108709 2013-02-01 15:27:01 -0800 SVG DOM manipulation crash 2013-02-12 07:48:15 -0800 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 cdn schenney commit-queue fmalita inferno krit pdr schenney webkit.review.bot zimmermann oldest_to_newest 823346 0 186162 cdn 2013-02-01 15:27:01 -0800 Created attachment 186162 repro Originally filed by matthew@dempsky.org at https://crbug.com/171363 Chrome Version: 25.0.1364.36 Operating System: Ubuntu 10.04 URL (if applicable) where crash occurred: http://shinobi.dempsky.org/~matthew/misc/chrome-svg-crash.html Can you reproduce this crash? Yes, 100% reliable. What steps will reproduce this crash? (or if it's not reproducible, what were you doing just before the crash)? 1. Navigate to http://shinobi.dempsky.org/~matthew/misc/chrome-svg-crash.html 2. Click the left orange square. 3. Crash. The bug exists when there are multiple event handlers on a node in an SVG use tree and the first handler causes the tree to be rebuilt. The target of the event remains the now removed node from the original use tree. I am not certain that this is a security issue, but I suspect it is due to a heap-use-after-free scenario. Maybe the ref-counting on the target is enough to avoid the heap-use-after-free. It is NOT a security bug in the example because it is a Chrome mouse event handler that is second to be invoked, and Chrome cannot access a WebNode for the deleted node (it's null). 830246 1 187703 schenney 2013-02-11 15:47:01 -0800 Created attachment 187703 Patch 830312 2 187703 webkit.review.bot 2013-02-11 16:38:23 -0800 Comment on attachment 187703 Patch Clearing flags on attachment: 187703 Committed r142548: <http://trac.webkit.org/changeset/142548> 830313 3 webkit.review.bot 2013-02-11 16:38:26 -0800 All reviewed patches have been landed. Closing bug. 186162 2013-02-01 15:27:01 -0800 2013-02-01 15:27:01 -0800 repro url.txt text/plain 62 cdn aHR0cDovL3NoaW5vYmkuZGVtcHNreS5vcmcvfm1hdHRoZXcvbWlzYy9jaHJvbWUtc3ZnLWNyYXNo Lmh0bWw= 187703 2013-02-11 15:47:01 -0800 2013-02-11 16:38:23 -0800 Patch bug-108709-20130211184332.patch text/plain 2921 schenney SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDE0MjUzMikKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29y a2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBACisyMDEzLTAyLTExICBTdGVwaGVuIENoZW5uZXkg IDxzY2hlbm5leUBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgU1ZHIERPTSBtYW5pcHVsYXRpb24g Y3Jhc2gKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEw ODcwOQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFk ZGluZyBhIHRlc3QgZm9yIHRoZSBjYXNlIHdoZXJlIGFuIFNWRyA8dXNlPiB0cmVlIGlzIHJlYnVp bGQgZHVlIHRvCisgICAgICAgIG9uZSBldmVudCBsaXN0ZW5lciBhbmQgYSBzdWJzZXF1ZW50IGxp c3RlbmVyIHRyaWVzIHRvIGFjY2VzcyBpdC4gVGhpcworICAgICAgICBkb2VzIG5vdCBjcmFzaCBp biBXZWJLaXQgYnV0IGhhcyBjYXVzZWQgcHJvYmxlbXMgaW4gYnJvd3NlciBjb2RlIHdoZXJlCisg ICAgICAgIHRoZSBsaXN0ZW5lciB0cmllcyB0byBhY2Nlc3MgYW5kIHVzZSB0b05vZGUgb24gdGhl IHRhcmdldCBvZiB0aGUKKyAgICAgICAgZXZlbnQuIFRoZSB0ZXN0IHByZXZlbnRzIHJlZ3Jlc3Np b25zIGFuZCBnaXZlcyBhdXRvbWF0ZWQgc2VjdXJpdHkKKyAgICAgICAgdGVzdHMgc29tZXRoaW5n IHRvIHdvcmsgb24uCisKKyAgICAgICAgKiBzdmcvY3VzdG9tL3VzZS1saXN0ZW5lci1hcHBlbmQt Y3Jhc2gtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBzdmcvY3VzdG9tL3VzZS1saXN0 ZW5lci1hcHBlbmQtY3Jhc2guaHRtbDogQWRkZWQuCisKIDIwMTMtMDItMTEgIFJhZmFlbCBXZWlu c3RlaW4gIDxyYWZhZWx3QGNocm9taXVtLm9yZz4KIAogICAgICAgICBbSFRNTFRlbXBsYXRlRWxl bWVudF0gPHRlbXBsYXRlPiBpbnNpZGUgb2YgPGhlYWQ+IG1heSBub3QgY3JlYXRlIDxib2R5PiBp ZiBFT0YgaXMgaGl0CkluZGV4OiBMYXlvdXRUZXN0cy9zdmcvY3VzdG9tL3VzZS1saXN0ZW5lci1h cHBlbmQtY3Jhc2gtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL3N2Zy9j dXN0b20vdXNlLWxpc3RlbmVyLWFwcGVuZC1jcmFzaC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDAp CisrKyBMYXlvdXRUZXN0cy9zdmcvY3VzdG9tL3VzZS1saXN0ZW5lci1hcHBlbmQtY3Jhc2gtZXhw ZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCwwICsxIEBACitUZXN0IHJlLWFwcGVuZGluZyBh IHVzZSBub2RlIHdpdGggbXVsdGlwbGUgZXZlbnQgbGlzdGVuZXJzLCB0cmlnZ2VyZWQgYnkgdGhl IGZpcnN0IGxpc3RlbmVyLiBJZiBydW5uaW5nIG1hbnVhbGx5LCBjbGljayBvbiB0aGUgbGVmdCBz cXVhcmUuIFBhc3MgaWYgbm8gY3Jhc2ggYW5kIHRoZSB2aXNpYmxlIHJlc3VsdCBpcyBhbiBvcmFu Z2Ugc3F1YXJlIGxlZnQgb2YgYSBncmVlbiBzcXVhcmUuCkluZGV4OiBMYXlvdXRUZXN0cy9zdmcv Y3VzdG9tL3VzZS1saXN0ZW5lci1hcHBlbmQtY3Jhc2guaHRtbAo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlv dXRUZXN0cy9zdmcvY3VzdG9tL3VzZS1saXN0ZW5lci1hcHBlbmQtY3Jhc2guaHRtbAkocmV2aXNp b24gMCkKKysrIExheW91dFRlc3RzL3N2Zy9jdXN0b20vdXNlLWxpc3RlbmVyLWFwcGVuZC1jcmFz aC5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDI4IEBACis8IURPQ1RZUEUgaHRtbD4KKzxo dG1sPgorPHN2ZyB3aWR0aD04MCBoZWlnaHQ9NDA+CisgIDxkZWZzPgorICAgIDxyZWN0IGlkPSJz cXVhcmUiIHg9NCB5PTQgd2lkdGg9MzIgaGVpZ2h0PTMyIGZpbGw9b3JhbmdlPjwvcmVjdD4KKyAg PC9kZWZzPgorCisgIDx1c2UgaWQ9ImxlZnRTcXVhcmUiIHhsaW5rOmhyZWY9IiNzcXVhcmUiPjwv dXNlPgorICA8dXNlIHhsaW5rOmhyZWY9IiNzcXVhcmUiIHg9NDA+PC91c2U+Cis8L3N2Zz4KKwor PHNjcmlwdD4KKyAgCWlmICh3aW5kb3cudGVzdFJ1bm5lcikKKyAgICAgICAgdGVzdFJ1bm5lci5k dW1wQXNUZXh0KCk7CisKKyAgICBsZWZ0U3F1YXJlLmFkZEV2ZW50TGlzdGVuZXIoJ21vdXNlZG93 bicsIGZ1bmN0aW9uKCkgeyBsZWZ0U3F1YXJlLnBhcmVudE5vZGUuYXBwZW5kQ2hpbGQobGVmdFNx dWFyZSk7IH0pOworICAgIGxlZnRTcXVhcmUuYWRkRXZlbnRMaXN0ZW5lcignbW91c2Vkb3duJywg ZnVuY3Rpb24oKSB7IGxlZnRTcXVhcmUuaW5zdGFuY2VSb290LmNvcnJlc3BvbmRpbmdFbGVtZW50 LnNldEF0dHJpYnV0ZSgiZmlsbCIsICJncmVlbiIpOyB9KTsKKworICAgIGlmICh3aW5kb3cuZXZl bnRTZW5kZXIpIHsKKyAgICAgICAgZXZlbnRTZW5kZXIubW91c2VNb3ZlVG8oMjAsIDIwKTsKKyAg ICAgICAgZXZlbnRTZW5kZXIubW91c2VEb3duKCk7CisgICAgICAgIGV2ZW50U2VuZGVyLm1vdXNl VXAoKTsKKyAgICB9Cis8L3NjcmlwdD4KKzxwPlRlc3QgcmUtYXBwZW5kaW5nIGEgdXNlIG5vZGUg d2l0aCBtdWx0aXBsZSBldmVudCBsaXN0ZW5lcnMsIHRyaWdnZXJlZCBieSB0aGUgZmlyc3QgbGlz dGVuZXIuCisgIElmIHJ1bm5pbmcgbWFudWFsbHksIGNsaWNrIG9uIHRoZSBsZWZ0IHNxdWFyZS4K KyAgUGFzcyBpZiBubyBjcmFzaCBhbmQgdGhlIHZpc2libGUgcmVzdWx0IGlzIGFuIG9yYW5nZSBz cXVhcmUgbGVmdCBvZiBhIGdyZWVuIHNxdWFyZS48L3A+Cis8L2h0bWw+ClwgTm8gbmV3bGluZSBh dCBlbmQgb2YgZmlsZQo=