Bug 108709 - SVG DOM manipulation crash
Summary: SVG DOM manipulation crash
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: Unspecified, OS: Unspecified
Importance: P2 Normal
Assignee: Stephen Chenney
Depends on:
Reported: 2013-02-01 15:27 PST by Cris Neckar
Modified: 2013-02-12 07:48 PST
CC: 8 users

See Also:

Attachments:
repro (62 bytes, text/plain), 2013-02-01 15:27 PST, Cris Neckar
Patch (2.85 KB, patch), 2013-02-11 15:47 PST, Stephen Chenney

Description Cris Neckar 2013-02-01 15:27:01 PST
Created attachment 186162 (repro)

Originally filed by matthew@dempsky.org at https://crbug.com/171363

Chrome Version: 25.0.1364.36
Operating System: Ubuntu 10.04

URL (if applicable) where crash occurred: http://shinobi.dempsky.org/~matthew/misc/chrome-svg-crash.html

Can you reproduce this crash? Yes, 100% reliable.

What steps will reproduce this crash? (Or, if it's not reproducible, what were you doing just before the crash?)

1. Navigate to http://shinobi.dempsky.org/~matthew/misc/chrome-svg-crash.html
2. Click the left orange square.
3. Crash.

The bug exists when there are multiple event handlers on a node in an SVG use tree and the first handler causes the tree to be rebuilt. The target of the event remains the now removed node from the original use tree. I am not certain that this is a security issue, but I suspect it is due to a heap-use-after-free scenario. Maybe the ref-counting on the target is enough to avoid the heap-use-after-free.

It is NOT a security bug in the example because it is a Chrome mouse event handler that is second to be invoked, and Chrome cannot access a WebNode for the deleted node (it's null).
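The pattern the report describes, written out as an added illustration. This is not the repro attachment (whose contents are not on this page) and not WebKit or Chrome code: two click listeners on the same use element, the first forcing the use shadow tree to be rebuilt by changing its href, the second inspecting what event.target still refers to after that rebuild. The element ids (boxA, boxB, u) and the log output are arbitrary choices for the example. An engine that handles the rebuild correctly keeps the target alive or retargets it to the use host, so the second handler reports a connected node; an engine with the defect described above would be handing that handler a node that has already been torn down.

```html
<!doctype html>
<meta charset="utf-8">
<title>SVG use-tree rebuild inside an event handler (constructed example)</title>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <defs>
    <rect id="boxA" width="80" height="80" fill="orange"/>
    <rect id="boxB" width="80" height="80" fill="steelblue"/>
  </defs>
  <!-- The square you click is a shadow-tree clone of #boxA owned by the <use>. -->
  <use id="u" href="#boxA" x="10" y="10"/>
</svg>
<pre id="log"></pre>
<script>
  // Constructed example, not the attachment from the bug report. It follows
  // the pattern the report describes: two listeners on one node of an SVG use
  // tree, the first of which causes the use tree to be rebuilt.
  const use = document.getElementById('u');
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };

  // Handler 1: point the <use> at a different element. Engines rebuild the use
  // shadow tree when href changes, so the clone that was hit-tested for this
  // click is discarded while the event is still being dispatched.
  use.addEventListener('click', () => {
    const next = use.getAttribute('href') === '#boxA' ? '#boxB' : '#boxA';
    use.setAttribute('href', next);
    log('handler 1: rebuilt use tree, now referencing ' + next);
  });

  // Handler 2: runs on the same dispatch, after the rebuild. Record what the
  // event target is and whether it is still attached to a live tree, so a
  // regression shows up in the log instead of only as a crash.
  use.addEventListener('click', (ev) => {
    const t = ev.target;
    log('handler 2: target=' + t.nodeName +
        ' connected=' + t.isConnected +
        ' root=' + (t.getRootNode() === document ? 'document' : 'shadow tree'));
  });
</script>
```

Open the page, click the orange square, and read the pre element. Browsers of the 2013 vintage discussed here only honoured xlink:href on use, so the same page against an old engine needs the attribute written as xlink:href and set through setAttributeNS with the XLink namespace; current engines accept plain href.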
Comment 1 Stephen Chenney 2013-02-11 15:47:01 PST
Created attachment 187703 (Patch)
Comment 2 WebKit Review Bot 2013-02-11 16:38:23 PST
Comment on attachment 187703

Clearing flags on attachment: 187703

Committed r142548: <http://trac.webkit.org/changeset/142548>
Comment 3 WebKit Review Bot 2013-02-11 16:38:26 PST
All reviewed patches have been landed. Closing bug.