Google Chrome/ChromeOS Bug (227197/227181/227158)

 

http://googlechromereleases.blogspot.com/2013/04/stable-channel-update-for-chrome-os.html
    https://code.google.com/p/chromium/issues/detail?id=227197
    https://code.google.com/p/chromium/issues/detail?id=227181
    https://code.google.com/p/chromium/issues/detail?id=227158
    https://code.google.com/p/chromium/issues/detail?id=196456
   
You can see all the patches at this link:
http://git.chromium.org/gitweb/?p=chromiumos/overlays/chromiumos-overlay.git;a=commit;h=9181705680e1f53fd1e895ebe84c1b7f18c5c380

Anyway, let's search the git log for these bug IDs in the Chrome OS commits
and look into each and every bug.
   
commit 9181705680e1f53fd1e895ebe84c1b7f18c5c380
Author: Josh Horwich <jhorwich@chromium.org>
Date:   Wed Apr 10 14:47:48 2013 -0700

    O3D: Incorporate latest patches
   
    – Better URL fetching/parsing (227158)
    – Better object cleanup (227181)
    – Don’t return unint’d memory (227197)
   
    BUG=chromium:227158, chromium:227181, chromium:227197
    TEST=emerge-lumpy o3d, run Hangouts and 1:1 video chat
   
    Change-Id: I98bafd360c242b0fcb0d6a3443bb95084d68f9a2
    Reviewed-on: https://gerrit.chromium.org/gerrit/47782
    Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
    Commit-Queue: Josh Horwich <jhorwich@google.com>
    Tested-by: Josh Horwich <jhorwich@google.com>
    Reviewed-by: Noah Richards <noahric@chromium.org>
   

$ git rev-list --parents -n 1 9181705680e1f53fd1e895ebe84c1b7f18c5c380
9181705680e1f53fd1e895ebe84c1b7f18c5c380 c8ba8f9981f258d68049dfd88d4222c5154f31d1

$ git diff c8ba8f9981f258d68049dfd88d4222c5154f31d1...9181705680e1f53fd1e895ebe84c1b7f18c5c380 --stat
media-plugins/o3d/files/o3d-227158.patch |  112 ++++++++++++++++++++++++++++++
media-plugins/o3d/files/o3d-227181.patch |   42 +++++++++++
media-plugins/o3d/files/o3d-227197.patch |   32 +++++++++
media-plugins/o3d/o3d-179976-r3.ebuild   |   80 -------------------
media-plugins/o3d/o3d-179976-r4.ebuild   |   86 +++++++++++++++++++++++
5 files changed, 272 insertions(+), 80 deletions(-)

 
The git repository has only the patches; the source code is kept in another repository:

svn checkout https://src.chromium.org/chrome/trunk/o3d .

————————————————————————
r195319 | shaowei@google.com | 2013-04-19 15:42:26 -0700 (Fri, 19 Apr 2013) | 3 lines

Possible fix for b/8667721

Review URL: https://codereview.chromium.org/14272009
————————————————————————
r194977 | shaowei@google.com | 2013-04-18 11:49:53 -0700 (Thu, 18 Apr 2013) | 3 lines

Fix an error in the destructor for Shape.cc

Review URL: https://codereview.chromium.org/14302004
————————————————————————
r194258 | shaowei@google.com | 2013-04-15 17:00:40 -0700 (Mon, 15 Apr 2013) | 3 lines

Upstreaming ChromeOS regarding whitelist.

Review URL: https://codereview.chromium.org/13999006
————————————————————————
r184664 | tschmelcher@chromium.org | 2013-02-26 09:18:12 -0800 (Tue, 26 Feb 2013) | 5 lines

Fix a variety of memory corruption bugs in O3D. Fixes provided by scarybeasts@gmail.com.
Update third_party/libpng to r125311 to pick up https://codereview.chromium.org/9363013 and https://codereview.chromium.org/9546033. Also disables using system libpng on Linux (https://chromiumcodereview.appspot.com/9365007).

TEST=built and ran on Linux; ran objdump -p and verified O3D no longer dynamically links to system libpng
Review URL: https://codereview.chromium.org/12317108
————————————————————————

$ svn update -r 184168
Updating ‘.’:
U    import\cross\raw_data.cc
U    core\cross\element.cc
U    core\cross\texture.cc
U    core\cross\buffer.h
U    core\cross\primitive.cc
U    core\cross\pack.cc
U    core\cross\bitmap.cc
U    core\cross\param_array.cc
U    core\cross\shape.cc
U    core\cross\canvas.cc
U    core\cross\buffer.cc
U    core\cross\shape.h
U    core\cross\skin.cc
U    plugin\npapi_host_control\win\np_browser_proxy.cc
U    plugin\cross\whitelist.cc
U    plugin\cross\texture_static_glue.cc
U    DEPS
U    build\version.gypi
Updated to revision 184168.

Better object cleanup (Bug 227181)
———————————–
   http://www.scip.ch/en/?vuldb.8443 (Somebody is watching the logs closely ;-))
   
    A “Shape” object owns a set of “Element” objects, and each “Element”
    object owns a set of “DrawElement” objects.
   
    Each “Element” object also holds a pointer back to its owning “Shape”,
    and each “DrawElement” object holds a pointer back to its owning “Element”.
   
    The problem is that when an “Element” object is deleted, each of its
    “DrawElement” objects is left with a dangling pointer to the deleted owner
    “Element”. Likewise, when a “Shape” object is deleted, each of its “Element”
    objects is left with a dangling pointer to the deleted owner “Shape”. The
    real problem is that every “Element” and “DrawElement” object is also
    referenced from the “pack”, which is used to create and maintain these
    objects, so a child can outlive its owner. The use-after-free happens in
    the “SetOwner()” functions of both “Element” and “Shape”.
   
    The fix is to clear these dangling pointers.
   
    This bug is in the O3D implementation. O3D was initially shipped as a
    plugin for the Windows platform; Google later discontinued support for it,
    but the codebase is still used in its OS, i.e. Chrome OS.

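To make the ownership graph described above concrete, here is an added example (my own code, not O3D's): a Shape/Element/DrawElement hierarchy with raw back-pointers, a stand-in "pack" that keeps every object alive independently, and destructors that unlink both directions so that deleting an Element leaves nothing pointing at freed memory. The class names follow the page; the Pack, its Create/Destroy methods and the test scenario are assumptions for illustration.

```cpp
// Added example (not O3D's code): Shape -> Element -> DrawElement with raw
// back-pointers to the owner, and the fix of unlinking both directions when
// an object is destroyed so no pointer outlives its target.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

class Element;
class Shape;

// Child of an Element; keeps a raw pointer back to its owner.
class DrawElement {
 public:
  ~DrawElement();
  Element* owner() const { return owner_; }
  void SetOwner(Element* owner) { owner_ = owner; }
 private:
  Element* owner_ = nullptr;
};

// Child of a Shape, owner of DrawElements.
class Element {
 public:
  ~Element();
  Shape* owner() const { return owner_; }
  void SetOwner(Shape* owner) { owner_ = owner; }
  void AddDrawElement(DrawElement* d) { draw_elements_.push_back(d); d->SetOwner(this); }
  void RemoveDrawElement(DrawElement* d) {
    draw_elements_.erase(std::remove(draw_elements_.begin(), draw_elements_.end(), d),
                         draw_elements_.end());
  }
  size_t draw_element_count() const { return draw_elements_.size(); }
 private:
  Shape* owner_ = nullptr;
  std::vector<DrawElement*> draw_elements_;
};

class Shape {
 public:
  ~Shape();
  void AddElement(Element* e) { elements_.push_back(e); e->SetOwner(this); }
  void RemoveElement(Element* e) {
    elements_.erase(std::remove(elements_.begin(), elements_.end(), e), elements_.end());
  }
  size_t element_count() const { return elements_.size(); }
 private:
  std::vector<Element*> elements_;
};

// The fix: on destruction, drop out of the owner's list and null the
// back-pointer of every child. Without these destructors a child's owner_
// (or the owner's list entry) would keep pointing at freed memory.
DrawElement::~DrawElement() { if (owner_) owner_->RemoveDrawElement(this); }
Element::~Element() {
  for (DrawElement* d : draw_elements_) d->SetOwner(nullptr);
  if (owner_) owner_->RemoveElement(this);
}
Shape::~Shape() { for (Element* e : elements_) e->SetOwner(nullptr); }

// Assumed stand-in for the page's "pack": it owns every object and keeps them
// alive independently, so a child can outlive the object it points back to.
class Pack {
 public:
  Shape* CreateShape() { shapes_.push_back(std::make_unique<Shape>()); return shapes_.back().get(); }
  Element* CreateElement() { elements_.push_back(std::make_unique<Element>()); return elements_.back().get(); }
  DrawElement* CreateDrawElement() {
    draw_elements_.push_back(std::make_unique<DrawElement>());
    return draw_elements_.back().get();
  }
  // Destroy one Element through the pack; its Shape and DrawElements live on.
  void DestroyElement(Element* e) {
    elements_.erase(std::remove_if(elements_.begin(), elements_.end(),
                                   [e](const std::unique_ptr<Element>& p) { return p.get() == e; }),
                    elements_.end());
  }
 private:
  std::vector<std::unique_ptr<Shape>> shapes_;
  std::vector<std::unique_ptr<Element>> elements_;
  std::vector<std::unique_ptr<DrawElement>> draw_elements_;
};

// Scenario from the page: delete the Element while its Shape and DrawElement
// remain in the pack. Returns true when nothing is left pointing at it.
bool DestroyingElementLeavesNoDanglingPointers() {
  Pack pack;
  Shape* shape = pack.CreateShape();
  Element* element = pack.CreateElement();
  DrawElement* draw = pack.CreateDrawElement();
  shape->AddElement(element);
  element->AddDrawElement(draw);
  pack.DestroyElement(element);
  return draw->owner() == nullptr && shape->element_count() == 0;
}
```

The point to check in a review of code like this is that every raw back-pointer has exactly one place where it is cleared, and that place runs before the target's memory is released; here that is the owner's destructor, which is why `Pack` can destroy objects in any order without a child ever dereferencing a freed owner.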

Don’t return unint’d memory (Bug 227197)
——————————————-
    Information leak bug.
   
    The bug: if Buffer::Set() fails, the memory it has already allocated is
    left uninitialized, and a later read of that buffer can disclose whatever
    the allocation held. This can lead to information disclosure.
   
    Fix: if Buffer::Set() fails, the memory allocated for that object is freed.
    Buffer is an abstract class implemented by various subclasses.
   
    bool Buffer::Set(o3d::RawData *raw_data,
                     size_t offset,
                     size_t length) {
    +  bool ret = InternalSet(raw_data, offset, length);
    +  if (!ret) {
    +    Free();
    +  }

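To show why the free-on-failure in the Buffer::Set() snippet above matters, here is an added example (my own code, not O3D's): a toy Buffer whose InternalSet() allocates before it validates its arguments, so an unpatched Set() that fails leaves the stale allocation reachable through data()/size(), while the patched Set() releases it. The RawData struct, the arena allocator, the "OLD-SECRET" stale content and the consumer function are all constructed for the demo; O3D's real Buffer, RawData and Free() differ.

```cpp
// Added example (not O3D's code): a Buffer whose Set() allocates before it
// validates, so a failed call leaves stale allocation contents reachable.
// The patched Set() frees on failure, as in the snippet above.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for the page's o3d::RawData: a blob the buffer is filled from.
struct RawData {
  std::vector<uint8_t> bytes;
};

// Constructed toy allocator: hands out one region and never clears it, so
// "whatever the memory held before" is deterministic for the demo.
static uint8_t g_arena[32];
static uint8_t* ArenaAlloc(size_t n) { return n <= sizeof(g_arena) ? g_arena : nullptr; }

class Buffer {
 public:
  ~Buffer() { Free(); }
  // Unpatched shape: a failed InternalSet() leaves data_/size_ pointing at
  // memory this Set() never wrote.
  bool SetUnpatched(const RawData& raw, size_t offset, size_t length) {
    return InternalSet(raw, offset, length);
  }
  // Patched shape (mirrors the page's snippet): release the allocation on failure.
  bool Set(const RawData& raw, size_t offset, size_t length) {
    bool ret = InternalSet(raw, offset, length);
    if (!ret) {
      Free();
    }
    return ret;
  }
  const uint8_t* data() const { return data_; }
  size_t size() const { return size_; }
  // Arena memory is reused rather than returned, so Free() just forgets it.
  void Free() { data_ = nullptr; size_ = 0; }

 private:
  bool InternalSet(const RawData& raw, size_t offset, size_t length) {
    Free();
    data_ = ArenaAlloc(length);
    if (!data_) return false;
    size_ = length;
    // Validation happens only after the allocation exists: this is the leak window.
    if (offset > raw.bytes.size() || length > raw.bytes.size() - offset) return false;
    std::memcpy(data_, raw.bytes.data() + offset, length);
    return true;
  }
  uint8_t* data_ = nullptr;
  size_t size_ = 0;
};

// What a consumer that trusts size() would read back after a failed Set().
// Returns the exposed bytes, or "" when the patched path has freed them.
std::string ExposedAfterFailedSet(bool patched) {
  // Constructed stale content left behind by a previous user of the arena.
  const char kStale[] = "OLD-SECRET";
  std::memcpy(g_arena, kStale, sizeof(kStale) - 1);
  RawData raw;
  raw.bytes = {1, 2, 3, 4};
  Buffer buf;
  // offset 3 + length 10 overruns the 4-byte source, so InternalSet() fails.
  bool ok = patched ? buf.Set(raw, 3, 10) : buf.SetUnpatched(raw, 3, 10);
  if (ok || buf.size() == 0) return "";
  return std::string(reinterpret_cast<const char*>(buf.data()), buf.size());
}
```

The unpatched path returns the ten stale bytes even though Set() reported failure, which is exactly the disclosure the patch closes; the patched path leaves size() at zero so there is nothing for a caller to copy out. The more general lesson is that any "allocate, then validate" sequence needs a failure branch that either frees or scrubs the allocation.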

Better URL fetching/parsing (Bug 227158)
——————————————-
    Added whitelisting to O3D as part of the PPAPI plugin.
