New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment
link

Issue 330626: Heap-use-after-free in WebCore::RenderInline::willBeDestroyed

Reported by ClusterFuzz, Dec 24 2013 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5091034006552576

Fuzzer: Miaubiz_css_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200002df80
Crash State:
  - crash stack -
  WebCore::RenderInline::willBeDestroyed
  WebCore::RenderObject::destroy
  - free stack -
  WebCore::RenderBlock::removeChild
  WebCore::RenderObject::willBeDestroyed
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=241803:241817

Minimized Testcase (0.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97wtDtQIVVy3BNEkxSazfPCJD15mYFU18MAIDYJyCwnGVzm7XHTwjciOaurCWsKZLtQNpMobnl3EoYDOLcyk1ndXoz2EezmuBpCZvru8lSK7g7sUnNRqnAWBsaEHJSIc19fyvONLTuTi5cHc3irAjkk31MfLw
 

Comment 1 by ClusterFuzz, Dec 24 2013

Project Member
Labels: Pri-1 ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

Comment 2 by mbarbe...@chromium.org, Dec 30 2013

Cc: infe...@chromium.org
Any idea who a good owner for this might be, inferno@?

Comment 3 by infe...@chromium.org, Jan 1 2014

 Issue 331029  has been merged into this issue.

Comment 4 by infe...@chromium.org, Jan 1 2014

Cc: -infe...@chromium.org attek...@gmail.com
Owner: jchaffraix@chromium.org
Status: Fixed
This is stable continuation issue, regression from http://src.chromium.org/viewvc/blink?view=rev&revision=164125. confirmed locally.

reverted in r164405.

Comment 5 by ClusterFuzz, Jan 1 2014

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

Comment 6 by ClusterFuzz, Jan 4 2014

Project Member
ClusterFuzz has detected this issue as fixed in range 242799:242830.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5091034006552576

Fuzzer: Miaubiz_css_fuzzer
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200002df80
Crash State:
  - crash stack -
  WebCore::RenderInline::willBeDestroyed
  WebCore::RenderObject::destroy
  - free stack -
  WebCore::RenderBlock::removeChild
  WebCore::RenderObject::willBeDestroyed
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=241803:241817
Fixed: https://cluster-fuzz.appspot.com/revisions?range=242799:242830

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97wtDtQIVVy3BNEkxSazfPCJD15mYFU18MAIDYJyCwnGVzm7XHTwjciOaurCWsKZLtQNpMobnl3EoYDOLcyk1ndXoz2EezmuBpCZvru8lSK7g7sUnNRqnAWBsaEHJSIc19fyvONLTuTi5cHc3irAjkk31MfLw

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 7 by dharani@google.com, Jan 7 2014

Labels: -M-33 -Merge-Triage M-34 Merge-NA

Comment 8 Deleted

Comment 9 Deleted

Comment 10 by timwillis@chromium.org, Apr 5 2014

Labels: CVE-2014-1722

Comment 11 by ClusterFuzz, Apr 9 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 12 by timwillis@chromium.org, Apr 14 2014

Labels: -reward-topanel reward-unpaid reward-2000
Thanks for the report - $2000 for this one. I'll start the payment process today.

Comment 13 by timwillis@chromium.org, Jul 22 2014

Labels: -reward-unpaid reward-inprocess

Comment 14 by laforge@google.com, Jan 9 2015

Labels: -Cr-Blink-Rendering Cr-Blink-Layout
Migrate from Cr-Blink-Rendering to Cr-Blink-Layout

Comment 15 by sheriffbot@chromium.org, Jun 22 2016

Project Member
Labels: -ReleaseBlock-Beta

Comment 16 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 19 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment