Bug 159262 (CVE-2016-4764) - Crash when 'input' event handler for input[type=color] changes the input type
Summary: Crash when 'input' event handler for input[type=color] changes the input type
Status: RESOLVED FIXED
Alias: CVE-2016-4764
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-06-29 07:22 PDT by David Kilzer (:ddkilzer)
Modified: 2017-10-11 10:28 PDT
8 users

See Also:


Attachments
Patch v1 (5.86 KB, patch)
2016-06-29 07:27 PDT, David Kilzer (:ddkilzer)
dbates: review+

Description David Kilzer (:ddkilzer) 2016-06-29 07:22:50 PDT
Crash when 'input' event handler for input[type=color] changes the input type.

This is the same issue as described in this Blink security bug:

Heap-use-after-free in blink::ColorInputType::didChooseColor 
<https://bugs.chromium.org/p/chromium/issues/detail?id=569170>

Reproduced under ASan using Blink's layout test.
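As an added illustration (not WebKit's code and not the change committed for this bug), the following toy C++ model shows the lifetime hazard the report describes: a per-type helper object dispatches the 'input' event, the script listener changes the input type, and the element drops its only reference to the helper while that helper is still executing. The class names InputElement, InputType and ColorInputType, the shared_ptr ownership, and the keep-alive plus re-check pattern in the hardened path are assumptions made for this example, modelled loosely on the class name in the linked Blink bug rather than on the actual WebKit source.

```cpp
#include <functional>
#include <memory>
#include <string>

// Toy model, constructed for this example (not WebKit code): an <input>
// element owns one per-type helper object. Changing the type replaces the
// helper, so the old one is freed if nothing else holds a reference to it.
struct InputElement;

struct InputType : std::enable_shared_from_this<InputType> {
    explicit InputType(InputElement& owner) : element(owner) {}
    virtual ~InputType() = default;
    InputElement& element;
};

struct InputElement {
    std::string type;
    std::string value;
    std::shared_ptr<InputType> helper;            // sole owner of the helper
    std::function<void(InputElement&)> onInput;   // script's 'input' listener

    explicit InputElement(const std::string& t) { setType(t); }
    void setType(const std::string& t);           // defined after ColorInputType
    void dispatchInputEvent() { if (onInput) onInput(*this); }
};

struct ColorInputType : InputType {
    using InputType::InputType;
    int colorsChosen = 0;

    // Vulnerable shape: dispatch the event, then keep using `this`. If the
    // listener changed the type, the element released its only reference and
    // `this` is already freed. The hazard is reported through a local weak_ptr
    // instead of dereferencing freed memory; a real bug would touch a member.
    bool didChooseColorUnprotected(const std::string& color) {
        std::weak_ptr<InputType> watch = shared_from_this();
        element.value = color;
        element.dispatchInputEvent();
        return !watch.expired();   // false => any member access now is a UAF
    }

    // Hardened shape: hold a strong reference across the dispatch so the
    // helper outlives this call, then re-check that the element still uses
    // this helper before touching state that only makes sense for type=color.
    bool didChooseColorProtected(const std::string& color) {
        std::shared_ptr<InputType> keepAlive = shared_from_this();
        element.value = color;
        element.dispatchInputEvent();
        if (element.helper.get() != this)
            return false;          // type changed under us: stop here
        ++colorsChosen;
        return true;
    }
};

inline void InputElement::setType(const std::string& t) {
    if (helper && t == type) return;
    type = t;
    // Assigning releases the previous helper; with no other owner it is freed.
    if (t == "color")
        helper = std::make_shared<ColorInputType>(*this);
    else
        helper = std::make_shared<InputType>(*this);
}

// Scenario from the report: the 'input' listener switches the element from
// type=color to type=text while the color helper is still on the stack.
// Returns true when the unprotected helper was freed mid-call.
bool unprotectedHelperFreedMidCall() {
    InputElement input("color");
    input.onInput = [](InputElement& e) { e.setType("text"); };
    auto* color = static_cast<ColorInputType*>(input.helper.get());
    return !color->didChooseColorUnprotected("#ff0000");
}

// Same listener against the hardened path: the helper survives the dispatch
// and the post-event work is skipped because the element no longer uses it.
bool protectedHelperBailsOut() {
    InputElement input("color");
    input.onInput = [](InputElement& e) { e.setType("text"); };
    auto* color = static_cast<ColorInputType*>(input.helper.get());
    return !color->didChooseColorProtected("#ff0000") && input.type == "text";
}

// A listener that leaves the type alone lets the post-event work complete.
int protectedHelperCountsChoice() {
    InputElement input("color");
    auto* color = static_cast<ColorInputType*>(input.helper.get());
    color->didChooseColorProtected("#00ff00");
    return color->colorsChosen;
}
```

The general lesson is the one sanitizers such as ASan surface for this bug class: any call that can run script (event dispatch, layout callbacks, observers) may mutate or destroy the object that made the call, so the caller takes its own strong reference before the call and re-validates the state it depends on afterwards instead of assuming it is unchanged.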
Comment 1 David Kilzer (:ddkilzer) 2016-06-29 07:23:03 PDT
<rdar://problem/27020404>
Comment 2 David Kilzer (:ddkilzer) 2016-06-29 07:27:25 PDT
Created attachment 282345
Patch v1
Comment 3 Daniel Bates 2016-06-29 09:26:51 PDT
Comment on attachment 282345
Patch v1

This looks sane to me.
Comment 4 David Kilzer (:ddkilzer) 2016-06-29 09:51:28 PDT
Committed r202626: <http://trac.webkit.org/changeset/202626>