Issue 70165: Use after free in speech API
Status:  Fixed
Owner:  satish@chromium.org
Closed:  Jan 2011
Cc:  bul...@chromium.org

Reported by serg.gla...@gmail.com, Jan 19, 2011
VULNERABILITY DETAILS
This is a logical extension of  issue 68666 . The new reproduction case crashes a renderer process in order to make a corresponding delegate pointer stale in a browser process.

VERSION
Chrome Version: 10.0.644.0 (71787)
Operating System: OS X & Windows
Attachments: repro.html (621 bytes), crash_details.txt (2.6 KB)
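The report describes a browser-process object that caches a pointer to a delegate tied to renderer state; when the renderer is deliberately crashed, that state is torn down but the cached pointer is not, and a later callback dereferences freed memory. The following is an added illustration of that bug class and of the hardened shape (a weak reference checked on every delivery, plus cancellation of outstanding requests on renderer death). It is not Chromium's speech code and not the attached repro; every class, function and the process id below are hypothetical.

```cpp
// Added illustration (not Chromium's speech code): the lifetime bug class the
// report describes, a browser-side request that caches a raw pointer to a
// delegate owned by renderer-associated state, beside a hardened shape. All
// class and function names here are hypothetical.
#include <map>
#include <memory>
#include <string>
#include <utility>

// Hypothetical delegate that receives recognition results for one renderer.
class ResultSink {
 public:
  virtual ~ResultSink() = default;
  virtual void OnResult(const std::string& transcript) = 0;
};

// Stand-in delegate that just counts deliveries.
class CountingSink : public ResultSink {
 public:
  void OnResult(const std::string&) override { ++count; }
  int count = 0;
};

// Vulnerable shape: a cached raw pointer with no tie to the owner's lifetime.
// Once the renderer-owned sink is freed, Deliver() dereferences freed memory.
class RawPtrRequest {
 public:
  explicit RawPtrRequest(ResultSink* sink) : sink_(sink) {}
  void Deliver(const std::string& t) { sink_->OnResult(t); }
 private:
  ResultSink* sink_;  // dangles after the renderer dies
};

// Hardened shape: each request holds a weak reference that is checked on every
// delivery, and the table drops a renderer's requests when it is told the
// renderer died.
class RequestTable {
 public:
  int Add(int render_process_id, std::weak_ptr<ResultSink> sink) {
    int id = next_id_++;
    requests_.emplace(id, Entry{render_process_id, std::move(sink)});
    return id;
  }
  // Returns false when the request was cancelled or its delegate is gone.
  bool Deliver(int request_id, const std::string& t) {
    auto it = requests_.find(request_id);
    if (it == requests_.end()) return false;
    if (auto s = it->second.sink.lock()) {
      s->OnResult(t);
      return true;
    }
    requests_.erase(it);  // delegate freed without notice: drop the result
    return false;
  }
  // Called from the browser's renderer-death notification.
  void OnRendererCrashed(int render_process_id) {
    for (auto it = requests_.begin(); it != requests_.end();) {
      if (it->second.render_process_id == render_process_id)
        it = requests_.erase(it);
      else
        ++it;
    }
  }
  size_t outstanding() const { return requests_.size(); }

 private:
  struct Entry {
    int render_process_id;
    std::weak_ptr<ResultSink> sink;
  };
  std::map<int, Entry> requests_;
  int next_id_ = 1;
};

struct Outcome {
  int delivered_before_crash;      // results the live delegate received
  bool delivered_after_crash;      // whether a late result reached the sink
  size_t outstanding_after_crash;  // requests still tracked after the crash
};

// Scenario from the report: a request is outstanding, the renderer (owner of
// the sink) crashes, then the recognition backend delivers a late result.
// With the hardened table the late result is dropped either way; the death
// notice only decides whether the entry is removed eagerly or lazily.
Outcome SimulateRendererCrash(bool browser_gets_death_notice) {
  auto sink = std::make_shared<CountingSink>();
  RequestTable table;
  int id = table.Add(/*render_process_id=*/7, sink);  // 7 is an arbitrary constructed id
  table.Deliver(id, "hello");
  int before = sink->count;
  sink.reset();  // the renderer died and its delegate was freed
  if (browser_gets_death_notice) table.OnRendererCrashed(7);
  bool after = table.Deliver(id, "late result");
  return {before, after, table.outstanding()};
}
```

The two paths in SimulateRendererCrash show why both halves matter: the death notification is the proper cancellation point, but the weak-reference check is what keeps a late callback from touching freed memory if the notification races with delivery or is missed.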
Jan 19, 2011
#1 infe...@chromium.org
Satish, can you please take a look.
Status: Assigned
Owner: sat...@chromium.org
Jan 20, 2011
#2 satish@chromium.org
(No comment was entered for this change.)
Cc: bul...@chromium.org
Jan 20, 2011
#4 infe...@chromium.org
Thanks a lot Satish for the awesome turnaround time.

Chris - Justin told me that speech is now moved to m11. I am adding this bug along with the other speech fixes in m10 release notes. Please feel free to move all those to m11 when you get time.
Status: FixUnreleased
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-Critical Mstone-11 OS-All
Jan 29, 2011
#5 jsc...@chromium.org
(No comment was entered for this change.)
Labels: reward-topanel
Feb 1, 2011
#6 scarybea...@gmail.com
@serg.glazunov: thanks for this additional manifestation of stale pointers in the browser in the speech code!
We find the use of a deliberately crashed renderer to be particularly novel / clever, so we will be topping up the original reward with an additional $1337.
Thanks again!
Labels: -reward-topanel reward-1337 reward-unpaid
Feb 9, 2011
#7 scarybea...@gmail.com
Invoice finalized; payment is in e-payment system.

Labels: -Restrict-View-SecurityTeam -reward-unpaid Restrict-View-SecurityNotify
Mar 21, 2011
#8 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Oct 5, 2011
#9 jsc...@chromium.org
Batch update.
Labels: SecImpacts-None
Apr 18, 2012
#10 jsc...@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#11 jsc...@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#12 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#13 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -SecSeverity-Critical -Mstone-11 -Type-Security -SecImpacts-None Cr-Content Type-Bug-Security M-11 Security-Impact-None Security-Severity-Critical
Mar 13, 2013
#14 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#15 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: Security_Severity-None
Mar 21, 2013
#16 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-None Security_Impact-None
Mar 21, 2013
#17 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-Critical -Security_Severity-None Security_Severity-Critical
Apr 5, 2013
#18 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink