chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/

Crash due to index out of bounds at CefFileDialogManager::MaybeRunDelegate #3779

Closed jaragunde closed 2 months ago

jaragunde commented 2 months ago

Describe the bug

When there is a CefDialogHandler installed, it's possible to produce a crash due to an index out of bounds in CefFileDialogManager::MaybeRunDelegate. The Chromium code base doesn't always provide a description to match every entry in the extension vector. One such case is when saving a PDF via the print dialog.

To Reproduce

Steps to reproduce the behavior:

  1. There needs to be a CefDialogHandler installed. Here is a modification of CefSimple that does it: https://bitbucket.org/jaragunde/cef/commits/f03a6ca1e756327af09a4187939627ad2f8b22c8
  2. Run cefsimple --enable-print-preview
  3. Open print dialog with ctrl+p or right click menu.
  4. Select "Save as PDF" and click "save".
  5. See error:
    ../../third_party/libc++/src/include/vector:1408: assertion __n < size() failed: vector[] index out of bounds
    Received signal 6
    #0 0x7fdf220f9a7c base::debug::CollectStackTrace() [../../base/debug/stack_trace_posix.cc:1044:7]
    #1 0x7fdf220bab7b base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:242:20]
    #2 0x7fdf220bab15 base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:237:28]
    #3 0x7fdf220f93e5 base::debug::(anonymous namespace)::StackDumpSignalHandler() [../../base/debug/stack_trace_posix.cc:463:3]
    #4 0x7fdefcc5c9a0 (/usr/lib64/libc.so.6+0x3e99f)
    #5 0x7fdefccae834 __pthread_kill_implementation
    #6 0x7fdefcc5c8ee __GI_raise
    #7 0x7fdefcc448ff __GI_abort
    #8 0x55983a1122ae std::__Cr::__libcpp_verbose_abort()
    #9 0x7fdf0fe0c918 std::__Cr::vector<>::operator[]() [../../third_party/libc++/src/include/vector:1408:3]
    #10 0x7fdf0fe08ef9 CefFileDialogManager::MaybeRunDelegate() [../../cef/libcef/browser/file_dialog_manager.cc:518:41]
    #11 0x7fdf0fe0955d CefFileDialogManager::RunSelectFile() [../../cef/libcef/browser/file_dialog_manager.cc:384:14]
    #12 0x7fdf0fd6f6c9 CefBrowserHostBase::RunSelectFile() [../../cef/libcef/browser/browser_host_base.cc:1284:25]
    #13 0x7fdf0fe169d1 (anonymous namespace)::CefSelectFileDialog::SelectFileImpl() [../../cef/libcef/browser/file_dialog_runner.cc:110:15]
    #14 0x7fdf2838a0ef ui::SelectFileDialog::SelectFile() [../../ui/shell_dialogs/select_file_dialog.cc:154:3]
    #15 0x7fdf3647dce0 printing::PdfPrinterHandler::OnDirectorySelected() [../../chrome/browser/ui/webui/print_preview/pdf_printer_handler.cc:535:24]
    ...

Expected behavior

No crash.

Versions (please complete the following information):

Additional context

The code that adds an entry of "extensions" but not for "descriptions" is Chromium code located at PdfPrinterHandler::OnDirectorySelected(): https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ui/webui/print_preview/pdf_printer_handler.cc;l=505
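The failure mode in this report, as an added example that is not CEF's or Chromium's code: a stand-alone model of the two parallel vectors (field names loosely follow ui::SelectFileDialog::FileTypeInfo, with element types simplified to std::string), the indexing pattern that trips when Chromium supplies an extension entry without a matching description, and a bounds-checked form beside it. BuildFiltersUnchecked, BuildFiltersChecked, DefaultDescription and the two sample inputs are hypothetical names and constructed data, not the functions in file_dialog_manager.cc.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified stand-in for the parts of ui::SelectFileDialog::FileTypeInfo
// that matter here (assumption: only these two parallel vectors are modelled).
struct FileTypeInfo {
  // One entry per filter; each entry lists the extensions that filter accepts.
  std::vector<std::vector<std::string>> extensions;
  // Optional human-readable descriptions, indexed in parallel with
  // `extensions`. As the report notes, Chromium does not always supply one
  // per extension entry, so this vector may be shorter.
  std::vector<std::string> extension_description_overrides;
};

// One accept filter, the shape a CefDialogHandler ends up receiving.
struct AcceptFilter {
  std::string description;
  std::vector<std::string> extensions;
};

// Unsafe pattern: assumes a description exists for every extension entry.
// .at() is used instead of operator[] so the defect surfaces as a catchable
// exception; with Chromium's hardened libc++, operator[] aborts with the
// "vector[] index out of bounds" assertion shown in the report.
std::vector<AcceptFilter> BuildFiltersUnchecked(const FileTypeInfo& info) {
  std::vector<AcceptFilter> out;
  for (size_t i = 0; i < info.extensions.size(); ++i) {
    out.push_back({info.extension_description_overrides.at(i),
                   info.extensions[i]});
  }
  return out;
}

// Derive a description from the extensions when none is provided,
// e.g. {"pdf"} -> "*.pdf", {"jpg", "jpeg"} -> "*.jpg;*.jpeg".
std::string DefaultDescription(const std::vector<std::string>& exts) {
  std::string desc;
  for (size_t j = 0; j < exts.size(); ++j) {
    if (j > 0) desc += ';';
    desc += "*." + exts[j];
  }
  return desc;
}

// Hardened pattern: bounds-check the parallel vector before indexing it and
// fall back to a generated description when the entry is missing or empty.
std::vector<AcceptFilter> BuildFiltersChecked(const FileTypeInfo& info) {
  std::vector<AcceptFilter> out;
  const auto& descs = info.extension_description_overrides;
  for (size_t i = 0; i < info.extensions.size(); ++i) {
    const bool has_desc = i < descs.size() && !descs[i].empty();
    out.push_back({has_desc ? descs[i] : DefaultDescription(info.extensions[i]),
                   info.extensions[i]});
  }
  return out;
}

// Constructed input mirroring the "Save as PDF" case from the report:
// one extension entry and no description at all.
FileTypeInfo PdfSaveCase() {
  FileTypeInfo info;
  info.extensions.push_back({"pdf"});
  return info;
}

// Constructed input where the two vectors do line up.
FileTypeInfo ImageCase() {
  FileTypeInfo info;
  info.extensions.push_back({"jpg", "jpeg"});
  info.extension_description_overrides.push_back("Image Files");
  return info;
}

// True if the unchecked builder trips on the given input.
bool UncheckedFails(const FileTypeInfo& info) {
  try {
    BuildFiltersUnchecked(info);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

int main() {
  for (const FileTypeInfo& info : {PdfSaveCase(), ImageCase()}) {
    std::cout << "unchecked fails: " << std::boolalpha << UncheckedFails(info) << '\n';
    for (const AcceptFilter& f : BuildFiltersChecked(info)) {
      std::cout << "  checked filter: " << f.description << '\n';
    }
  }
  return 0;
}
```

The check that matters is `i < descs.size()` before touching the descriptions vector; the fallback keeps the filter usable for the handler instead of dropping it, so the dialog still offers a PDF type when Chromium sends an extension list with no description.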