Issue 77349: When object destroyed, its select file dialog is not informed to cleared its listener which can call back that destroyed object
Reported by kuz...@gmail.com, Mar 24, 2011
Test chrome 12.0.712.0 dev windows xp sp3


Attachment: selectPrivateKeyPath crash.crx (965 bytes)
Mar 25, 2011
#1 infe...@chromium.org
(No comment was entered for this change.)
Summary: Crash due to selectfiledialog not cleared in extensiondomhandler
Status: Assigned
Owner: infernochromium@gmail.com
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals SecSeverity-High OS-All Mstone-11
Mar 25, 2011
#2 infe...@chromium.org
(No comment was entered for this change.)
Labels: Feature-Extensions
Mar 25, 2011
#3 infe...@chromium.org
(No comment was entered for this change.)
Summary: When object destroyed, its select file dialog is not informed to cleared its listener which can call back that destroyed object
Status: Started
Cc: brettw%chromium.org@gtempaccount.com erikkay%chromium.org@gtempaccount.com
Mar 26, 2011
#5 infe...@chromium.org
This bug falls between SecCritical & SecHigh because of the need of the extensions vector. I have corrected 5 other places in the code where this could be possible.
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify reward-topanel
Mar 27, 2011
#6 kuz...@gmail.com
Yes
chrome.send('selectDownloadLocation') int crash
selectExtensionPath() need select something

Mar 27, 2011
#7 infe...@chromium.org
kuzzcc, can you please explain your last comment in detail. Did you try testing the fix ?
Mar 27, 2011
#8 kuz...@gmail.com
chrome 12.0.712.0 dev
====
go to chrome://settings/advanced
javascript:chrome.send('selectDownloadLocation') int crash 

go to chrome://extensions/
javascript:loadExtension() need select something after tab remove then crash
javascript:selectExtensionPath() need click ok then crash

other dialogs

chrome 12.0.717.0 (79515) no crash :)
Mar 27, 2011
#9 infe...@chromium.org
Great. Yeah, I fixed it just before we branched for 717 over the weekend. So, that is why you are not seeing it anymore :) Thanks a lot for testing, sorry I got a little confused by your last comment that there is some other use case left. Awesome job hunting this down. Keep up your ninja extension hacking skills.
Mar 29, 2011
#10 scarybea...@gmail.com
Prodding down to SecSeverity-Medium. In the past, we've flagged browser memory corruptions via evil extensions as "Medium", if they require the powerful tabs permission.
It will still be considered by the rewards panel!
Labels: -SecSeverity-High SecSeverity-Medium
Mar 29, 2011
#11 scarybea...@gmail.com
First part of merge: r79761
Labels: ReleaseBlock-Stable
Mar 29, 2011
#12 bugdro...@chromium.org
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=79761

------------------------------------------------------------------------
r79761 | cevans@chromium.org | Tue Mar 29 16:24:16 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/696/src/chrome/browser/ui/gtk/certificate_dialogs.cc?r1=79761&r2=79760&pathrev=79761
 M http://src.chromium.org/viewvc/chrome/branches/696/src/chrome/browser/ui/webui/options/advanced_options_handler.cc?r1=79761&r2=79760&pathrev=79761
 M http://src.chromium.org/viewvc/chrome/branches/696/src/chrome/browser/extensions/extensions_ui.cc?r1=79761&r2=79760&pathrev=79761
 M http://src.chromium.org/viewvc/chrome/branches/696/src/chrome/browser/extensions/extension_bookmarks_module.cc?r1=79761&r2=79760&pathrev=79761
 M http://src.chromium.org/viewvc/chrome/branches/696/src/chrome/browser/ui/webui/options/certificate_manager_handler.cc?r1=79761&r2=79760&pathrev=79761

Merge 79507 - Before object destruction, make sure that its select dialogs are told that we
are gone so that they don't try and call back to us. This bug was reproducible
on extensions, but similar occurrences were found in code auditing.

BUG=77349
TEST=None
Review URL: http://codereview.chromium.org/6747007

TBR=aarya@google.com
Review URL: http://codereview.chromium.org/6770026
------------------------------------------------------------------------
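The lifetime pattern the merged change describes, as an added example that is not Chromium's code: a dialog keeps a raw, non-owning pointer to its listener, and the fix is for the owner's destructor to tell the dialog it is gone so a late callback is dropped instead of reaching freed memory. SelectFileDialog here is a constructed stand-in for the real class, and LeakyHandler/SafeHandler are invented names.

```cpp
#include <string>

// Constructed model (not Chromium's real SelectFileDialog); handler names are invented.
class SelectFileDialog {
 public:
  class Listener {
   public:
    virtual ~Listener() = default;
    virtual void FileSelected(const std::string& path) = 0;
  };
  void SetListener(Listener* l) { listener_ = l; }
  void ListenerDestroyed() { listener_ = nullptr; }  // the fix: owner calls this from its dtor
  bool HasListener() const { return listener_ != nullptr; }
  // Fired later by the native dialog; returns whether a live owner received it.
  bool FileSelected(const std::string& path) {
    if (!listener_) return false;  // owner already gone: drop the callback
    listener_->FileSelected(path);
    return true;
  }
 private:
  Listener* listener_ = nullptr;  // raw, non-owning: why the cleanup matters
};

// "Before": the WebUI handler never tells the dialog it is going away.
class LeakyHandler : public SelectFileDialog::Listener {
 public:
  explicit LeakyHandler(SelectFileDialog* d) { d->SetListener(this); }
  void FileSelected(const std::string&) override {}
};

// "After": the destructor clears the dialog's listener, as the merged change does.
class SafeHandler : public SelectFileDialog::Listener {
 public:
  explicit SafeHandler(SelectFileDialog* d) : dialog_(d) { d->SetListener(this); }
  ~SafeHandler() override { dialog_->ListenerDestroyed(); }
  void FileSelected(const std::string&) override {}
 private:
  SelectFileDialog* dialog_;
};

// Tears the owner down (tab closed) while the native dialog is still open, then fires
// the late callback. True means the dialog still targets the dead owner (the bug).
template <typename Handler>
bool LateCallbackTargetsDeadOwner() {
  SelectFileDialog dialog;       // outlives the handler, like the native dialog
  { Handler handler(&dialog); }  // handler destroyed here
  if (dialog.HasListener()) return true;  // dangling pointer: never dereference it
  return dialog.FileSelected("constructed/path.crx");  // false: safely dropped
}
```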
Mar 29, 2011
#13 scarybea...@gmail.com
Ah, that's the full merge, great. svn merge confused me.
Status: FixUnreleased
Mar 31, 2011
#14 scarybea...@gmail.com
(No comment was entered for this change.)
Cc: a...@chromium.org
Apr 14, 2011
#15 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -reward-topanel
Apr 22, 2011
#16 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2011-1450
Oct 4, 2011
#17 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
Apr 18, 2012
#18 jsc...@chromium.org
Lifting view restrictions.
Apr 18, 2012
#19 jsc...@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#20 jsc...@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#21 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#22 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Type-Security -Area-Internals -SecSeverity-Medium -Mstone-11 -Feature-Extensions -SecImpacts-Stable Cr-Platform-Extensions Security-Severity-Medium Cr-Internals Security-Impact-Stable M-11 Type-Bug-Security
Mar 13, 2013
#23 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#24 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Mar 21, 2013
#25 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-Medium Security_Severity-Medium