
Issue metadata

Status: Fixed
Owner: Use other robhogan account instead.
Closed: Oct 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Bad-cast to blink::PODRedBlackTree<blink::PODInterval<int, blink::FloatingObject *> >::Node from invalid vptr;PODIntervalTree.h:175:33

Project Member Reported by ClusterFuzz, Oct 15 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6239728859873280

Fuzzer: Inferno_twister
Job Type: Linux_ubsan_vptr_content_shell_drt

Crash Type: Bad-cast
Crash Address: 0x020326030040
Crash State:
  Bad-cast to blink::PODRedBlackTree<blink::PODInterval<int, blink::FloatingObject *> >::Node from invalid vptr
  PODIntervalTree.h:175:33
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=298926:299200

Minimized Testcase (4.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95r6KiH6V_wT9gIccq79sVPp45CvmmB8P4HHviPrIwNd1iRisbbM0uPvSmKoADgLf-rc5sbPCXKveW1wl5KVhXLhaCXBSvaaqS8IKoNJd2jQOYkb9DgQ7LCeP9_D0qJivfXLaIxlrPmeNC1VOXAq2cCTikRaQ

Additional requirements: Requires HTTP

Filer: inferno
 
Cc: robho...@gmail.com
Owner: robhogan@chromium.org
Status: Assigned
This looks like use-after-free introduced from https://chromium.googlesource.com/chromium/blink/+/a32f57ab975efc252367d0713d3b184824c43bf4

Comment 2 by ClusterFuzz, Oct 16 2014

Labels: M-40 Pri-1

Comment 3 by ClusterFuzz, Oct 16 2014

Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

Comment 4 by robho...@gmail.com, Oct 16 2014

I'm treating this as a crash that my CL unmasked rather than caused. I'll still take it though!

Comment 5 by bugdroid1@chromium.org, Oct 21 2014

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=184123

------------------------------------------------------------------
r184123 | robhogan@gmail.com | 2014-10-21T22:19:32.523376Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/shapes/crash-image-changed-during-layout-expected.txt?r1=184123&r2=184122&pathrev=184123
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/rendering/RenderBox.cpp?r1=184123&r2=184122&pathrev=184123
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/shapes/crash-image-changed-during-layout.html?r1=184123&r2=184122&pathrev=184123

Don't delete objects from the floating list during layout

In https://codereview.chromium.org/635533003 I was wrong to treat isInPerformLayout
as equivalent to when a shape is being computed. This crash reveals there are cases
where that doesn't hold - so reinstating the check.

This is a reduced version of the clusterfuzz test - it resisted my attempts to remove
anything further from it.

BUG= 423891 

Review URL: https://codereview.chromium.org/647953004
-----------------------------------------------------------------
Status: Fixed

Comment 7 by ClusterFuzz, Oct 22 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-NA
Labels: -Security_Impact-Head -M-40 -Merge-NA Security_Impact-Stable M-39 Merge-Requested
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171

Comment 10 by bugdroid1@chromium.org, Nov 3 2014

Labels: -Merge-Approved merge-merged-2171
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=184801

------------------------------------------------------------------
r184801 | amineer@chromium.org | 2014-11-03T20:53:54.547723Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/2171/Source/core/rendering/RenderBox.cpp?r1=184801&r2=184800&pathrev=184801

Merge 184123 "Don't delete objects from the floating list during..."

Merging to branch
BUG= 423891 

> Don't delete objects from the floating list during layout
> 
> In https://codereview.chromium.org/635533003 I was wrong to treat isInPerformLayout
> as equivalent to when a shape is being computed. This crash reveals there are cases
> where that doesn't hold - so reinstating the check.
> 
> This is a reduced version of the clusterfuzz test - it resisted my attempts to remove
> anything further from it.
> 
> BUG= 423891 
> 
> Review URL: https://codereview.chromium.org/647953004

TBR=robhogan@gmail.com

Review URL: https://codereview.chromium.org/692563005
-----------------------------------------------------------------
Labels: Release-0-M39

Comment 12 by ClusterFuzz, Jan 28 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 13 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
