
Issue metadata

Status: Fixed
Owner:
Closed: Sep 2014
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Heap-use-after-free in void cc::PreCalculateMetaInformation<cc::LayerImpl>

Reported by ClusterFuzz, Sep 12 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6508824937627648

Fuzzer: Marty_html_twiddler
Job Type: Android_asan_chrome

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x72d7c304
Crash State:
  void cc::PreCalculateMetaInformation<cc::LayerImpl>
  void cc::PreCalculateMetaInformation<cc::LayerImpl>
  void cc::PreCalculateMetaInformation<cc::LayerImpl>

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94AKOVHk-j1iUtk_ijJMrq22ywa6CUXuLwwrDI8TRCXVlU-xI3M_vCtqzCGb66Qo-3ILOgNlMbWB916avzO7HDbxBsOYDpIpZUBSuLSa993uAuJsifbm72vxQ0xbJso7MdtqV9Bnb0sDyB7JmraEaNJj4YS24PYn7h1pTKxsigi-2w721E


Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

Filer: inferno
Owner: vollick@chromium.org
Status: Assigned (was: NULL)

Comment 2 by tsepez@chromium.org, Sep 12 2014

Determining the affected versions is difficult at present because this doesn't reproduce reliably for CF.  Once the issue is understood, it should be possible to figure out how far back it goes.

Comment 3 by ClusterFuzz, Sep 12 2014

Labels: Pri-1
Status: Fixed (was: NULL)
Should be fixed with this revert. https://codereview.chromium.org/563313002/

Comment 5 by ClusterFuzz, Sep 12 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage
This bug was introduced by my CalcDrawProps refactor which has not made it to the beta or stable branches. No merge is required.

Comment 8 by bugdroid1@chromium.org, Sep 18 2014

Labels: merge-merged-2125
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d1ea9b5a6670389019344279d5bb10bb7edfd139

commit d1ea9b5a6670389019344279d5bb10bb7edfd139
Author: Ian Vollick <vollick@chromium.org>
Date: Thu Sep 18 04:06:47 2014

Fix RemoveFromScrollTree and RemoveFromClipTree

These functions should set needs commit, but didn't. This led to stale
pointers in the impl tree.

BUG=413743,403866
TBR=danakj@chromium.org

Review URL: https://codereview.chromium.org/572483002

Cr-Commit-Position: refs/heads/master@{#294749}
(cherry picked from commit 66133e86b6d79534605539aa684a248e6b6205bf)

Review URL: https://codereview.chromium.org/572353003

Cr-Commit-Position: refs/branch-heads/2125@{#390}
Cr-Branched-From: b68026d94bda36dd106a3d91a098719f952a9477-refs/heads/master@{#290040}

[modify] https://chromium.googlesource.com/chromium/src.git/+/d1ea9b5a6670389019344279d5bb10bb7edfd139/cc/layers/layer.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/d1ea9b5a6670389019344279d5bb10bb7edfd139/cc/layers/layer.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/d1ea9b5a6670389019344279d5bb10bb7edfd139/cc/layers/layer_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/d1ea9b5a6670389019344279d5bb10bb7edfd139/cc/trees/tree_synchronizer.cc

Labels: Release-0-M39 Security_Impact-Stable

Comment 10 by ClusterFuzz, Dec 19 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 11 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic