Google Chrome/ChromeOS Bug (227197/227181/227158)
You can see all the patches in this link.;a=commit;h=9181705680e1f53fd1e895ebe84c1b7f18c5c380

Anyway, let’s search the Git log for these bug IDs in the Chrome OS commits
and crack each and every bug.
commit 9181705680e1f53fd1e895ebe84c1b7f18c5c380
Author: Josh Horwich <>
Date:   Wed Apr 10 14:47:48 2013 -0700

    O3D: Incorporate latest patches
    - Better URL fetching/parsing (227158)
    - Better object cleanup (227181)
    - Don’t return unint’d memory (227197)
    BUG=chromium:227158, chromium:227181, chromium:227197
    TEST=emerge-lumpy o3d, run Hangouts and 1:1 video chat
    Change-Id: I98bafd360c242b0fcb0d6a3443bb95084d68f9a2
    Reviewed-by: Jorge Lucangeli Obes <>
    Commit-Queue: Josh Horwich <>
    Tested-by: Josh Horwich <>
    Reviewed-by: Noah Richards <>

$ git rev-list --parents -n 1 9181705680e1f53fd1e895ebe84c1b7f18c5c380
9181705680e1f53fd1e895ebe84c1b7f18c5c380 c8ba8f9981f258d68049dfd88d4222c5154f31d1

$ git diff c8ba8f9981f258d68049dfd88d4222c5154f31d1...9181705680e1f53fd1e895ebe84c1b7f18c5c380 --stat
media-plugins/o3d/files/o3d-227158.patch |  112 ++++++++++++++++++++++++++++++
media-plugins/o3d/files/o3d-227181.patch |   42 +++++++++++
media-plugins/o3d/files/o3d-227197.patch |   32 +++++++++
media-plugins/o3d/o3d-179976-r4.ebuild   |   80 ---------------------
media-plugins/o3d/o3d-179976-r4.ebuild   |   86 +++++++++++++++++++++++
5 files changed, 272 insertions(+), 80 deletions(-)

The Git repository holds only the patches; the O3D source code lives in a separate Subversion repository.

svn checkout .

r195319 | | 2013-04-19 15:42:26 -0700 (Fri, 19 Apr 2013) | 3 lines

Possible fix for b/8667721

Review URL:
r194977 | | 2013-04-18 11:49:53 -0700 (Thu, 18 Apr 2013) | 3 lines

Fix an error in the destructor for

Review URL:
r194258 | | 2013-04-15 17:00:40 -0700 (Mon, 15 Apr 2013) | 3 lines

Upstreaming ChromeOS regarding whitelist.

Review URL:
r184664 | | 2013-02-26 09:18:12 -0800 (Tue, 26 Feb 2013) | 5 lines

Fix a variety of memory corruption bugs in O3D. Fixes provided by
Update third_party/libpng to r125311 to pick up and Also disables using system libpng on Linux (

TEST=built and ran on Linux; ran objdump -p and verified O3D no longer dynamically links to system libpng
Review URL:

$ svn update -r 184168
Updating ‘.’:
U    import\cross\
U    core\cross\
U    core\cross\
U    core\cross\buffer.h
U    core\cross\
U    core\cross\
U    core\cross\
U    core\cross\
U    core\cross\
U    core\cross\
U    core\cross\
U    core\cross\shape.h
U    core\cross\
U    plugin\npapi_host_control\win\
U    plugin\cross\
U    plugin\cross\
U    build\version.gypi
Updated to revision 184168.

Better object cleanup (Bug 227181)
---------------------------------- (Somebody is watching the logs closely ;-))
    A “Shape” object owns a set of “Element” objects.
    Each “Element” object owns a set of “DrawElement” objects.
    Each “Element” object also holds a pointer back to its owning “Shape” object,
    and each “DrawElement” object holds a pointer back to its owning “Element” object.
    The problem is that when an “Element” object is deleted, each of its “DrawElement”
    objects is left with a dangling pointer to the owner “Element” object. Similarly, when a
    “Shape” object is deleted, each of its “Element” objects is left with a dangling pointer
    to the owner “Shape” object. The real problem is that every “Element” and
    “DrawElement” object is also referenced from the “pack”, which is used to create
    and maintain these objects, so the children outlive their owners. The “use-after-free”
    happens in the “SetOwner()” functions of both “Element” and “Shape”.
    The fix is to clear off these dangling pointers when the owner goes away.
    This bug is part of the O3D implementation. O3D was originally shipped
    as a plugin for the Windows platform; Google later discontinued
    its support, but the codebase is still used in their OS, i.e. Chrome OS.
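The ownership graph described above, reduced to a runnable model. This is an added example written for this post, not O3D's code: the class names follow the post's description, while Pack::Create()/Destroy(), ObjectBase and the Add/Remove helpers are assumptions. Each owner's destructor nulls the back-pointers of the objects it owns, and each owned object unregisters from its owner, so that SetOwner() never dereferences a freed owner.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Every object is created and owned by a Pack; owner_ pointers are non-owning
// back-references, the arrangement the post describes. Not O3D's real classes.
class ObjectBase {
 public:
  virtual ~ObjectBase() = default;
};

class Shape;
class Element;

class DrawElement : public ObjectBase {
 public:
  ~DrawElement() override;             // defined once Element is complete
  Element* owner() const { return owner_; }
  void SetOwner(Element* new_owner);
 private:
  friend class Element;                // lets ~Element null this back-pointer
  Element* owner_ = nullptr;
};

class Element : public ObjectBase {
 public:
  ~Element() override;
  Shape* owner() const { return owner_; }
  void SetOwner(Shape* new_owner);
  void AddDrawElement(DrawElement* de) { draw_elements_.push_back(de); }
  void RemoveDrawElement(DrawElement* de) {
    draw_elements_.erase(std::remove(draw_elements_.begin(), draw_elements_.end(), de),
                         draw_elements_.end());
  }
 private:
  friend class Shape;                  // lets ~Shape null this back-pointer
  Shape* owner_ = nullptr;
  std::vector<DrawElement*> draw_elements_;
};

class Shape : public ObjectBase {
 public:
  // The 227181 fix pattern: before the owner is freed, null every back-pointer
  // that refers to it, so a later SetOwner() has nothing stale to call into.
  ~Shape() override { for (Element* e : elements_) e->owner_ = nullptr; }
  void AddElement(Element* e) { elements_.push_back(e); }
  void RemoveElement(Element* e) {
    elements_.erase(std::remove(elements_.begin(), elements_.end(), e), elements_.end());
  }
  std::size_t element_count() const { return elements_.size(); }
 private:
  std::vector<Element*> elements_;
};

// Same fix one level down, plus the symmetric step: a dying object unregisters
// from its (still live) owner so the owner never keeps a pointer to a dead child.
Element::~Element() {
  if (owner_) owner_->RemoveElement(this);
  for (DrawElement* de : draw_elements_) de->owner_ = nullptr;
}
DrawElement::~DrawElement() { if (owner_) owner_->RemoveDrawElement(this); }

// Re-parenting detaches from the old owner first. With a dangling owner_ that
// first call is the use-after-free; with the destructors above it is skipped.
void DrawElement::SetOwner(Element* new_owner) {
  if (owner_) owner_->RemoveDrawElement(this);
  owner_ = new_owner;
  if (owner_) owner_->AddDrawElement(this);
}
void Element::SetOwner(Shape* new_owner) {
  if (owner_) owner_->RemoveElement(this);
  owner_ = new_owner;
  if (owner_) owner_->AddElement(this);
}

// Pack: the single real owner (unique_ptr) of every object, as in the post.
class Pack {
 public:
  template <typename T> T* Create() {
    objects_.emplace_back(new T());
    return static_cast<T*>(objects_.back().get());
  }
  bool Destroy(ObjectBase* obj) {
    auto it = std::find_if(objects_.begin(), objects_.end(),
        [obj](const std::unique_ptr<ObjectBase>& p) { return p.get() == obj; });
    if (it == objects_.end()) return false;
    objects_.erase(it);  // runs the destructor, which clears the back-pointers
    return true;
  }
 private:
  std::vector<std::unique_ptr<ObjectBase>> objects_;
};

// Constructed scenario: destroy a Shape while its Element lives on in the pack,
// re-parent the Element, then destroy the Element under its DrawElement.
// Returns true iff every back-pointer was cleared and no stale owner was touched.
bool OwnerPointersClearedOnDestroy() {
  Pack pack;
  Shape* shape_a = pack.Create<Shape>();
  Shape* shape_b = pack.Create<Shape>();
  Element* element = pack.Create<Element>();
  DrawElement* draw = pack.Create<DrawElement>();
  element->SetOwner(shape_a);
  draw->SetOwner(element);
  pack.Destroy(shape_a);                       // ~Shape nulls element->owner_
  if (element->owner() != nullptr) return false;
  element->SetOwner(shape_b);                  // safe: no stale Shape to detach from
  if (element->owner() != shape_b || shape_b->element_count() != 1) return false;
  pack.Destroy(element);                       // ~Element leaves shape_b, nulls draw
  return draw->owner() == nullptr && shape_b->element_count() == 0;
}
```

Without the destructor bodies in Shape and Element, the call to `element->SetOwner(shape_b)` after `pack.Destroy(shape_a)` would invoke `RemoveElement()` on the freed Shape, which is the use-after-free the post locates in SetOwner().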



Don’t return unint’d memory (Bug 227197)
    Information leak bug.
    The bug is that if the “Buffer::Set()” method fails, the memory allocated for
    the buffer is left uninitialized. This can lead to information disclosure.
    Fix: if Buffer::Set() fails, the memory allocated for that object is cleared off
    (freed). Buffer is an abstract class and it is implemented by various classes.
   bool Buffer::Set(o3d::RawData *raw_data,
    +                  size_t offset,
    +                  size_t length) {
    ++  bool ret = InternalSet(raw_data, offset, length);
    ++  if (!ret) {
    ++    Free();
    ++  }
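Review bot: the excerpt stops right after the `Free()` call, before the function's return, so confirm that `Set()` still returns `ret` (not a hard-coded true) once the buffer has been freed; otherwise a caller would treat an empty, freed buffer as successfully populated. Since the page notes that Buffer is abstract and implemented by several classes, it is also worth checking that `Free()` resets the size and element bookkeeping in each concrete subclass, so that after a failed `Set()` nothing still reports the old length over storage that no longer exists.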

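The failure mode and the fix, side by side, as an added example (not the patch's or O3D's code). The names Buffer, RawData, Set(), InternalSet() and Free() follow the hunk above; ByteBuffer, Allocate(), SetLeaky() and the two check functions are assumptions made for this example. The allocation is deliberately not zeroed, mirroring a raw allocation, so the only thing that decides whether uninitialized bytes stay reachable is what Set() does on failure.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

// Constructed stand-in for O3D's RawData: just a byte blob (assumption).
struct RawData {
  std::vector<uint8_t> bytes;
};

// Abstract buffer in the shape of the hunk: the base class owns Set()/Free(),
// concrete subclasses decide how the storage is validated and filled.
class Buffer {
 public:
  virtual ~Buffer() { Free(); }

  // Reserve num_bytes of storage. Like a raw allocation, the contents are NOT zeroed.
  bool Allocate(size_t num_bytes) {
    Free();
    data_ = static_cast<uint8_t*>(std::malloc(num_bytes));
    if (data_ == nullptr) return false;
    size_ = num_bytes;
    return true;
  }

  // Pre-fix behaviour: a failed copy leaves the allocation in place, so whoever
  // reads data() afterwards sees whatever the allocator handed out.
  bool SetLeaky(const RawData& raw, size_t offset, size_t length) {
    return InternalSet(raw, offset, length);
  }

  // Post-fix behaviour (the pattern of the 227197 patch): free on failure so
  // there is no uninitialized storage left to read, and report the failure.
  bool Set(const RawData& raw, size_t offset, size_t length) {
    bool ret = InternalSet(raw, offset, length);
    if (!ret) {
      Free();
    }
    return ret;
  }

  void Free() {
    std::free(data_);
    data_ = nullptr;
    size_ = 0;   // bookkeeping must follow the storage, or size() lies
  }

  size_t size() const { return size_; }
  const uint8_t* data() const { return data_; }

 protected:
  virtual bool InternalSet(const RawData& raw, size_t offset, size_t length) = 0;
  uint8_t* data_ = nullptr;
  size_t size_ = 0;
};

// One concrete buffer: copies bytes verbatim, refusing anything that does not
// exactly fill the allocation or that would read past the end of the RawData.
class ByteBuffer : public Buffer {
 protected:
  bool InternalSet(const RawData& raw, size_t offset, size_t length) override {
    if (data_ == nullptr || length != size_) return false;
    if (offset > raw.bytes.size() || length > raw.bytes.size() - offset) return false;
    std::memcpy(data_, raw.bytes.data() + offset, length);
    return true;
  }
};

// Bytes still reachable through the buffer after a Set() that fails because the
// RawData is too short. Pre-fix: the whole (uninitialized) allocation. Post-fix: 0.
size_t BytesExposedAfterFailedSet(bool use_fixed_set) {
  RawData raw;
  raw.bytes = {0x41, 0x42, 0x43, 0x44};  // constructed input: only 4 bytes
  ByteBuffer buf;
  buf.Allocate(16);                      // the buffer expects 16 bytes
  bool ok = use_fixed_set ? buf.Set(raw, 0, 16) : buf.SetLeaky(raw, 0, 16);
  if (ok) return 0;
  return buf.size();                     // never reads data(): that would be the leak
}

// Success path for reference: four bytes copied, their sum returned.
unsigned SumAfterSuccessfulSet() {
  RawData raw;
  raw.bytes = {1, 2, 3, 4};              // constructed input
  ByteBuffer buf;
  buf.Allocate(4);
  if (!buf.Set(raw, 0, 4)) return 0;
  unsigned sum = 0;
  for (size_t i = 0; i < buf.size(); ++i) sum += buf.data()[i];
  return sum;
}
```

The check function purposely never dereferences `data()` on the leaky path; reading those bytes is exactly the disclosure, and in C++ it is also undefined behaviour, so the test only measures how much storage remains reachable.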

Better URL fetching/parsing (Bug 227158)
    Added URL whitelisting to O3D as part of the PPAPI plugin.

This entry was posted in Chrome, chrome OS, Google.
