| Issue 40487: | <video> inside <foreignObject> inside <svg> inside <img> --> crash | |
| 1 person starred this issue and may be notified of changes. | Back to list |
Sign in to add a comment
|
data:text/html;charset=utf-8,<img src="http://home.comcast.net/ ~davidbloom120/video3.svg"> You probably never expected to see a <video> inside an <img>, did you? :-) Crashes Chrome 5.0.366.2 on Linux, and 4.1.249.1045 on Windows XP.
,
Apr 5, 2010
bug confirmed. i see a tab crash (aw! snap). looking into this. affects v4.1 stable too.
,
Apr 5, 2010
Yeah, crashes on trunk too. At first glance it looks like we're not checking for a NULL client returned from WebFrameImpl::fromFrame() in WebKit::createWebMediaPlayer().
,
Apr 5, 2010
null pointer check not happening properly in
d:\chromium\src\third_party\WebKit\WebKit\chromium\src\WebMediaPlayerClientImpl.cpp.
static WebMediaPlayer* createWebMediaPlayer(
WebMediaPlayerClient* client, Frame* frame)
,
Apr 5, 2010
Me and Justin jumped on this at the same time. race condition. let me break the deadlock to assigning this to Justin :)
Status: Assigned
Owner: jsc...@chromium.org Cc: -jsc...@chromium.org
,
Apr 5, 2010
Hmm. Yeah, my guess was that the weird context would result in some object missing and a NULL. So glad it's not too serious. We could just fix the NULL, of course. But the whole foreignObject thing scares me when an <svg> is an <img> tag. Can we just close it off for the <img> context?
,
Apr 6, 2010
This is an easy fix, but it's relatively minor and I want to get bug 39985 wrapped before I start mucking with my WebKit build. So, I'm going to punt this out a bit.
Labels: -Pri-0 -Area-Undefined Pri-2 Area-WebKit Mstone-5-b3 SecSeverity-Low
,
Apr 6, 2010
Unfortunately, it turns out that running the below repro 20 times results in a number of crashes, some of which exploitable: Repro: <IFRAME src='data:text/html;charset=utf-8,<img src="http://home.comcast.net/~davidbloom120/video3.svg">'></IFRAME> Crashes: 8 * WebKit::WebMediaPlayerClientImpl::load ReadAV@NULL (c2139f3c521c543943009e2a100ba6d7) Attempt to read from NULL pointer (+0xC0) in WebKit::WebMediaPlayerClientImpl::load 1 * WebKit::WebMediaPlayerClientImpl::load ReadAV@Arbitrary (c2139f3c521c543943009e2a100ba6d7) Security: Attempt to read from arbitrary memory @ 0x2DD6831F in WebKit::WebMediaPlayerClientImpl::load 11 * WebKit::WebMediaPlayerClientImpl::load ExecAV@Arbitrary (8e9c3a357206b76fe779a8d96954345c) Security: Attempt to execute non-executable arbitrary memory @ 0x56097401 in WebKit::WebMediaPlayerClientImpl::load Details are attached.
Labels: -Pri-2 -SecSeverity-Low Pri-0 SecSeverity-High
,
Apr 8, 2010
The problem is a bad cast in WebFrameImpl::fromFrame(). The m_frame->m_loader-
>m_client member variable points to an EmptyFrameLoaderClient. However, in the below
code it's being cast to a FrameLoaderClientImpl:
if (!frame)
return 0;
return static_cast<FrameLoaderClientImpl*>(frame->loader()->client())-
>webFrame();
I'm not sure how to determine what type the returned FrameLoaderClient is, but once I
work that out it should be roughly a two-line fix.
Marking M5 since it's a code execution bug.
Labels: -Pri-0 -Mstone-5-b3 Pri-1 Mstone-5
,
Apr 9, 2010
Eric, after some discussion with Adam it looks like the best solution here is to disable media elements for an svg used as an image src. Is this something you could knock out quickly, or any background you can give that would save me some time fixing it?
Cc: esei...@chromium.org
,
Apr 9, 2010
Is that the right fix? Images (svg:image or html:img) within SVG do resource loading too. Why don't they trip over the same code path and do the bad cast on the fake loader?
,
Apr 9, 2010
I don't have the call stack in front of me right now, but the problem seems to be that the media player context hands back a frame when no frame should exist. Images don't appear to have that problem. Also, logically a media stream shouldn't be rendering inside a static image. At least, that's my take.
,
Apr 9, 2010
gif images aren't static, so I see no problem with a media stream being rendered in an image (unless this causes a crash :D). The files in comment 8 contain stacks for the 3 crashes I saw, maybe they can help?
,
Apr 9, 2010
My personal preference would be to disable audio for content within an <img>. I think that would line up best with web developer expectations for what an <img> can do and what it can't.
,
Apr 9, 2010
Forgot to point to the upstream bug: https://bugs.webkit.org/show_bug.cgi?id=37331
,
Apr 9, 2010
@skylined - I always viewed animated gifs as violating the intent of the Image element. But I'm probably just too pedantic on this. However, I agree that we definitely don't want audio playing in this case, even if the decision is to allow video.
,
Apr 9, 2010
A couple of questions come to mind: 1) Since HTML can be embedded in SVG and vice-versa, you'd have to block everything that can create sounds - is that practical? 2) Can you inject script this way? 3) How do we handle plugins such as flash when embedded in HTML in SVG in an IMG tag? How deep does this rabbit hole go?
,
Apr 9, 2010
@skylined - I'm not sure this is the bug for these questions since SVG img elements have been supported for a while. However, as I understand it the answers are: 1) This should be resolved by whatever context is passed down in the fake frame created for the SVG in the image element. 2) No. 3) No plugins.
,
Apr 9, 2010
@skylined, #17 2) No, it should be taken care of. 3) Plugins are disabled.
,
Apr 9, 2010
Not a very deep rabbit hole then :). I've added embedded SVG to my HTML generator and embedded HTML to my SVG generator - hopefully my fuzzers will find out if there are more such bugs.
,
Apr 13, 2010
So, we currently don't support any form of animation in an SVG used as an image source. The startAnimation(), stopAnimation() and resetAnimation() methods aren't implemented on SVGImage, and frameAtIndex() returns NULL. (FWIW, Opera--the only other browser handling inline SVG images--doesn't appear to support animation either.) So, killing video entirely in an SVG image seems like the best approach. I'm just trying to figure out exactly how to do it best. Eric, any assistance you can provide would be extremely helpful.
,
Apr 13, 2010
data:text/html;charset=utf-8,<img src="http://brian.sol1.net/svg/tests/frozen-to- animation.svg"> It looks like you still support SMIL animations inside <IMG>
,
Apr 13, 2010
Weird. I looked at GIF animations, which do not work inside an SVG img element. SMIL must generate the animation in a different way than images do. Anyway, the best thing still seems to be disabling HTMLMediaElement inside an SVGImage. The HTMLMediaElement doesn't seem to follow normal loading mechanisms, and I don't see how it can reasonably be hooked into the dummy contexts created for an SVGImage. It's entirely possible I'm wrong, and I'd much rather someone more familiar with this code take a look. However, that's my take so far.
,
Apr 15, 2010
I have a WebKit patch up for review that safely disables HTMLMedia in SVGImage. Assuming that gets in, I'll file a feature request to make HTMLMedia and animated GIFs work. Once the important code is actually written, it would be a one-line change in SVGImage to turn it on.
,
Apr 20, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=45141
------------------------------------------------------------------------
r45141 | jschuh@chromium.org | 2010-04-20 18:27:09 -0700 (Tue, 20 Apr 2010) | 17 lines
Changed paths:
A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/media/svg-as-image-with-media-blocked-expected.txt
A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/media/svg-as-image-with-media-blocked.html
M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/dom/make_names.pl?r1=45141&r2=45140
M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/page/Settings.cpp?r1=45141&r2=45140
M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/page/Settings.h?r1=45141&r2=45140
M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/svg/graphics/SVGImage.cpp?r1=45141&r2=45140
Merge 57922 - 20100420 Justin Schuh <jschuh@chromium.org>
Reviewed by Adam Barth.
Invalid cast due to <video> inside <foreignObject> inside <svg> inside <img>
https://bugs.webkit.org/show_bug.cgi?id=37331
Added a setting to enable/disable media perpage and have the SVGImage
disable media for its dummy page. Also found and fixed a related bad
cast in the V8 bindings (JSC had a custom wrapper for this already).
Tests: media/svgasimagewithmediablocked.html
BUG=40487
TBR=japhet@chromium.org
Review URL: http://codereview.chromium.org/1696004
------------------------------------------------------------------------
,
Apr 20, 2010
Fixed on WebKit trunk: http://trac.webkit.org/changeset/57922 Merged to 249 stable: http://src.chromium.org/viewvc/chrome?view=rev&revision=45130 Merged to 375 branch: http://src.chromium.org/viewvc/chrome?view=rev&revision=45141 Keeping unreleased since we can't 0-day WebKit.
,
Apr 20, 2010
(No comment was entered for this change.)
Status: FixUnreleased
,
May 18, 2010
Was fixed in 4.1.249.1064 Releasing contrary to #c26 because the bad cast triggered here is specific to code in the Chromium bindings.
Status: Fixed
Labels: -Restrict-View-SecurityTeam
,
Mar 21, 2011
(No comment was entered for this change.)
Labels: Type-Security
,
Oct 4, 2011
Batch update.
Labels: SecImpacts-Stable
|
||||||||||||||||
| ► Sign in to add a comment | |||||||||||||||||
![http://home.comcast.net/~davidbloom120/video3.svg">'></IFRAME>](http://home.comcast.net/~davidbloom120/video3.svg">'></IFRAME>){kind=link}
Cc: infe...@chromium.org jsc...@chromium.org