Updates:
Labels: Security SecSeverity-High Mstone-4
Comment #2 on issue 28699 by scarybeasts: Crash on mouse movement on sunrise.ch
http://code.google.com/p/chromium/issues/detail?id=28699
Looks like a use-after-free?
The RenderText object is full of junk.
$4 = {<WebCore::RenderText> = {<WebCore::RenderObject> =
{<WebCore::CachedResourceClient> = {<WTF::FastAllocBase> = {<No data
fields>},
_vptr.CachedResourceClient = 0x0},
m_style = {<WTF::FastAllocBase> = {<No data fields>},
m_ptr = 0x7fffec0452b0}, m_node = 0x0, m_parent =
0x4130000041300000,
...
(e.g. look at m_parent).
Eventual crash for me is due to wild m_ptr in the m_text field:
m_text = {<WTF::FastAllocBase> = {<No data fields>}, m_ptr = 0x3f800000},
Marking security.... use-after-free in renderer is usually "high" risk. Would be nice to fix for M4.
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
--
Automated mail from issue updates at http://crbug.com/
Subscription options: http://groups.google.com/group/chromium-bugs
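The comment above reaches its use-after-free diagnosis by eyeballing the gdb struct dump: pointer fields that decode to small, "nice" float values (0x41300000 is 11.0f, 0x3f800000 is 1.0f) are a strong sign the freed block has been reused for float data. The following is an added example, not code from the issue or from Chromium, that automates that triage heuristic over a struct dump. It assumes an x86-64 target (48-bit canonical addresses) and uses the field values quoted in the comment as a constructed sample; the field names in the sample are taken from the dump, the helper names are my own.

```python
import re
import struct

# Constructed sample: the pointer-valued members from the gdb dump quoted
# in the comment above, flattened to "name = 0x..." lines.
SAMPLE_DUMP = """
_vptr.CachedResourceClient = 0x0
m_ptr = 0x7fffec0452b0
m_node = 0x0
m_parent = 0x4130000041300000
m_text.m_ptr = 0x3f800000
"""

# Matches "member = 0xHEX" pairs as gdb prints them for pointer fields.
FIELD_RE = re.compile(r"([A-Za-z_][\w.]*)\s*=\s*0x([0-9a-fA-F]+)")


def is_canonical_x86_64(value):
    """True if bits 63..47 are all equal, i.e. a canonical 48-bit address."""
    top = value >> 47
    return top == 0 or top == 0x1FFFF


def nice_float(bits32):
    """True if a 32-bit pattern decodes to a finite, human-sized float."""
    f = struct.unpack("<f", struct.pack("<I", bits32))[0]
    return f == f and abs(f) != float("inf") and 1e-3 <= abs(f) <= 1e6


def looks_like_float_pair(value):
    """True if every non-zero 32-bit half of the word is a nice float."""
    halves = [h for h in (value >> 32, value & 0xFFFFFFFF) if h != 0]
    return bool(halves) and all(nice_float(h) for h in halves)


def classify_pointer(value):
    """Label a pointer-sized value the way a crash triager would read it."""
    if value == 0:
        return "null"
    if value < 0x10000:
        return "near-null"
    # Checked before canonicality: a word made of two floats (e.g.
    # 0x4130000041300000) is the reused-memory signature we care about.
    if looks_like_float_pair(value):
        return "float-pattern (reused memory)"
    if not is_canonical_x86_64(value):
        return "non-canonical (stale or overwritten)"
    return "plausible"


def triage(dump):
    """Map each pointer field in a gdb struct dump to its classification."""
    return {name: classify_pointer(int(hexval, 16))
            for name, hexval in FIELD_RE.findall(dump)}


def suspicious_fields(dump):
    """Names of fields whose value is neither null nor a plausible address."""
    return sorted(name for name, label in triage(dump).items()
                  if label not in ("null", "plausible"))


if __name__ == "__main__":
    for name, label in triage(SAMPLE_DUMP).items():
        print(f"{name:28s} {label}")
    print("suspicious:", suspicious_fields(SAMPLE_DUMP))
```

Run against the sample, the two fields the comment singles out (m_parent and the m_text m_ptr) are the ones flagged, while the live m_style pointer at 0x7fffec0452b0 passes as a plausible heap address. The float heuristic is deliberately narrow (finite values between 1e-3 and 1e6) so that NaN-looking high halves of real user-space addresses do not trip it.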