Status: Fixed
Owner:
Closed: Oct 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Use-of-uninitialized-value in AvatarMenuBubbleView::LinkClicked
Project Member Reported by ClusterFuzz, Oct 10 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6209429543321600

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  AvatarMenuBubbleView::LinkClicked
  views::Link::OnKeyPressed
  views::View::OnKeyEvent
  

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95B7zYpvgEVCKbb7uINE-Q1q0fTt8T0qcetb4CNXXaJSssXQtcfG_6n8ICXezQTWRj0Ix6T3jE6Yobt31qrqJRNzJ697zQpZgPVyB9wigdCkYTsus86upGn5rp5llKeK0n21nN6HuFufQlpNm1PpwQq54811g
Additional requirements: Requires Gestures

Filer: inferno
 
Owner: akuegel@chromium.org
Status: Assigned
Author: akuegel@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a9c2d6481ca1228e72621041db3fb052480c08bb
Time: Fri May 31 14:37:14 2013
The CL last changed line 680 of file avatar_menu_bubble_view.cc, which is stack frame 0.
Project Member Comment 2 by ClusterFuzz, Oct 11 2014
Labels: Pri-1
Labels: M-39
Status: Started
Thanks for the report. The variable was missing a NULL initialization in the constructor. I have a CL ready to fix this.
Project Member Comment 5 by bugdroid1@chromium.org, Oct 15 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db

commit d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db
Author: akuegel <akuegel@chromium.org>
Date: Wed Oct 15 10:41:34 2014

Initialize |switch_profile_link_| in the constructor.

This should fix the use of the uninitialized value in the LinkClicked() method.
Currently, the variable is only initialized for supervised user profiles,
but LinkClicked() is also called for other profiles.

BUG= 422482 

Review URL: https://codereview.chromium.org/639163003

Cr-Commit-Position: refs/heads/master@{#299672}

[modify] https://chromium.googlesource.com/chromium/src.git/+/d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db/chrome/browser/ui/views/profiles/avatar_menu_bubble_view.cc
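As an added illustration of the bug class the commit message describes (a stand-in written for this page, not Chromium's own code): a pointer member that is only assigned on the supervised-user path, next to the fixed shape that initializes it in the constructor. The `Link` type, class names and helper function names are assumptions.

```cpp
#include <cassert>
// Stand-in for views::Link; assumption, not Chromium's type.
struct Link { int id; };

// Shape of the bug before the fix: the member is assigned only on the
// supervised-user path, so for any other profile LinkClicked() compares
// `sender` against an indeterminate pointer. MemorySanitizer reports that
// read as use-of-uninitialized-value (undefined behaviour; shown for contrast only).
class AvatarMenuBubbleViewBefore {
 public:
  AvatarMenuBubbleViewBefore(bool supervised, Link* link) {
    if (supervised)
      switch_profile_link_ = link;  // the only assignment
  }
  bool LinkClicked(const Link* sender) const {
    return sender == switch_profile_link_;  // reads an uninitialized member
  }
 private:
  Link* switch_profile_link_;  // no initializer
};

// After the fix: the member is initialized in the constructor, so the
// comparison is well defined for every profile type.
class AvatarMenuBubbleViewAfter {
 public:
  AvatarMenuBubbleViewAfter(bool supervised, Link* link)
      : switch_profile_link_(nullptr) {
    if (supervised)
      switch_profile_link_ = link;
  }
  bool LinkClicked(const Link* sender) const {
    return switch_profile_link_ != nullptr && sender == switch_profile_link_;
  }
 private:
  Link* switch_profile_link_;
};

// Exercise the fixed class on both profile kinds (helper names assumed).
bool FixedIgnoresUnrelatedLinkOnRegularProfile() {
  Link other{1};
  AvatarMenuBubbleViewAfter view(/*supervised=*/false, nullptr);
  return !view.LinkClicked(&other);
}

bool FixedMatchesSwitchLinkOnSupervisedProfile() {
  Link switch_link{2};
  AvatarMenuBubbleViewAfter view(/*supervised=*/true, &switch_link);
  return view.LinkClicked(&switch_link);
}
```

The "before" class is never exercised, since calling its LinkClicked() on a non-supervised instance is exactly the uninitialized read MSan caught.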

Status: Fixed
Project Member Comment 7 by ClusterFuzz, Oct 15 2014
ClusterFuzz has detected this issue as fixed in range 299664:299673.
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=299664:299673
If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 8 by ClusterFuzz, Oct 15 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: nordi...@gmail.com
Labels: -Merge-Triage Merge-Requested
I would like to request merge permission to the M-39 branch. This patch has been included in Canary for a few days, and it seems to cause no problems.
Comment 11 by amin...@google.com, Oct 20 2014
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171
Project Member Comment 12 by bugdroid1@chromium.org, Oct 22 2014
Labels: -Merge-Approved merge-merged-2171
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/875dc17184c77f2398a56efd9f25c1b6d780ac28

commit 875dc17184c77f2398a56efd9f25c1b6d780ac28
Author: Adrian Kuegel <akuegel@chromium.org>
Date: Wed Oct 22 08:21:39 2014

Merge 299672 "Initialize |switch_profile_link_| in the constructor."

BUG= 422482 
TBR=sky@chromium.org

Review URL: https://codereview.chromium.org/639163003

Cr-Commit-Position: refs/heads/master@{#299672}
(cherry picked from commit d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db)

Review URL: https://codereview.chromium.org/667413002

Cr-Commit-Position: refs/branch-heads/2171@{#227}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}

[modify] https://chromium.googlesource.com/chromium/src.git/+/875dc17184c77f2398a56efd9f25c1b6d780ac28/chrome/browser/ui/views/profiles/avatar_menu_bubble_view.cc

Labels: Merge-Requested
I would like to request merge permission to the M-38 branch.
Comment 14 by amin...@google.com, Oct 28 2014
Labels: m39-ignore
Adding an ignore label for M39 as this has already been merged there. M38 TPM will follow up independently.
Labels: -Merge-Requested Merge-Approved
Project Member Comment 16 by bugdroid1@chromium.org, Nov 5 2014
Labels: -Merge-Approved merge-merged-2125
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2e64aac2c48fdc52f003fc356e4b2a7514a750d7

commit 2e64aac2c48fdc52f003fc356e4b2a7514a750d7
Author: Adrian Kuegel <akuegel@chromium.org>
Date: Wed Nov 05 11:02:47 2014

Merge 299672 "Initialize |switch_profile_link_| in the constructor."

BUG= 422482 
TBR=sky@chromium.org

Review URL: https://codereview.chromium.org/639163003

Cr-Commit-Position: refs/heads/master@{#299672}
(cherry picked from commit d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db)

Review URL: https://codereview.chromium.org/700133002

Cr-Commit-Position: refs/branch-heads/2125@{#601}
Cr-Branched-From: b68026d94bda36dd106a3d91a098719f952a9477-refs/heads/master@{#290040}

[modify] https://chromium.googlesource.com/chromium/src.git/+/2e64aac2c48fdc52f003fc356e4b2a7514a750d7/chrome/browser/ui/views/profiles/avatar_menu_bubble_view.cc

Labels: -m39-ignore Release-0-M39
Project Member Comment 18 by ClusterFuzz, Jan 21 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 19 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 20 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic