Issue 50403: cross_fuzz: overwriting object.toString can cause NULL pointers when using the object as an argument to a WebKit method
Status:  Available
Owner:  ----
Cc:  jsc...@chromium.org, jap...@chromium.org

Blocking:
issue 50071


Reported by skylined@chromium.org, Jul 27, 2010
Repro:
<script>
  var anyConstructor = Object.constructor; // any constructor seems to work
  anyConstructor.toString = "";
  var emptyTextNode = document.createTextNode();
  emptyTextNode.replaceData(window, anyConstructor, window);
</script>
This code triggers a NULL pointer crash. I've not investigated further.

Attachments: details.html (242 KB), repro.html (236 bytes)
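An added example in plain JavaScript (not part of the report, and not Chromium or WebKit code) modelling the string conversion a DOM binding performs on each argument: ECMAScript ToPrimitive tries toString, then valueOf, and throws a TypeError when neither is callable and returns a primitive, which is exactly the state the repro creates. The defensive version reports the failure instead of proceeding; the assumption here is that the crashing binding used the conversion result without such a check. Function names convertArgument, convertArguments and the constructed inputs are hypothetical.

```javascript
// Convert one argument the way a binding should: report failure instead of
// proceeding with a value that does not exist.
function convertArgument(value) {
  try {
    return { ok: true, value: String(value) };
  } catch (e) {
    // e.g. "TypeError: Cannot convert object to primitive value"
    return { ok: false, error: e.name };
  }
}

// Same check over a whole argument list: stop at the first argument that
// cannot be converted, mirroring an early return in native binding code.
function convertArguments(args) {
  const out = [];
  for (const a of args) {
    const r = convertArgument(a);
    if (!r.ok) return { ok: false, index: out.length, error: r.error };
    out.push(r.value);
  }
  return { ok: true, values: out };
}

// Constructed input modelling the first repro: the object's own toString is
// replaced with a non-callable value (anyConstructor.toString = "").
function brokenToStringObject() {
  const o = {};
  o.toString = ""; // not callable; valueOf then returns the object itself
  return o;
}

// Constructed input modelling the second repro: toString is clobbered on
// the prototype chain (({}).constructor.prototype.toString = 0).
function brokenPrototypeObject() {
  function Ctor() {}
  Ctor.prototype.toString = 0; // every instance now lacks a callable toString
  return new Ctor();
}

// A well-behaved object converts normally and is passed through.
function normalObject() {
  return { toString() { return "text"; } };
}
```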
Jul 31, 2010
#1 skylined@chromium.org
Issue 50555 has been merged into this issue.
Jul 31, 2010
#2 skylined@chromium.org
Issue 50555 shows that there are multiple ways to trigger similar bugs in various parts of the code. I expect they all have the same root cause, so I am combining them into one bug.
Jul 31, 2010
#3 skylined@chromium.org
(No comment was entered for this change.)
Summary: cross_fuzz: overwriting object.toString can cause NULL pointers when using the object as an argument to a WebKit method
Oct 25, 2010
#4 skylined@chromium.org
Issue 59556 has been merged into this issue.
Dec 1, 2010
#5 skylined@chromium.org
This is crashing in chrome.dll!WebCore::v8ValueToWebCoreString, should this be upstreamed to WebKit or v8?
Dec 3, 2010
#6 skylined@chromium.org
List of crashes with this root cause found so far:
chrome.dll!WebCore..v8StringToWebCoreString... ReadAV@NULL (a18372102121071f716f12b7abfb391d)
chrome.dll!WebCore..v8ValueToWebCoreString ReadAV@NULL (2e0fb650704e2eca442da015f1178771)
chrome.dll!WebCore..v8ValueToWebCoreString ReadAV@NULL (4200cb346588bc141dcc8ee223d7b080)
chrome.dll!WebCore..v8ValueToWebCoreString ReadAV@NULL (84f78d60f350884ce5d8c1f58b0156ae)
chrome.dll!WebCore..v8ValueToWebCoreString ReadAV@NULL (8cc27a26ab19aae5b77c30ea3d8ac750)
chrome.dll!WebCore..v8ValueToWebCoreString ReadAV@NULL (c464e561a51d08638016d4e835d69bc2)
extensions_v8..ExternalExtensionWrapper..AddSearchProvider ReadAV@NULL (0c670488345c55f538396b88831c911b)
Feb 1, 2011
#7 skylined@chromium.org
Collecting variations:
<script>
  ({}).constructor.prototype.toString=0;
  document.head.children({});
</script>

chrome.dll!v8::Value::QuickIsString ReadAV@NULL (a2e2cfc62ecf69ee5a03f26dc0777fec)
Attachment: repro - chrome.dll!v8ValueQuickIsString ReadAV@NULL (a2e2cfc62ecf69ee5a03f26dc0777fec).html (90 bytes)
Feb 7, 2011
#8 skylined@chromium.org
Issue 72074 has been merged into this issue.
Cc: jsc...@chromium.org jap...@chromium.org
Mar 10, 2013
#10 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -WebKit-JavaScript Cr-Content-JavaScript Cr-Content
Blocking: -chromium:50071 chromium:50071
Apr 5, 2013
#11 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink
Apr 5, 2013
#12 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript