBreakIteratorInfo = 0x0029e2ec, struct WebCore::RenderBlock::FloatingObject * lastFloatFromPreviousLine = 0x00000000, unsigned int consecutiveHyphenatedLines = 0)+0x535 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 2231]
0029e364 56747b72 WebKit!WebCore::RenderBlock::layoutRunsAndFloatsInRange(class WebCore::LineLayoutState * layoutState = 0x0029e4d8, class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0029e3b8, class WebCore::InlineIterator * cleanLineStart = 0x0029e39c, struct WebCore::BidiStatus * cleanLineBidiStatus = 0x0029e38c, unsigned int consecutiveHyphenatedLines = 0)+0x159 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 1254]
0029e4bc 56747f4f WebKit!WebCore::RenderBlock::layoutRunsAndFloats(class WebCore::LineLayoutState * layoutState = 0x0029e4d8, bool hasInlineChild = true)+0x2c2 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 1219]
0029e534 567555dd WebKit!WebCore::RenderBlock::layoutInlineChildren(bool relayoutChildren = true, int * repaintLogicalTop = 0x0029e5b4, int * repaintLogicalBottom = 0x0029e501)+0x37f [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 1519]
0029e5bc 566c14e0 WebKit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = true, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x41d [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1537]
0029e5dc 567034af WebKit!WebCore::RenderBlock::layout(void)+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1401]
0029e5f4 5673f5e5 WebKit!WebCore::RenderBlock::insertFloatingObject(class WebCore::RenderBox * o = 0x7f6e4140)+0x1af [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 3565]
0029e7d4 56746079 WebKit!WebCore::RenderBlock::LineBreaker::nextLineBreak(class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0029e904, class WebCore::LineInfo * lineInfo = 0x0029ea38, struct std::pair<WebCore::RenderText *,WebCore::LazyLineBreakIterator> * lineBreakIteratorInfo = 0x0029e838, struct WebCore::RenderBlock::FloatingObject * lastFloatFromPreviousLine = 0x00000000, unsigned int consecutiveHyphenatedLines = 0)+0x535 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 2231]
0029e8b0 56747b72 WebKit!WebCore::RenderBlock::layoutRunsAndFloatsInRange(class WebCore::LineLayoutState * layoutState = 0x0029ea24, class WebCore::BidiResolver<WebCore::InlineIterator,WebCore::BidiRun> * resolver = 0x0029e904, class WebCore::InlineIterator * cleanLineStart = 0x0029e8e8, struct WebCore::BidiStatus * cleanLineBidiStatus = 0x0029e8d8, unsigned int consecutiveHyphenatedLines = 0)+0x159 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 1254]
0029ea08 56747f4f WebKit!WebCore::RenderBlock::layoutRunsAndFloats(class WebCore::LineLayoutState * layoutState = 0x0029ea24, bool hasInlineChild = true)+0x2c2 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 1219]
0029ea80 567555dd WebKit!WebCore::RenderBlock::layoutInlineChildren(bool relayoutChildren = true, int * repaintLogicalTop = 0x0029eb00, int * repaintLogicalBottom = 0x0029ea01)+0x37f [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblocklinelayout.cpp @ 1519]
0029eb08 566c14e0 WebKit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = true, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x41d [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1537]
0029eb28 56752dcb WebKit!WebCore::RenderBlock::layout(void)+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1401]
0029eb70 56755191 WebKit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x00000000, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x0029eb94, int * previousFloatLogicalBottom = 0x0129ebc4, int * maxFloatLogicalBottom = 0x0029ec48)+0x26b [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 2337]
0029ebdc 567555ee WebKit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = true, int * maxFloatLogicalBottom = 0x0029ec48)+0x301 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 2246]
0029ec60 566c14e0 WebKit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = true, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x42e [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1541]
0029ec80 56752dcb WebKit!WebCore::RenderBlock::layout(void)+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1401]
0029ecc8 56755191 WebKit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x00000000, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x0029ecec, int * previousFloatLogicalBottom = 0x0129ed1c, int * maxFloatLogicalBottom = 0x0029eda0)+0x26b [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 2337]
0029ed34 567555ee WebKit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = true, int * maxFloatLogicalBottom = 0x0029eda0)+0x301 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 2246]
0029edb8 566c14e0 WebKit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = true, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x42e [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1541]
0029edd8 56752dcb WebKit!WebCore::RenderBlock::layout(void)+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1401]
0029ee20 56755191 WebKit!WebCore::RenderBlock::layoutBlockChild(class WebCore::RenderBox * child = 0x00000000, class WebCore::RenderBlock::MarginInfo * marginInfo = 0x0029ee44, int * previousFloatLogicalBottom = 0x0129ee74, int * maxFloatLogicalBottom = 0x0029eef8)+0x26b [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 2337]
0029ee8c 567555ee WebKit!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren = true, int * maxFloatLogicalBottom = 0x0029eef8)+0x301 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 2246]
0029ef10 566c14e0 WebKit!WebCore::RenderBlock::layoutBlock(bool relayoutChildren = true, int pageLogicalHeight = 0n0, WebCore::RenderBlock::BlockLayoutPass layoutPass = NormalLayoutPass (0n0))+0x42e [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1541]
0029ef30 566fe84d WebKit!WebCore::RenderBlock::layout(void)+0x30 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderblock.cpp @ 1401]
0029efb4 56938e2a WebKit!WebCore::RenderView::layout(void)+0x20d [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderview.cpp @ 137]
0029eff8 56810926 WebKit!WebCore::FrameView::layout(bool allowSubtree = true)+0x52a [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\page\frameview.cpp @ 1072]
0029f008 5674aa69 WebKit!WebCore::Document::updateLayout(void)+0x66 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 1704]
0029f04c 56814e25 WebKit!WebCore::RenderLayer::hitTest(class WebCore::HitTestRequest * request = 0x0029f1bc, class WebCore::HitTestResult * result = 0x0029f0a0)+0x19 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\rendering\renderlayer.cpp @ 3135]
0029f0e4 56ae350b WebKit!WebCore::Document::prepareMouseEvent(class WebCore::HitTestRequest * request = 0x0029f1bc, class WebCore::IntPoint * documentPoint = 0x0029f10c, class WebCore::PlatformMouseEvent * event = 0x0029f23c)+0x65 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\dom\document.cpp @ 2866]
0029f114 56ae9100 WebKit!WebCore::EventHandler::prepareMouseEvent(class WebCore::HitTestRequest * request = 0x0029f1bc, class WebCore::PlatformMouseEvent * mev = 0x0029f23c)+0x4b [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\page\eventhandler.cpp @ 2070]
0029f1d0 56ae9893 WebKit!WebCore::EventHandler::handleMouseMoveEvent(class WebCore::PlatformMouseEvent * mouseEvent = 0x0029f23c, class WebCore::HitTestResult * hoveredNode = 0x0029f1ec, bool onlyUpdateScrollbars = true)+0x190 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\page\eventhandler.cpp @ 1749]
0029f228 5661f73e WebKit!WebCore::EventHandler::passMouseMovedEventToScrollbars(class WebCore::PlatformMouseEvent * event = 0x0029f23c)+0x23 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\page\eventhandler.cpp @ 1703]
0029f26c 566204c6 WebKit!WebKit::handleMouseEvent(class WebKit::WebMouseEvent * mouseEvent = 0xc7d49551, class WebKit::WebPage * page = 0x00000000, bool onlyUpdateScrollbars = true)+0x9e [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webpage\webpage.cpp @ 1264]
0029f28c 5667f041 WebKit!WebKit::WebPage::mouseEvent(class WebKit::WebMouseEvent * mouseEvent = 0x0029f201)+0x76 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webpage\webpage.cpp @ 1296]
0029f2d0 56680196 WebKit!CoreIPC::handleMessage<Messages::WebPage::MouseEvent,WebKit::WebPage,void (class CoreIPC::ArgumentDecoder * argumentDecoder = 0x7f6e49d8, class WebKit::WebPage * object = 0x7fec6c80, <function> * function = 0x56620450)+0x31 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\platform\coreipc\handlemessage.h @ 297]
0029f2e8 5661d47f WebKit!WebKit::WebPage::didReceiveWebPageMessage(class CoreIPC::Connection * __formal = 0x7fe92c00, class CoreIPC::MessageID messageID = class CoreIPC::MessageID, class CoreIPC::ArgumentDecoder * arguments = 0x7f6e49d8)+0xf6 [c:\cygwin\home\buildbot\slave\win-release\build\webkitbuild\release\obj\webkit\derivedsources\webpagemessagereceiver.cpp @ 106]
0029f300 565fe235 WebKit!WebKit::WebPage::didReceiveMessage(class CoreIPC::Connection * connection = 0x7fe92c00, class CoreIPC::MessageID messageID = class CoreIPC::MessageID, class CoreIPC::ArgumentDecoder * arguments = 0x7f6e49d8)+0x6f [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webpage\webpage.cpp @ 2469]
0029f320 565fcc5e WebKit!WebKit::WebProcess::didReceiveMessage(class CoreIPC::Connection * connection = 0x7fe92c00, class CoreIPC::MessageID messageID = class CoreIPC::MessageID, class CoreIPC::ArgumentDecoder * arguments = 0x7f6e49d8)+0x175 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webprocess.cpp @ 668]
0029f340 5667a2d2 WebKit!WebKit::WebConnectionToUIProcess::didReceiveMessage(class CoreIPC::Connection * connection = 0x7fe92c00, class CoreIPC::MessageID messageID = class CoreIPC::MessageID, class CoreIPC::ArgumentDecoder * arguments = 0x7f6e49d8)+0xfe [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webconnectiontouiprocess.cpp @ 87]
0029f360 5667a3bf WebKit!CoreIPC::Connection::dispatchMessage(class CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder> * message = 0x0029f378)+0x72 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\platform\coreipc\connection.cpp @ 694]
0029f380 56688012 WebKit!CoreIPC::Connection::dispatchMessages(void)+0x7f [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\platform\coreipc\connection.cpp @ 719]
0029f390 56687b63 WebKit!WebCore::RunLoop::performWork(void)+0x32 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\runloop.cpp @ 67]
0029f39c 765ac4e7 WebKit!WebCore::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x000305cc, unsigned int message = 0x401, unsigned int wParam = 0x7fe997c0, long lParam = 0n0)+0x43 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\win\runloopwin.cpp @ 42]
0029f3c8 765ac5e7 USER32!InternalCallWinProc+0x23
0029f440 765acc19 USER32!UserCallWinProcCheckWow+0x14b
0029f4a0 765acc70 USER32!DispatchMessageWorker+0x35e
0029f4b0 56687681 USER32!DispatchMessageW+0xf
0029f4e4 5662657e WebKit!WebCore::RunLoop::run(void)+0x41 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\win\runloopwin.cpp @ 76]
0029f4f8 565fcde6 WebKit!WebKit::WebProcessMain(class WebKit::CommandLine * commandLine = 0x0029f52c)+0xde [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\win\webprocessmainwin.cpp @ 84]
0029f518 565fce8c WebKit!WebKitMain(class WebKit::CommandLine * commandLine = 0x00000000)+0x116 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webkitmain.cpp @ 59]
0029f544 00191098 WebKit!WebKitMain(struct HINSTANCE__ * hInstance = 0x00190000, struct HINSTANCE__ * hPrevInstance = 0x00000000, wchar_t * lpstrCmdLine = 0x00391dae "-type webprocess -clientIdentifier 972", int nCmdShow = 0n10)+0x9c [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\webprocess\webkitmain.cpp @ 187]
0029f774 00191258 WebKit2WebProcess!wWinMain(struct HINSTANCE__ * hInstance = 0x00190000, struct HINSTANCE__ * hPrevInstance = 0x00000000, wchar_t * lpstrCmdLine = 0x00391dae "-type webprocess -clientIdentifier 972", int nCmdShow = 0n10)+0x98 [c:\cygwin\home\buildbot\slave\win-release\build\source\webkit2\win\mainwin.cpp @ 67]
0029f808 7635ed6c WebKit2WebProcess!__tmainCRTStartup(void)+0x150 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 589]
0029f814 7779377b kernel32!BaseThreadInitThunk+0xe
0029f854 7779374e ntdll!__RtlUserThreadStart+0x70
0029f86c 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> dv /v
@ecx            this = 0xc7d49551
0029dc6c            font = 0x7fb8ad94
0:000> r
eax=00000000 ebx=7f8a6784 ecx=c7d49551 edx=7ff4a200 esi=7f527910 edi=00000000
eip=5698c224 esp=0029dc5c ebp=0029dc64 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
WebKit!WebCore::FontFallbackList::determinePitch+0x14:
5698c224 8b17            mov     edx,dword ptr [edi]  ds:0023:00000000=????????
0:000> u
WebKit!WebCore::FontFallbackList::determinePitch+0x14 [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\platform\graphics\fontfallbacklist.cpp @ 79]:
5698c224 8b17            mov     edx,dword ptr [edi]
5698c226 8b4214          mov     eax,dword ptr [edx+14h]
5698c229 8bcf            mov     ecx,edi
5698c22b ffd0            call    eax
5698c22d 84c0            test    al,al
5698c22f 7508            jne     WebKit!WebCore::FontFallbackList::determinePitch+0x29 (5698c239)
5698c231 8a8f58040000    mov     cl,byte ptr [edi+458h]
5698c237 eb12            jmp     WebKit!WebCore::FontFallbackList::determinePitch+0x3b (5698c24b)
0:000> !load winext/msec.dll
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at WebKit!WebCore::FontFallbackList::determinePitch+0x0000000000000014 (Hash=0x375d5e0f.0x7a552526)

The data from the faulting address is later used as the target for a branch.

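As an added illustration (not part of the bug report), a small Python triage helper that reconciles the two readings above: the faulting `mov edx,dword ptr [edi]` reads from edi = 0, the null page, while the value it loads is what `call eax` later branches through, which is the property `!exploitable` keys on. The register and disassembly lines are copied from the session above; the 0x10000 null-page threshold is an assumption about the default Windows user-mode layout.

```python
import re

# Constructed excerpt of the WinDbg session quoted in the bug report: the
# register dump from `r` and the disassembly from `u` at the faulting address.
REGISTERS = "eax=00000000 ebx=7f8a6784 ecx=c7d49551 edx=7ff4a200 esi=7f527910 edi=00000000"
DISASM = """\
5698c224 8b17            mov     edx,dword ptr [edi]
5698c226 8b4214          mov     eax,dword ptr [edx+14h]
5698c229 8bcf            mov     ecx,edi
5698c22b ffd0            call    eax
5698c22d 84c0            test    al,al
"""
# Assumption: the first 64 KiB of a Windows user-mode address space is the no-access
# null-pointer partition, so a read there is not data supplied by page content.
NULL_PAGE_LIMIT = 0x10000
REG_RE = re.compile(r"(\w+)=([0-9a-f]{8})")
MEM_RE = re.compile(r"\[(\w+)(?:\+([0-9a-f]+)h?)?\]")

def parse_registers(line):
    """'eax=00000000 ebx=...' -> {'eax': 0, 'ebx': ...}"""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(line)}

def parse_disasm(text):
    """WinDbg `u` lines -> list of (address, mnemonic, operands)."""
    insns = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # address, opcode bytes, mnemonic, operands
        if len(parts) >= 3:
            insns.append((parts[0], parts[2], parts[3] if len(parts) > 3 else ""))
    return insns

def triage(regs, insns):
    """Where does the faulting read come from, and does its result flow into an
    indirect branch (the property !exploitable keys on)?"""
    _, _, ops = insns[0]                        # the instruction that faulted
    mem = MEM_RE.search(ops)
    base, disp = mem.group(1), int(mem.group(2) or "0", 16)
    fault_addr = (regs[base] + disp) & 0xFFFFFFFF
    tainted = {ops.split(",")[0].strip()}       # register loaded by the faulting read
    controls_branch = False
    for _, mn, op in insns[1:]:
        parts = [p.strip() for p in op.split(",")]
        src_mem = MEM_RE.search(parts[-1])
        src = src_mem.group(1) if src_mem else parts[-1]
        if mn in ("call", "jmp"):               # is the branch target derived from the read?
            controls_branch = src in tainted
            break
        if mn == "mov" and len(parts) == 2:     # propagate taint through moves, kill on overwrite
            if src in tainted:
                tainted.add(parts[0])
            else:
                tainted.discard(parts[0])
    null_page = fault_addr < NULL_PAGE_LIMIT
    if controls_branch and not null_page:
        verdict = "PROBABLY_EXPLOITABLE: data from a mapped address reaches an indirect call"
    elif controls_branch:
        verdict = "null-page read feeds an indirect call: reliable crash, data not controllable"
    else:
        verdict = "read fault with no branch dependence: denial of service only"
    return {"fault_address": fault_addr, "null_page": null_page,
            "controls_code_flow": controls_branch, "verdict": verdict}

def triage_report():
    """Run the triage on the register state and disassembly from the report."""
    return triage(parse_registers(REGISTERS), parse_disasm(DISASM))
```

For this report the helper agrees with both parties: the loaded value does reach `call eax`, but it was read from address 0, so the classification should be downgraded to a reliable null-dereference crash.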