[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 711 - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of

Giuseppe Iuculano iuculano at debian.org
Fri Feb 11 16:09:38 UTC 2011


Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 711
Revision Id: iuculano at debian.org-20110211160938-eepmwvyf0u504im1
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message :   - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of
    Google. 
  - Medium Possible failure to terminate process on out-of-memory condition.
    Credit to David Warren of CERT/CC.


--------------------------------------------------------
  ** Added :
        - debian/patches/69970.patch
        - debian/patches/70456.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

=== modified file 'debian/changelog'
--- a/debian/changelog	2011-02-11 14:54:03 +0000
+++ b/debian/changelog	2011-02-11 16:09:38 +0000
@@ -4,8 +4,12 @@
     - High Stale pointer in animation event handling. Credit to Rik Cabanier.
     - High Stale pointer with anonymous block handling. Credit to Martin
       Barbella.
+    - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of
+      Google. 
+    - Medium Possible failure to terminate process on out-of-memory condition.
+      Credit to David Warren of CERT/CC.
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 11 Feb 2011 15:53:13 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 11 Feb 2011 17:08:57 +0100
 
 chromium-browser (6.0.472.63~r59945-5+squeeze1) stable-security; urgency=high
 
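Review bot: the added line ending in "Google. " carries trailing whitespace, and neither new entry names the identifier the patch files are named after (69970, 70456) or the corresponding CVE, so a reader of this changelog cannot map an entry to its patch or to the advisory. Suggest dropping the trailing space and ending each entry with that reference, as in `- Medium Out-of-bounds read in plug-in handling (69970). Credit to Bill Budge of Google.`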

=== added file 'debian/patches/69970.patch'
--- a/debian/patches/69970.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/69970.patch	2011-02-11 16:09:38 +0000
@@ -0,0 +1,14 @@
+--- a/src/third_party/WebKit/WebCore/bindings/v8/V8NPUtils.cpp
++++ b/src/third_party/WebKit/WebCore/bindings/v8/V8NPUtils.cpp
+@@ -65,8 +65,9 @@ void convertV8ObjectToNPVariant(v8::Loca
+         VOID_TO_NPVARIANT(*result);
+     else if (object->IsString()) {
+         v8::String::Utf8Value utf8(object);
+-        char* utf8_chars = strdup(*utf8);
+-        STRINGN_TO_NPVARIANT(utf8_chars, utf8.length(), *result);
++        char* utf8Chars = reinterpret_cast<char*>(malloc(utf8.length()));
++        memcpy(utf8Chars, *utf8, utf8.length());
++        STRINGN_TO_NPVARIANT(utf8Chars, utf8.length(), *result);
+     } else if (object->IsObject()) {
+         DOMWindow* window = V8Proxy::retrieveWindow(V8Proxy::currentContext());
+         NPObject* npobject = npCreateV8ScriptObject(0, v8::Handle<v8::Object>::Cast(object), window);
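Review bot: the return value of malloc() in `char* utf8Chars = reinterpret_cast<char*>(malloc(utf8.length()));` is not checked before `memcpy(utf8Chars, *utf8, utf8.length());`, so an allocation failure becomes a write through a null pointer; the strdup() this replaces had the same gap, but a patch for a memory-safety bug in plug-in string handling should close both. The strdup() to malloc()+memcpy() switch is what repairs the length mismatch: strdup() stops at the first NUL byte of the UTF-8 data while STRINGN_TO_NPVARIANT records utf8.length(), so a string containing an embedded NUL advertised more bytes than had been allocated, which is the out-of-bounds read named in the commit message. Two caveats: the new buffer no longer carries the NUL terminator strdup() provided, so a plug-in that treats UTF8Characters as a C string instead of honouring UTF8Length would now read past the end; if that matters, allocate utf8.length() + 1 and terminate. And the buffer still comes from malloc(), so whoever releases the NPVariant must keep pairing it with free().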

=== added file 'debian/patches/70456.patch'
--- a/debian/patches/70456.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/70456.patch	2011-02-11 16:09:38 +0000
@@ -0,0 +1,44 @@
+--- a/src/base/debug_util_posix.cc
++++ b/src/base/debug_util_posix.cc
+@@ -256,6 +256,9 @@ bool DebugUtil::BeingDebugged() {
+ // static
+ void DebugUtil::BreakDebugger() {
+   DEBUG_BREAK();
++#if defined(NDEBUG)
++  _exit(1);
++#endif
+ }
+ 
+ StackTrace::StackTrace() {
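Review bot: `_exit(1)` is wrapped in `#if defined(NDEBUG)` here, while the three Windows call sites in this same patch add it unconditionally; if the intent is to let a developer continue past DEBUG_BREAK() under a debugger in debug builds, say so in a comment, otherwise make the POSIX side unconditional so release and debug behaviour do not diverge. The hunk shows no `#include <unistd.h>` for `_exit`; confirm the file already has one. Choosing `_exit` over `exit` is correct: it skips atexit handlers and static destructors, which should not run once the process is in a failed-assertion or out-of-memory state.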
+--- a/src/chrome/app/chrome_dll_main.cc
++++ b/src/chrome/app/chrome_dll_main.cc
+@@ -155,6 +155,7 @@ void InvalidParameter(const wchar_t* exp
+                       const wchar_t* file, unsigned int line,
+                       uintptr_t reserved) {
+   __debugbreak();
++  _exit(1);
+ }
+ 
+ void PureCall() {
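Review bot: InvalidParameter() now never returns, but nothing in the hunk marks it `__declspec(noreturn)`; adding that lets the compiler enforce the contract and documents that `__debugbreak()` is no longer expected to be the last thing that happens. A one-line comment explaining why `_exit(1)` follows the break would also help: in a release build with no debugger attached, the breakpoint exception raised by `__debugbreak()` can be swallowed by an installed exception handler, and the process would otherwise carry on past the invalid parameter.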
+@@ -180,6 +181,7 @@ void OnNoMemory() {
+   // the buffer is then used, it provides a handy mapping of memory starting at
+   // address 0 for an attacker to utilize.
+   __debugbreak();
++  _exit(1);
+ }
+ #pragma warning(pop)
+ 
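Review bot: the comment directly above ("a handy mapping of memory starting at address 0 for an attacker to utilize") states the exact hazard this `_exit(1)` closes, yet OnNoMemory() keeps a plain `void` signature; mark it `__declspec(noreturn)` so the compiler enforces that the handler does not return. Consider a dedicated exit status rather than 1 so an out-of-memory termination can be distinguished from other failures in crash reports. `_exit` is the right primitive here: after a failed allocation the heap cannot be trusted to run exit handlers or destructors.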
+--- a/src/chrome/plugin/plugin_main.cc
++++ b/src/chrome/plugin/plugin_main.cc
+@@ -120,8 +120,10 @@ int PluginMain(const MainFunctionParams&
+         BOOL result = run_security_tests(&test_count);
+         DCHECK(result) << "Test number " << test_count << " has failed.";
+         // If we are in release mode, crash or debug the process.
+-        if (!result)
++        if (!result) {
+           __debugbreak();
++	  _exit(1);
++	}
+       }
+ 
+       FreeLibrary(sandbox_test_module);
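Review bot: the two added lines `_exit(1);` and the closing `}` are indented with a tab character while the surrounding code uses two-space indentation, so the brace appears misaligned; reindent with spaces. The logic is sound: `DCHECK(result)` compiles out in release builds, so the `if (!result)` block is the only release-mode reaction to a failed sandbox self-test, and exiting before `FreeLibrary(sandbox_test_module)` is fine since the process is terminating.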

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2011-02-11 14:54:03 +0000
+++ b/debian/patches/series	2011-02-11 16:09:38 +0000
@@ -54,3 +54,5 @@
 68244.patch
 67234.patch
 69556.patch
+69970.patch
+70456.patch


