Issue 122: Chrome crashes on about:%
17 people starred this issue and may be notified of changes.
Product Version: 0.2.149.27 (1583)
URLs (if applicable): about:%
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
    Safari 3:
    Firefox 3:
    IE 7:

What steps will reproduce the problem?
1. type about:% in the address bar
2.
3.

What is the expected result? What happens instead?

Please provide any additional information below. Attach a screenshot if possible.

Sep 02, 2008
Confirmed, it crashed the entire browser, not only the tab.

Sep 02, 2008
Gears also crashes on the URL test:%

Sep 02, 2008
Confirmed, browser crashed with message "Whoa! Google Chrome has crashed. Restart now?". Also does the same thing if you type :% into the URL. You do not need to press Enter afterwards either. As soon as I enter %, it crashes. Win 2k3 R2

Sep 02, 2008
Confirmed

Sep 02, 2008
Confirmed.

Sep 02, 2008
Confirmed.

Sep 02, 2008
Another confirmation. Pasting about:%% and variations does not cause a crash.

Sep 02, 2008
I am able to repro this as well. Here is the call stack:

ChildEBP RetAddr
0012e398 015e0f01 chrome_1000000!PureCall+0x3 [c:\b\slave\chrome-official\build\src\chrome\app\chrome_main.cc @ 89]
0012e3b0 0100829c chrome_1000000!_invalid_parameter_noinfo+0xc [f:\sp\vctools\crt_bld\self_x86\crt\src\invarg.c @ 99]
0012e3b8 012a5a82 chrome_1000000!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator[]+0xd [c:\b\slave\chrome-official\build\src\third_party\platformsdk_vista_6_0\files\vc\include\xstring @ 1564]
0012e3dc 012a5c8f chrome_1000000!`anonymous namespace'::UnescapeURLImpl+0x63 [c:\b\slave\chrome-official\build\src\net\base\escape.cc @ 146]
0012e43c 015581d4 chrome_1000000!UnescapeAndDecodeURLComponent+0x3c [c:\b\slave\chrome-official\build\src\net\base\escape.cc @ 250]
0012e488 01558319 chrome_1000000!gfx::AppendFormattedComponent+0x32 [c:\b\slave\chrome-official\build\src\chrome\common\gfx\url_elider.cc @ 372]
0012e510 015571f9 chrome_1000000!gfx::GetCleanStringFromUrl+0x108 [c:\b\slave\chrome-official\build\src\chrome\common\gfx\url_elider.cc @ 420]
0012eb7c 0116f406 chrome_1000000!gfx::ElideUrl+0x5d [c:\b\slave\chrome-official\build\src\chrome\common\gfx\url_elider.cc @ 298]
0012ebd4 011e7c60 chrome_1000000!AutocompleteProvider::StringForURLDisplay+0x71 [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete.cc @ 411]
0012ed44 011e8a1d chrome_1000000!HistoryURLProvider::SuggestExactInput+0x133 [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\history_url_provider.cc @ 256]
0012edc4 011e736f chrome_1000000!HistoryURLProvider::RunAutocompletePasses+0x5e [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\history_url_provider.cc @ 626]
0012edd4 0116fd69 chrome_1000000!HistoryURLProvider::Start+0x1c [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\history_url_provider.cc @ 79]
0012ee90 0125432e chrome_1000000!AutocompleteController::Start+0x6b [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete.cc @ 593]
0012ef30 011df29d chrome_1000000!AutocompletePopup::StartAutocomplete+0xc3 [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_popup.cc @ 294]
0012ef80 011de74f chrome_1000000!AutocompleteEdit::UpdatePopup+0xd1 [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.cc @ 2056]
0012efe0 011ddfad chrome_1000000!AutocompleteEdit::OnAfterPossibleChange+0x1da [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.cc @ 1704]
0012eff8 011db466 chrome_1000000!AutocompleteEdit::HandleKeystroke+0x4c [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.cc @ 1401]
0012f028 011e017a chrome_1000000!AutocompleteEdit::ProcessWindowMessage+0x6a [c:\b\slave\chrome-official\build\src\chrome\browser\autocomplete\autocomplete_edit.h @ 302]
0012f078 7e418734 chrome_1000000!ATL::CWindowImplBaseT<WTL::CRichEditCtrlT<ATL::CWindow>,ATL::CWinTraits<1342177664,0> >::WindowProc+0x42 [c:\program files\microsoft visual studio 8\vc\atlmfc\include\atlwin.h @ 3078]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f0a4 7e418816 USER32!GetDC+0x6d
0012f10c 7e41c63f USER32!GetDC+0x14f
0012f13c 7e41c665 USER32!IsWindowUnicode+0xa1
0012f15c 0156531a USER32!CallWindowProcW+0x1b
0012f218 7e418734 chrome_1000000!ChromeViews::FocusWindowCallback+0x112 [c:\b\slave\chrome-official\build\src\chrome\views\focus_manager.cc @ 212]
0012f244 7e418816 USER32!GetDC+0x6d
0012f2ac 7e4189cd USER32!GetDC+0x14f
0012f30c 7e418a10 USER32!GetWindowLongW+0x127
0012f31c 015628ff USER32!DispatchMessageW+0xf
0012f334 010092b2 chrome_1000000!ChromeViews::AcceleratorHandler::Dispatch+0x4a [c:\b\slave\chrome-official\build\src\chrome\views\accelerator_handler.cc @ 58]
0012f34c 01008aab chrome_1000000!MessageLoop::ProcessMessageHelper+0x61 [c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 459]
0012f384 010089fc chrome_1000000!MessageLoop::RunTraditional+0x2b [c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 242]
0012f438 01008938 chrome_1000000!MessageLoop::RunInternal+0xbc [c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 228]
0012f478 0112f096 chrome_1000000!MessageLoop::RunHandler+0x5a [c:\b\slave\chrome-official\build\src\base\message_loop.cc @ 198]
0012f5dc 0100373d chrome_1000000!BrowserMain+0xb08 [c:\b\slave\chrome-official\build\src\chrome\browser\browser_main.cc @ 503]
0012f84c 00402837 chrome_1000000!ChromeMain+0x618 [c:\b\slave\chrome-official\build\src\chrome\app\chrome_main.cc @ 280]
0012fc84 00402bdb chrome!google_update::GoogleUpdateClient::Launch+0x11a [c:\b\slave\chrome-official\build\src\chrome\app\google_update_client.cc @ 197]
0012ff28 00422981 chrome!wWinMain+0x158 [c:\b\slave\chrome-official\build\src\chrome\app\main.cc @ 96]
0012ffc0 7c816fd7 chrome!__tmainCRTStartup+0x176 [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]
0012fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49

Status: Untriaged
Cc: niran...@chromium.org
Labels: -Pri-2 -Area-Unknown Pri-1 Area-BrowserUI

Sep 02, 2008
(No comment was entered for this change.)
Owner: bre...@chromium.org
Cc: -niran...@chromium.org

Sep 02, 2008
(a50.62c): Break instruction exception - code 80000003 (!!! second chance !!!)
eax=01002ff0 ebx=0012e450 ecx=01002ff0 edx=7c90e4f4 esi=0012e450 edi=00000002
eip=01002ff3 esp=0012e398 ebp=0012e398 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
chrome_1000000+0x2ff3:
01002ff3 cc              int     3

disassembly
01002ff0 55              push    ebp
01002ff1 8bec            mov     ebp,esp
01002ff3 cc              int     3
01002ff4 5d              pop     ebp
01002ff5 c3              ret

looks like some debug assert

Sep 02, 2008
Unescaping has an out of bounds issue

    if (escaped_text[i] == '%' && i < max_digit_index) {
      const std::string::value_type most_sig_digit(escaped_text[i + 1]);   <-- bang!
      const std::string::value_type least_sig_digit(escaped_text[i + 2]);

i + 1 = 1 and the string is just "%"

Actually I am seeing a bunch of issues here.

Sep 02, 2008
(No comment was entered for this change.)
Labels: Security

Sep 02, 2008
This is a reproducible crash, but doesn't look exploitable.
Status: Assigned
Labels: -Area-BrowserUI Area-BrowserBackend

Sep 02, 2008
If you create a hyperlink using about:% the browser crashes on mouse hover.

Sep 02, 2008
(No comment was entered for this change.)

Sep 03, 2008
http://codereview.chromium.org/408

Sep 03, 2008
Removing security label, this is an unfortunate browser crash, but it shouldn't be exploitable beyond an annoyance.
Labels: -Security

Sep 03, 2008
Actually, this is the problem code:

    for (size_t i = 0, max = escaped_text.size(), max_digit_index = max - 2;
         i < max; ++i) {
      if (escaped_text[i] == '%' && i < max_digit_index) {

max_digit_index underflows, causing the 'i < max_digit_index' test to be true when it shouldn't.

    for (size_t i = 0, max = escaped_text.size(), max_digit_index = (max > 1 ? max - 2 : 0);
         i < max; ++i) {
      if (escaped_text[i] == '%' && i < max_digit_index) {

Would work as far as I can see.
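The two analyses above (the read of escaped_text[i + 1] past the end of a one-character string, and the size_t underflow of max_digit_index that lets the loop reach it) in runnable form. This is an added example written for this page, not Chromium's escape.cc: the decoder is a stripped-down stand-in (every valid %XX becomes one byte, anything else is copied through), and the names VulnerableBound, UnescapeFixed, BoundCheck and HexValue are hypothetical. The vulnerable bound is simulated, recording the index the original loop would read, so the example itself never reads out of bounds; the hardened loop uses the clamped bound suggested in the comment above.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Added example, not Chromium code. Reproduces only the loop bounds quoted in
// the bug thread: max_digit_index = max - 2 with max = escaped_text.size().

namespace {

// Hypothetical helper: value of one hex digit, or -1 if c is not hex.
int HexValue(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

}  // namespace

// What the vulnerable bound evaluates to, and the highest index the loop would
// then read. Simulated rather than performed so this example stays in bounds.
struct BoundCheck {
  size_t max_digit_index;     // max - 2, computed in size_t
  size_t highest_index_read;  // largest escaped_text[] index the loop touches
  bool reads_past_end;        // highest_index_read >= escaped_text.size()
};

BoundCheck VulnerableBound(const std::string& escaped_text) {
  size_t max = escaped_text.size();
  BoundCheck r{max - 2, 0, false};  // wraps to ~SIZE_MAX when max < 2
  for (size_t i = 0; i < max; ++i) {
    if (escaped_text[i] == '%' && i < r.max_digit_index) {
      // The original code reads escaped_text[i + 1] and [i + 2] here.
      r.highest_index_read = i + 2;
      if (r.highest_index_read >= max) r.reads_past_end = true;
    }
  }
  return r;
}

// Hardened loop: the bound is clamped at 0 when there is no room for two hex
// digits after a '%', so a trailing "%" or "%4" is copied through literally.
std::string UnescapeFixed(const std::string& escaped_text) {
  std::string result;
  size_t max = escaped_text.size();
  size_t max_digit_index = (max > 1 ? max - 2 : 0);
  for (size_t i = 0; i < max; ++i) {
    if (escaped_text[i] == '%' && i < max_digit_index) {
      int hi = HexValue(escaped_text[i + 1]);
      int lo = HexValue(escaped_text[i + 2]);
      if (hi >= 0 && lo >= 0) {
        result.push_back(static_cast<char>((hi << 4) | lo));
        i += 2;  // skip the two digits just consumed
        continue;
      }
    }
    result.push_back(escaped_text[i]);  // not an escape: copy through
  }
  return result;
}
```

VulnerableBound("%") reports a bound of SIZE_MAX and a read at index 2 of a one-byte string, which is the read the call stack above shows dying inside std::string::operator[]. For "%%" the bound is 0 and the loop never enters the escape branch, matching the observation earlier in the thread that about:%% does not crash.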

Sep 03, 2008
Having about:% in your clipboard and right-clicking the address bar will also cause Chrome to crash.

Sep 03, 2008
I can reproduce this. It also makes Chrome crash if you type "anything:%", so there's definitely something wrong.

Sep 03, 2008
Confirmed.

Sep 03, 2008
Reproduced on two different laptops.

Sep 03, 2008
Only happens when % is the first character after :, which means about: % works just fine.

Sep 03, 2008
Confirmed too.

Sep 03, 2008
Date: Wed Sep 3 09:05:52 2008
New Revision: 1677
Log: Fix an out of band read when parsing a URL component of just "%". The calculation of max_digit_index is unsigned, and was underflowing when max was less than 2.
BUG=122
Modified:
  trunk/src/net/base/escape.cc
  trunk/src/net/base/escape_unittest.cc
Status: Fixed

Sep 03, 2008
I find it interesting that this takes down the whole browser if the whole premise of having a separate process for each tab is that a misbehaving tab wouldn't crash the whole application. Can anyone explain why this is? Can it be more robust?

Sep 03, 2008
Confirmed, you can simply type :% and Chrome crashes.

Sep 03, 2008
@togniolli: Good question, I'm interested to know about this as well!

Sep 03, 2008
"Time" can definitely play a major role. There was a collision that occurred because I took time to find the real break point in the code, search for a template and publish at the EvilFingers site before sending it to Google and other bugtraqs. Even though I had the vulnerability 4 hrs well before the real publication of the bug, and had the exploit along with some crash details like the "int 3" Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp and further debug logs, this bug was published (though without the details of possible cases, exceptions and mouse hover techniques) a couple of hours before I released it at EvilFingers. So, I would like to convey due credit to Mr. JanDeMooij as well for posting the bug on http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same.

Sep 03, 2008
Confirmed.

Sep 03, 2008
Chrome: browser crash... go boom!
Firefox 3.0.1: no crash
IE: no crash

Sep 03, 2008
I can confirm this on Windows XP SP3, Official Build 1583, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13, but it simply crashes and does not even show any "Whoa!"

Sep 04, 2008
At line 153 in url_utils.cc (http://code.google.com/p/gears/source/browse/trunk/gears/base/common/url_utils.cc) it looks like this file has the same error.

Sep 04, 2008
Confirm.

Sep 04, 2008
I can confirm that by setting this as my home page URL and closing Chrome, I have made the application completely unusable. Why did I do that.

Sep 04, 2008
Confirm.

Sep 04, 2008
Guys please stop confirming this. A fix is already committed.

Sep 04, 2008
msuiche: Thanks for noticing the other occurrence of this. I've alerted the Gears folks.

Sep 04, 2008
Confirmed.

Sep 04, 2008
Confirmed.

Sep 04, 2008
Confirmed.

Sep 04, 2008
All other browsers survived and did not crash like Chrome. Firefox and IE7 gave a bad URL error.

Sep 04, 2008
I think we all now know that this bug is real and that other browsers don't have it. The status has already been updated by the Chrome team ***and it is obviously fixed*** in the current development SVN version. Please, no more "Confirmed" messages; it messes up my e-mail account because I want to get the real status updates.

Sep 04, 2008
Isn't there a way to close this thread, so people can't confirm it anymore?

Sep 05, 2008
CONFIRMED

Sep 05, 2008
Verified in build 0.2.149.28, bug has been fixed.
Status: Verified

Sep 05, 2008
Answering the question asked by togniolli in comment 26: the whole browser crashes because URL parsing is shared by the 'rendering engine' and the 'browser kernel'. You can confirm that in the following document: The Security Architecture of Chromium, Adam Barth, Collin Jackson, Charles Reis, and The Google Chrome Team, Technical Report. The document is available here: http://crypto.stanford.edu/websec/chromium/ The information I mentioned can be found on page 4. I think that any issues related to URL parsing and Unicode parsing can cause a browser crash like this one.

Sep 06, 2008
I made several tests at protocol handler level, and this issue affects multiple protocols:
  data:%
  disks: no
  news:%
  snews:%
  ms:%
  nntp: not affected.
  mailto:%
  radio:
  vdm:%
  javascript:%
  vbscript:%
But the protocol handler is not needed: if we put :% in the URL, this crashes the browser, and it is not probable that anyone can find a vector to attack protocol handlers, because it is not at the protocol level.

Sep 07, 2008
(No comment was entered for this change.)
Owner: de...@chromium.org

Sep 08, 2008
Doesn't crash! None of the regular browsers, FFOX 3.0, IE7 and even Chrome.

Sep 08, 2008
I could not find any problem when I typed about:% in the URL bar...

Sep 08, 2008
@sarangan12 that is because the issue has been fixed and pushed to users, so if your about:version shows 149.29 you are not affected anymore.

Sep 16, 2008
I just typed «:%» into the address bar of an empty tab, and the browser immediately crashed, but restarted automatically, and all tabs save the offending one could be restored. This in the CrossOver Chromium version of the browser, running on 64-bit Ubuntu Hardy.... Henri

Sep 17, 2008
Typing «:%» into the address bar resolved to: "http://xn--iba/ ??? Vista, 32 bit, Official Build 1798

Nov 03, 2008
Problem in Orkut: the send-to-all script is not working in Chrome.

Jan 29, 2009
Issue 1108 has been merged into this issue.