Bug 160470 (CVE-2016-4768)

Summary: ZDI-CAN-3852: Apple Safari HTMLVideoElement Use-After-Free Remote Code Execution Vulnerability
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: MediaAssignee: Eric Carlson <eric.carlson>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, darin, eric.carlson, jonlee, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Proposed patch.
ddkilzer: review+
Updated Patch. bfulgham: review+

David Kilzer (:ddkilzer)
Reported 2016-08-02 15:13:35 PDT
ZDI-CAN-3852: Apple Safari HTMLVideoElement Use-After-Free Remote Code Execution Vulnerability
Attachments
Proposed patch. (8.09 KB, patch)
2016-08-02 15:44 PDT, Eric Carlson 		ddkilzer: review+
DetailsFormatted DiffDiff
Updated Patch. (1.81 KB, patch)
2016-08-03 08:09 PDT, Eric Carlson 		bfulgham: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2016-08-02 15:13:44 PDT
<rdar://problem/27313234>
Eric Carlson
Comment 2 2016-08-02 15:44:38 PDT
Created attachment 285151 [details] Proposed patch.
David Kilzer (:ddkilzer)
Comment 3 2016-08-02 15:51:19 PDT
Comment on attachment 285151 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=285151&action=review r=me > Source/WebCore/html/track/AudioTrack.cpp:170 > + ASSERT(element()); Did you mean to do this instead? Maybe it doesn't matter. ASSERT(mediaElement()); > LayoutTests/ChangeLog:4 > + Need a short description (OOPS!). > + Need the bug URL (OOPS!). Oops! Copy and paste title and URL from Source/WebCore/ChangeLog.
Eric Carlson
Comment 4 2016-08-02 15:57:37 PDT
Comment on attachment 285151 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=285151&action=review >> Source/WebCore/html/track/AudioTrack.cpp:170 >> + ASSERT(element()); > > Did you mean to do this instead? Maybe it doesn't matter. > > ASSERT(mediaElement()); They are functionally equivalent, but your suggestion is semantically correct. Fixed. >> LayoutTests/ChangeLog:4 >> + Need the bug URL (OOPS!). > > Oops! Copy and paste title and URL from Source/WebCore/ChangeLog. OOPS! Fixed.
Eric Carlson
Comment 5 2016-08-02 16:05:35 PDT
Committed r204050: https://trac.webkit.org/r204050
Darin Adler
Comment 6 2016-08-02 19:32:07 PDT
There is a mistake in this patch. The call to clearElement in TrackListBase::~TrackListBase will not call TextTrackList::clearElement, because as part of the destruction process we have already turned the TextTrackList into a TrackListBase.
Darin Adler
Comment 7 2016-08-02 19:34:34 PDT
Comment on attachment 285151 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=285151&action=review > Source/WebCore/html/track/AudioTrack.cpp:172 > + if (mediaElement()) > + mediaElement()->removeAudioTrack(*this); I do not understand why we are adding this null check as part of this patch. I don’t see the relevance. If the media element can be null, then the assertion is incorrect. If it can’t, then it seems peculiar to add the code as part of this security fix that we would like to keep as simple and minimal as possible. > Source/WebCore/html/track/TrackListBase.cpp:49 > + clearElement(); This will not call TextTrackList::clearElement. We will have to do something in ~TextTrackList if we want to be sure that code runs when destroying the text track list because by the time this destructor is called, the virtual table will be the one from TrackListBase.
Eric Carlson
Comment 8 2016-08-03 08:09:11 PDT
Comment on attachment 285151 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=285151&action=review >> Source/WebCore/html/track/AudioTrack.cpp:172 >> + mediaElement()->removeAudioTrack(*this); > > I do not understand why we are adding this null check as part of this patch. I don’t see the relevance. > > If the media element can be null, then the assertion is incorrect. If it can’t, then it seems peculiar to add the code as part of this security fix that we would like to keep as simple and minimal as possible. Agreed, it isn't necessary. >> Source/WebCore/html/track/TrackListBase.cpp:49 >> + clearElement(); > > This will not call TextTrackList::clearElement. We will have to do something in ~TextTrackList if we want to be sure that code runs when destroying the text track list because by the time this destructor is called, the virtual table will be the one from TrackListBase. Fixed.
Eric Carlson
Comment 9 2016-08-03 08:09:25 PDT
Created attachment 285231 [details] Updated Patch. Add
Brent Fulgham
Comment 10 2016-08-03 11:11:03 PDT
Comment on attachment 285231 [details] Updated Patch. Looks good! r=me.
Eric Carlson
Comment 11 2016-08-03 11:19:42 PDT
Committed r204089: https://trac.webkit.org/r204089
Note You need to log in before you can comment on or make changes to this bug.