CVE-2024-7025

October 13, 2024

CVE Details

Google Chrome

Integer overflow in Layout in Google Chrome prior to 129.0.6668.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Chromium security severity: High

Credit: Tashita Software Security
Researcher: Javier

CVE Mitre
Chrome Release Notes
Chromium Issue 367764861

Vulnerability Details

Bug

Integer Overflow: Security DCHECK failed: length <= impl.length() – offset

Backtrace

#0  0x000055d154e663cc in ImmediateCrash () at ../../base/immediate_crash.h:176
#1  HandleFatal() () at ../../base/logging.cc:1073
#2  0x000055d154e6571e in operator() () at ../../base/logging.cc:773
#3  InvokeCallback () at ../../third_party/abseil-cpp/absl/cleanup/internal/cleanup.h:87
#4  ~Cleanup () at ../../third_party/abseil-cpp/absl/cleanup/cleanup.h:106
#5  Flush() () at ../../base/logging.cc:956
#6  0x000055d154e667d9 in ~LogMessageFatal() () at ../../base/logging.cc:1078
#7  0x000055d162f47b23 in Set () at ../../third_party/blink/renderer/platform/wtf/text/string_view.h:349
#8  StringView () at ../../third_party/blink/renderer/platform/wtf/text/string_view.h:326
#9  StringView () at ../../third_party/blink/renderer/platform/wtf/text/wtf_string.h:734
#10 BuildJustificationText() () at ../../third_party/blink/renderer/core/layout/inline/justification_utils.cc:78
#11 0x000055d162f45bce in ApplyJustificationInternal() () at ../../third_party/blink/renderer/core/layout/inline/justification_utils.cc:299
#12 0x000055d162fd966f in ApplyRubyAlign() () at ../../third_party/blink/renderer/core/layout/inline/ruby_utils.cc:455
#13 0x000055d162fafeed in PlaceRubyAnnotation() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:514
#14 0x000055d162fada02 in PlaceRubyColumn() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:500
#15 0x000055d162fa8d8c in HandleItemResults() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:175
#16 0x000055d162fa809d in CreateLine() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:72
#17 0x000055d162c8eacb in CreateLine() () at ../../third_party/blink/renderer/core/layout/inline/inline_layout_algorithm.cc:393

Testcase

Advisories

CVE-2024-7025

October 13, 2024

CVE Details

Google Chrome

Integer overflow in Layout in Google Chrome prior to 129.0.6668.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Chromium security severity: High

Credit: Tashita Software Security
Researcher: Javier

CVE Mitre
Chrome Release Notes
Chromium Issue 367764861

Vulnerability Details

Bug

Integer Overflow: Security DCHECK failed: length <= impl.length() – offset

Backtrace

#0  0x000055d154e663cc in ImmediateCrash () at ../../base/immediate_crash.h:176
#1  HandleFatal() () at ../../base/logging.cc:1073
#2  0x000055d154e6571e in operator() () at ../../base/logging.cc:773
#3  InvokeCallback () at ../../third_party/abseil-cpp/absl/cleanup/internal/cleanup.h:87
#4  ~Cleanup () at ../../third_party/abseil-cpp/absl/cleanup/cleanup.h:106
#5  Flush() () at ../../base/logging.cc:956
#6  0x000055d154e667d9 in ~LogMessageFatal() () at ../../base/logging.cc:1078
#7  0x000055d162f47b23 in Set () at ../../third_party/blink/renderer/platform/wtf/text/string_view.h:349
#8  StringView () at ../../third_party/blink/renderer/platform/wtf/text/string_view.h:326
#9  StringView () at ../../third_party/blink/renderer/platform/wtf/text/wtf_string.h:734
#10 BuildJustificationText() () at ../../third_party/blink/renderer/core/layout/inline/justification_utils.cc:78
#11 0x000055d162f45bce in ApplyJustificationInternal() () at ../../third_party/blink/renderer/core/layout/inline/justification_utils.cc:299
#12 0x000055d162fd966f in ApplyRubyAlign() () at ../../third_party/blink/renderer/core/layout/inline/ruby_utils.cc:455
#13 0x000055d162fafeed in PlaceRubyAnnotation() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:514
#14 0x000055d162fada02 in PlaceRubyColumn() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:500
#15 0x000055d162fa8d8c in HandleItemResults() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:175
#16 0x000055d162fa809d in CreateLine() () at ../../third_party/blink/renderer/core/layout/inline/logical_line_builder.cc:72
#17 0x000055d162c8eacb in CreateLine() () at ../../third_party/blink/renderer/core/layout/inline/inline_layout_algorithm.cc:393