New issue
Advanced search Search tips
Starred by 0 users

Issue metadata

Status: Duplicate
Merged: issue 134897
Owner: ----
Closed: Aug 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment
link

Issue 139217: Stack-buffer-underflow in WebCore::RenderListBox::setHasVerticalScrollbar

Reported by infe...@chromium.org, Jul 26 2012 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=84640706

Fuzzer: Inferno_twister

Crash Type: Stack-buffer-underflow READ 8
Crash Address: 0x7fffdd011a60
Crash State:
  - crash stack -
  WebCore::RenderListBox::setHasVerticalScrollbar
  WebCore::RenderListBox::~RenderListBox
  WebCore::TextControlInnerTextElement::customStyleForRenderer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=148245:148259

Minimized Testcase (0.66 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94huuAFKyjNYHzZ3UtzVS1al97M66BS6mr33F3QVsY6KW1Ggiy2rhNt4GTFHPpm7u25oOClKIfN1nw5rjO3QBiOn6wI87GX7xwK7aFu4wkqjjrfvEoSNOHg1fKzWZ1XAe6q4eCO2eHohJS26DAeCckzEWT1QEoosFjaORlfeDabgx5jQuM
<style>
.c5 { border-bottom: indigo solid; display: run-in; -webkit-appearance: none;</style><script>
var docElement = document.body ? document.body : document.documentElement;
function initCF() {
try { tCF30 = document.createElementNS("http://www.w3.org/1999/xhtml", "textarea"); } catch(e) {}
try { docElement.appendChild(tCF30); } catch(e) {}
try { tCF80 = document.createElementNS("http://www.w3.org/1999/xhtml", "legend"); } catch(e) {}
try { docElement.appendChild(tCF80); } catch(e) {}
setTimeout("CFcrash()", 432);
}
document.addEventListener("DOMContentLoaded", initCF, false);
function CFcrash() {
try { tCF30.setAttribute("class", "c5"); } catch(e) {}
}</script>>
 

Comment 1 by infe...@chromium.org, Aug 1 2012

Mergedinto: 134897
Status: Duplicate

Comment 2 by ClusterFuzz, Aug 3 2012

Project Member
ClusterFuzz has detected this issue as fixed in range 149762:149848.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=84640706

Fuzzer: Inferno_twister

Crash Type: Stack-buffer-underflow READ 8
Crash Address: 0x7fffdd011a60
Crash State:
  - crash stack -
  WebCore::RenderListBox::setHasVerticalScrollbar
  WebCore::RenderListBox::~RenderListBox
  WebCore::TextControlInnerTextElement::customStyleForRenderer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=148245:148259
Fixed: https://cluster-fuzz.appspot.com/revisions?range=149762:149848

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94huuAFKyjNYHzZ3UtzVS1al97M66BS6mr33F3QVsY6KW1Ggiy2rhNt4GTFHPpm7u25oOClKIfN1nw5rjO3QBiOn6wI87GX7xwK7aFu4wkqjjrfvEoSNOHg1fKzWZ1XAe6q4eCO2eHohJS26DAeCckzEWT1QEoosFjaORlfeDabgx5jQuM

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 3 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
Mergedinto: chromium:134897
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 4 by bugdroid1@chromium.org, Jan 18 2013

Project Member
Labels: Restrict-View-EditIssue
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 5 by bugdroid1@chromium.org, Jan 18 2013

Project Member
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 6 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -Type-Security -SecSeverity-High -SecImpacts-None -Mstone-22 -Stability-AddressSanitizer Cr-Content Type-Bug-Security M-22 Security-Impact-None Security-Severity-High Performance-Memory-AddressSanitizer

Comment 7 by bugdroid1@chromium.org, Mar 14 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 8 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: Security_Severity-None

Comment 9 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-None Security_Impact-None

Comment 10 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High -Security_Severity-None Security_Severity-High

Comment 11 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 12 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 13 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-SecurityTeam -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.

Comment 14 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Sign in to add a comment